Compliance · Medium severity

AWS Security Hub · EFS

EFS.3: EFS access points should enforce a root directory

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub EFS.3 check?

EFS.3 checks that EFS access points enforce a non-root root directory. It reports FAILED when an access point's root directory is "/", which gives clients the whole file system instead of a scoped subtree.

Why does EFS.3 matter?

An access point exists to chroot a client into an isolated subtree of shared storage. When its root is "/", that isolation is gone — every tenant or workload using the access point can reach every other tenant's data, defeating the point of using access points at all.

How do I fix EFS.3?

  1. List access points and find any with a RootDirectory of "/" using describe-access-points.
  2. Because access points are immutable, create a replacement scoped to a subdirectory, using CreationInfo so EFS auto-provisions the path with the right ownership and permissions.
  3. Repoint consumers at the new access point.
  4. Delete the old access point and add a guardrail so future ones are scoped.
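Step 1 as a small checker, added here as an example rather than Emnode's own code: it reads the JSON that aws efs describe-access-points returns, flags every access point whose RootDirectory.Path is "/" (or absent, which EFS treats as "/"), and carries the PosixUser and Name tag forward so the replacement created in step 2 can mirror them. The access point and file system ids in the embedded sample are constructed; the response shape is the real CLI one.

```python
import json
import sys

# Constructed sample in the shape `aws efs describe-access-points` returns; ids, paths and tags are made up.
SAMPLE_RESPONSE = {
    "AccessPoints": [
        {"AccessPointId": "fsap-0aaa111122223333a", "FileSystemId": "fs-0a1b2c3d4e5f67890",
         "RootDirectory": {"Path": "/"}, "PosixUser": {"Uid": 1001, "Gid": 1001},
         "Tags": [{"Key": "Name", "Value": "reports-unscoped"}]},
        {"AccessPointId": "fsap-0bbb111122223333b", "FileSystemId": "fs-0a1b2c3d4e5f67890",
         "RootDirectory": {"Path": "/reports", "CreationInfo": {
             "OwnerUid": 1001, "OwnerGid": 1001, "Permissions": "0750"}},
         "PosixUser": {"Uid": 1001, "Gid": 1001}},
        # RootDirectory omitted at creation means "/", so this one is unscoped too.
        {"AccessPointId": "fsap-0ccc111122223333c", "FileSystemId": "fs-0ccc000011112222d"},
    ]
}


def is_unscoped(access_point: dict) -> bool:
    """True when the access point hands clients the whole file system (EFS.3 FAILED)."""
    path = access_point.get("RootDirectory", {}).get("Path", "/")
    # Treat "", "/" and "//" alike: nothing but slashes means no scoping subtree.
    return path.strip("/") == ""


def find_unscoped(response: dict) -> list:
    """One finding per non-compliant access point, carrying what step 2 needs to rebuild it."""
    findings = []
    for ap in response.get("AccessPoints", []):
        if not is_unscoped(ap):
            continue
        name = next((t["Value"] for t in ap.get("Tags", []) if t.get("Key") == "Name"), None)
        findings.append({
            "AccessPointId": ap["AccessPointId"],
            "FileSystemId": ap["FileSystemId"],
            "PosixUser": ap.get("PosixUser"),  # replicate on the scoped replacement
            "Name": name,
        })
    return findings


if __name__ == "__main__":
    # Live use: `aws efs describe-access-points | python3 efs3_check.py` (the CLI pages
    # through NextToken for you); with no piped input the constructed sample is used.
    response = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_RESPONSE
    for f in find_unscoped(response):
        print(f"EFS.3 FAILED {f['AccessPointId']} on {f['FileSystemId']} "
              f"(Name={f['Name']}, PosixUser={f['PosixUser']})")
```

Each finding's FileSystemId and PosixUser map directly onto the --file-system-id and --posix-user arguments of the create-access-point call in the remediation script.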

Remediation script · bash

# 1. Create the scoped replacement (matches the original PosixUser, adds CreationInfo).
NEW=$(aws efs create-access-point \
  --file-system-id fs-0a1b2c3d4e5f67890 \
  --posix-user Uid=1001,Gid=1001 \
  --root-directory 'Path=/reports,CreationInfo={OwnerUid=1001,OwnerGid=1001,Permissions=0750}' \
  --tags Key=Name,Value=reports-scoped \
  --query 'AccessPointId' --output text)
echo "New access point: $NEW"

# 2. Repoint the Lambda consumer at the new access point, then validate before deleting.
aws lambda update-function-configuration \
  --function-name reporting-svc \
  --file-system-configs Arn=arn:aws:elasticfilesystem:us-east-1:111122223333:access-point/$NEW,LocalMountPath=/mnt/reports

# 3. Only after a successful read/write smoke test, retire the non-compliant access point.
aws efs delete-access-point --access-point-id fsap-0reports11aa22

Full walkthrough (console steps, edge cases and verification) in the lesson Enforce a root directory on EFS access points.

Is EFS.3 a false positive?

You cannot edit an access point's root directory — remediation is always create-scoped-replacement, repoint, delete-old.

  • EFS.1 EFS data is not encrypted at rest
  • EFS.2 EFS has no automatic backups
  • EFS.4 EFS access points should enforce a user identity
  • EFS.6 Mount targets not in public-IP subnets
  • EFS.7 EFS file systems should have automatic backups
  • EFS.8 EFS file systems should be encrypted at rest