What this looks like in the scanner
securecompass.io/public-exposure-scanner
Critical
fs-0a1b2c3d4e5f6a7b8
EFS mount target security group allows NFS (port 2049) from 0.0.0.0/0
High
fs-09d8c7b6a5e4f3d2
EFS file system policy does not enforce encryption in transit (aws:SecureTransport)
Medium
fs-01a2b3c4d5e6f7a8
EFS file system has no file system policy - defaults allow root access from any client
What does Amazon EFS public exposure mean?
EFS file systems are reached through mount targets in VPC subnets. A mount target's security group decides which network sources can open NFS (TCP 2049) to it, and the file system policy decides what a client may do once connected. With neither restricted, any instance in the VPC, or in a peered VPC, can mount and access your shared file storage.
Why it matters
EFS often contains application data, configuration files, and shared resources. Unrestricted NFS access within a VPC means any compromised instance can read and modify shared data, and with no file system policy attached it does so as root.
How to check manually
1. Review security groups on EFS mount targets
2. Check EFS file system policies for IAM restrictions
3. Verify encryption in transit is enforced
4. Review access points for proper POSIX permissions
Quick check with AWS CLI
List EFS file systems and their encryption status
aws efs describe-file-systems --query "FileSystems[].{Id:FileSystemId,Name:Name,Encrypted:Encrypted,LifeCycleState:LifeCycleState}"
Check mount target security groups for a file system (query only the mount target ID: with --output text the IDs come back whitespace-separated, and xargs -n 1 turns each one into its own call; selecting two fields per row would break the substitution)
aws efs describe-mount-targets --file-system-id YOUR_FS_ID --query "MountTargets[].MountTargetId" --output text | xargs -n 1 aws efs describe-mount-target-security-groups --mount-target-id
Check the file system policy for public access (the policy is returned as a JSON string; a PolicyNotFound error means no policy is attached, which is itself a finding)
aws efs describe-file-system-policy --file-system-id YOUR_FS_ID --query "Policy" --output text
Common misconfigurations
Mount target security group allowing NFS from 0.0.0.0/0
No file system policy restricting root access
Encryption in transit not enforced
Access points without proper UID/GID restrictions
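The checks above can be applied offline to the JSON the CLI returns. The following is an added example written for this page, not code from the scanner or from AWS: it takes the shapes produced by aws efs describe-file-systems, aws efs describe-mount-target-security-groups (security group IDs per mount target), aws ec2 describe-security-groups (the groups' IpPermissions) and aws efs describe-file-system-policy, and reports the first three misconfigurations listed above. The file system, mount target and security group IDs in the sample data are constructed, and the hardened policy is the documented pattern of granting ClientMount/ClientWrite without ClientRootAccess plus a Deny when aws:SecureTransport is false.

```python
"""Added example: evaluate EFS exposure from AWS CLI JSON, offline.
Sample data at the bottom is constructed; all IDs are made up."""
import ipaddress
import json

NFS_PORT = 2049


def _rule_covers_nfs(perm):
    """True if one IpPermissions entry includes TCP/2049 or all traffic."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                       # "all traffic" rule
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= NFS_PORT <= perm.get("ToPort", 65535)


def open_nfs_cidrs(sg):
    """CIDRs with a /0 prefix (0.0.0.0/0, ::/0) that reach NFS via this SG."""
    found = []
    for perm in sg.get("IpPermissions", []):
        if not _rule_covers_nfs(perm):
            continue
        cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                found.append(cidr)
    return found


def parse_policy_output(cli_output):
    """describe-file-system-policy nests the policy as a JSON *string*."""
    return json.loads(cli_output["Policy"])


def _statements(policy):
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else stmts


def policy_enforces_tls(policy):
    """Documented pattern: a Deny when aws:SecureTransport is false."""
    for s in _statements(policy):
        flag = s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if s.get("Effect") == "Deny" and str(flag).lower() == "false":
            return True
    return False


def policy_allows_anonymous_root(policy):
    """Unconditional Allow of ClientRootAccess (or *) to Principal "*".
    Simplified: Deny statements that could override it are not modelled."""
    root_actions = {"*", "elasticfilesystem:*", "elasticfilesystem:ClientRootAccess"}
    for s in _statements(policy):
        if s.get("Effect") != "Allow" or s.get("Condition"):
            continue
        if s.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = s.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if root_actions & set(actions):
            return True
    return False


def evaluate(fs, mount_target_sgs, security_groups, policy):
    """Return [(severity, message)]. mount_target_sgs: {mt-id: [sg-id]};
    security_groups: {sg-id: group}; policy: dict or None (PolicyNotFound)."""
    fs_id = fs["FileSystemId"]
    findings = []
    for mt_id, sg_ids in mount_target_sgs.items():
        for sg_id in sg_ids:
            cidrs = open_nfs_cidrs(security_groups[sg_id])
            if cidrs:
                findings.append(("Critical", f"{fs_id}: mount target {mt_id} security "
                                 f"group {sg_id} allows NFS from {', '.join(cidrs)}"))
    if policy is None:
        findings.append(("Medium", f"{fs_id}: no file system policy - any client "
                         "that can reach a mount target gets root access"))
    else:
        if not policy_enforces_tls(policy):
            findings.append(("High", f"{fs_id}: policy does not enforce "
                             "encryption in transit (aws:SecureTransport)"))
        if policy_allows_anonymous_root(policy):
            findings.append(("High", f"{fs_id}: policy grants ClientRootAccess "
                             "to any principal without conditions"))
    return findings


# Constructed sample data (IDs are made up).
SECURITY_GROUPS = {
    "sg-0worldopen": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 2049,
        "ToPort": 2049, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    "sg-0appsubnet": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 2049,
        "ToPort": 2049, "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []}]},
}
EXPOSED_FS = {"FileSystemId": "fs-0a1b2c3d4e5f6a7b8", "Encrypted": True}
HARDENED_FS = {"FileSystemId": "fs-09d8c7b6a5e4f3d2", "Encrypted": True}
# Shape of describe-file-system-policy output for the hardened system: mount
# and write only (no ClientRootAccess), and Deny unless the mount uses TLS.
HARDENED_POLICY_OUTPUT = {"FileSystemId": "fs-09d8c7b6a5e4f3d2", "Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"]},
        {"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})}

if __name__ == "__main__":
    for sev, msg in evaluate(EXPOSED_FS, {"fsmt-0aaa": ["sg-0worldopen"]},
                             SECURITY_GROUPS, None):
        print(sev, msg)
    print(evaluate(HARDENED_FS, {"fsmt-0bbb": ["sg-0appsubnet"]}, SECURITY_GROUPS,
                   parse_policy_output(HARDENED_POLICY_OUTPUT)))
```

The exposed sample produces the Critical and Medium findings shown at the top of this page; the hardened sample produces none. The root-access check is deliberately simple: it only flags an unconditional Allow and does not evaluate Deny statements, so treat a clean result as "nothing obvious" rather than proof of least privilege, and still review access points (the fourth manual check) separately.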
Check all 22 resource types at once
Instead of checking each service manually, scan your entire AWS account and see every public exposure ranked by risk.
Scan My Account