Which solution will meet these requirements?
Mount the EFS file system in read-only mode from within the EC2 instances.
Create a resource policy for the EFS file system that denies the elasticfilesystem:ClientWrite action to the IAM roles that are attached to the EC2 instances.
Create an identity policy for the EFS file system that denies the elasticfilesystem:ClientWrite action on the EFS file system.
Create an EFS access point for each application. Use Portable Operating System Interface (POSIX) file permissions to allow read-only access to files in the root directory.
Explanations:
Mounting the EFS file system in read-only mode from within the EC2 instances can limit access temporarily, but it is not an IAM-based control and does not prevent the application from remounting in read-write mode.
A resource policy on the EFS file system that denies theelasticfilesystem:ClientWriteaction to the EC2 IAM roles will effectively prevent any write operations, satisfying the requirement to use IAM for access control.
IAM identity policies do not apply directly to EFS file systems; they apply to actions that the IAM principal can perform, not resource-level actions like file access.
POSIX permissions are not IAM-based and require additional management complexity. IAM-based controls were specified, so this approach does not meet the requirement.
If I had to guess, I’d say the answer is:
Create a resource policy for the EFS file system that denies the elasticfilesystem:ClientWrite action to the IAM roles that are attached to the EC2 instances.