Posted On: Dec 19, 2019
Today, Amazon Elastic File System (Amazon EFS) is introducing support for AWS Identity and Access Management (IAM) service-linked roles, a type of IAM role that lets you delegate permissions to an AWS service and see when that service uses them on your behalf.
The EFS service-linked role is predefined by Amazon EFS and includes only the permissions the service requires to call other AWS services on your behalf. Examples include creating and deleting the Amazon Elastic Compute Cloud (Amazon EC2) Elastic Network Interfaces (ENIs) that back the mount targets through which you access your EFS file systems.
Unlike a normal IAM role, you cannot delete the service-linked role while an Amazon EFS file system is still using it. This protects you from inadvertently revoking the permissions Amazon EFS needs on your resources. The service-linked role also helps with monitoring and auditing: because Amazon EFS assumes the role whenever it acts on your behalf, AWS CloudTrail records those actions under the role, so you can attribute them to the service rather than to a user or application principal and review them for anything outside the role's intended scope.
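One way to use that CloudTrail attribution in practice is to filter a trail for calls made with the EFS service-linked role and flag any that fall outside the narrow set of actions the role exists for. The example below is added here and is not AWS code. It assumes the role is named AWSServiceRoleForAmazonElasticFileSystem under the usual aws-service-role/&lt;service-principal&gt;/ path, that CloudTrail sets userIdentity.invokedBy to elasticfilesystem.amazonaws.com when the service itself uses the role, and that the expected-action set is limited to the ENI create/delete calls the announcement names; the sample records are constructed by hand, not captured output.

```python
import json

# Service principal Amazon EFS uses and the service-linked role it assumes.
# Assumption: the role ARN follows the aws-service-role/<principal>/<RoleName> path.
EFS_SERVICE_PRINCIPAL = "elasticfilesystem.amazonaws.com"
EFS_SLR_ARN_SUFFIX = (
    f":role/aws-service-role/{EFS_SERVICE_PRINCIPAL}/"
    "AWSServiceRoleForAmazonElasticFileSystem"
)

# (eventSource, eventName) pairs the role is expected to produce. The announcement
# names ENI creation/deletion for mount targets; assumption: extend this from the
# role's attached policy before relying on it for alerting.
EXPECTED_ACTIONS = {
    ("ec2.amazonaws.com", "CreateNetworkInterface"),
    ("ec2.amazonaws.com", "DeleteNetworkInterface"),
}


def _slr_record(event_time, source, name, invoked_by):
    """Build a constructed CloudTrail record for a call made with the EFS SLR."""
    identity = {
        "type": "AssumedRole",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "arn": "arn:aws:iam::123456789012" + EFS_SLR_ARN_SUFFIX,
            }
        },
    }
    if invoked_by:
        identity["invokedBy"] = invoked_by
    return {"eventTime": event_time, "eventSource": source,
            "eventName": name, "userIdentity": identity}


# Constructed sample trail (not real CloudTrail output).
SAMPLE_RECORDS = {"Records": [
    _slr_record("2019-12-19T10:00:01Z", "ec2.amazonaws.com",
                "CreateNetworkInterface", EFS_SERVICE_PRINCIPAL),
    _slr_record("2019-12-19T10:05:12Z", "ec2.amazonaws.com",
                "DeleteNetworkInterface", EFS_SERVICE_PRINCIPAL),
    # Neither an expected action nor invoked by the EFS service: worth a look.
    _slr_record("2019-12-19T10:07:30Z", "ec2.amazonaws.com",
                "AuthorizeSecurityGroupIngress", None),
    {   # A human principal creating a mount target; not an SLR event.
        "eventTime": "2019-12-19T10:09:00Z",
        "eventSource": "elasticfilesystem.amazonaws.com",
        "eventName": "CreateMountTarget",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
    },
]}
SAMPLE_CLOUDTRAIL_JSON = json.dumps(SAMPLE_RECORDS)


def issuer_arn(record):
    """Return the ARN of the role whose credentials made the call, or ''."""
    return (record.get("userIdentity", {}).get("sessionContext", {})
            .get("sessionIssuer", {}).get("arn", ""))


def is_efs_slr(record):
    """True when the call was made with the EFS service-linked role's credentials."""
    return issuer_arn(record).endswith(EFS_SLR_ARN_SUFFIX)


def triage(cloudtrail_json):
    """Count SLR vs. other events and flag SLR calls that look out of scope."""
    records = json.loads(cloudtrail_json)["Records"]
    report = {"slr_events": 0, "other_events": 0, "flagged": []}
    for rec in records:
        if not is_efs_slr(rec):
            report["other_events"] += 1
            continue
        report["slr_events"] += 1
        reasons = []
        if (rec["eventSource"], rec["eventName"]) not in EXPECTED_ACTIONS:
            reasons.append("action outside the role's expected set")
        if rec["userIdentity"].get("invokedBy") != EFS_SERVICE_PRINCIPAL:
            reasons.append("not invoked by " + EFS_SERVICE_PRINCIPAL)
        if reasons:
            report["flagged"].append({"eventTime": rec["eventTime"],
                                      "eventName": rec["eventName"],
                                      "reasons": reasons})
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_CLOUDTRAIL_JSON), indent=2))
```

Run against a real trail, the same two checks separate the routine ENI churn that mount targets produce from anything that would warrant opening a ticket: a call the role's policy should not allow, or role credentials used by something other than the EFS service.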