Improve security by restricting the EFS mount

noexec: Do not permit direct execution of any binaries on the mounted filesystem. nodev: Do not interpret character or block special devices on the file system. nosuid: Do not honor set-user-ID and set-group-ID bits or file capabilities when executing programs from this filesystem.

Improve security by restricting the EFS mount
noexec: Do not permit direct execution of any binaries on the mounted filesystem. nodev: Do not interpret character or block special devices on the file system. nosuid: Do not honor set-user-ID and set-group-ID bits or file capabilities when executing programs from this filesystem.
4a555542 · Craig Andrews · 55b94b0f · 4a555542 · 4a555542
Commit 4a555542 authored Oct 02, 2019 by Craig Andrews
--- a/beanstalk/.ebextensions/storage-efs-mountfilesystem.config
+++ b/beanstalk/.ebextensions/storage-efs-mountfilesystem.config
@@ -36,7 +36,8 @@ files:
      $(/opt/elasticbeanstalk/bin/get-config environment -k EFS_FILE_SYSTEM_ID)

      [ ! -d /efs ] && mkdir /efs && chown versionpress:versionpress /efs
-      mountpoint -q /efs || mount -t efs "${EFS_FILE_SYSTEM_ID}":/ /efs -o fsc
+      mountpoint -q /efs || \
+        mount -t efs "${EFS_FILE_SYSTEM_ID}":/ /efs -o fsc,noexec,nodev,nosuid
      chown versionpress:versionpress /efs
      chmod 777 /efs


--- a/cloudformation.json
+++ b/cloudformation.json
@@ -1714,7 +1714,7 @@
 											{
 												"Ref": "FileSystem"
 											},
-											":/ /efs efs _netdev,fsc\" >> /etc/fstab"
+											":/ /efs efs _netdev,fsc,noexec,nodev,nosuid\" >> /etc/fstab"
 										]
 									]
 								},