Posted On: Jan 13, 2020
You can now use AWS Identity and Access Management (IAM) to manage Network File System (NFS) access for Amazon Elastic File System (Amazon EFS). You can use IAM roles to identify NFS clients with cryptographic security and use IAM policies to manage client-specific permissions. This new capability provides a simplified way to manage access at scale in NFS environments and is complementary to network-based security controls. With IAM for NFS clients you can use the same tools and processes you use today for managing access to other AWS resources. Permission checks are logged to AWS CloudTrail so you can audit client access to your file system.
Using IAM for NFS clients is easy. With just a few clicks in the EFS console, you can apply common policies to your file system such as disabling root access, enforcing read-only access, or enforcing that all connections to your file system are encrypted. You can also apply more advanced policies such as granting access to specific IAM roles, including those in other AWS accounts. To use policies that grant access to specific IAM roles, enable your NFS clients to share their IAM identity with EFS by downloading the updated mount helper from Github and mounting your file system with the ‘-o iam’ mount option.
IAM for NFS clients is available today in all regions where Amazon EFS is available, at no additional charge.