sassoftware / viya4-iac-aws

This project contains Terraform configuration files to provision infrastructure components required to deploy SAS Viya platform products on Amazon AWS.
Apache License 2.0

Suggestion: create separate Security Group for EFS Server's file system #280

Open miaeyg opened 5 months ago

miaeyg commented 5 months ago

When electing to use an AWS EFS Server as the shared file storage instead of the NFS Server then this EFS File System is assigned the <prefix>-eks_worker_sg security group.

I think the EFS file system deserves to get its own separate security group which allows only NFS access to it.

Here is a screenshot of how it looks now:

[screenshot: EFS file system security group assignment; image not included]
dhoucgitter commented 5 months ago

Hi @miaeyg, could you include some of the reasons you think having a separate SG for the EFS file system, rather than what is already in place, would be an advantage? Thanks.

miaeyg commented 5 months ago

Hi David,

Since all components deployed by TF have their own dedicated Security Group, which is in line with AWS' best practice of least-privilege permissions, I think EFS should follow the same principle and have its own dedicated security group with only the permissions appropriate for it, rather than using the EKS workers' security group, which has different requirements.

Regards, Eyal

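As an added illustration of the dedicated security group being suggested (example Terraform, not the project's own code): the EFS mount targets get their own SG that admits only NFS (TCP 2049) from the worker-node SG. The names `aws_security_group.eks_worker` (standing in for the existing `<prefix>-eks_worker_sg`), `var.prefix`, `module.vpc.vpc_id`, `aws_efs_file_system.efs_fs` and `var.private_subnet_ids` are assumptions about the surrounding configuration.

```hcl
# Added example, not from viya4-iac-aws. Assumed references:
# aws_security_group.eks_worker, var.prefix, module.vpc.vpc_id,
# aws_efs_file_system.efs_fs, var.private_subnet_ids.

# Dedicated SG for the EFS file system, separate from the worker-node SG.
resource "aws_security_group" "efs" {
  name        = "${var.prefix}-efs_sg"
  description = "NFS access to EFS from EKS worker nodes only"
  vpc_id      = module.vpc.vpc_id

  tags = { Name = "${var.prefix}-efs_sg" }
}

# Single ingress rule: NFS (TCP 2049), sourced from the worker SG rather
# than a CIDR block, so only instances carrying that SG can mount the share.
resource "aws_security_group_rule" "efs_nfs_in" {
  type                     = "ingress"
  security_group_id        = aws_security_group.efs.id
  from_port                = 2049
  to_port                  = 2049
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.eks_worker.id
  description              = "NFS from EKS worker nodes"
}

# No egress rule is defined on purpose: security groups are stateful, so
# NFS responses to established sessions are still allowed, and a mount
# target never initiates connections of its own.

# Attach the dedicated SG to every mount target instead of the worker SG.
resource "aws_efs_mount_target" "efs" {
  for_each        = toset(var.private_subnet_ids)
  file_system_id  = aws_efs_file_system.efs_fs.id
  subnet_id       = each.value
  security_groups = [aws_security_group.efs.id]
}
```

If the worker-node SG restricts outbound traffic, it additionally needs an egress rule for TCP 2049 towards `aws_security_group.efs.id`; after applying, `aws efs describe-mount-targets` followed by `aws efs describe-mount-target-security-groups` confirms that only the new SG is attached.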

dhoucgitter commented 1 month ago

Hi @miaeyg, would you be able to fork the IAC AWS project, create a development branch and PR to implement the changes that you are looking for?