How can I grant directory access to specific EC2 instances using IAM and EFS access points?

Last updated: 2020-09-02

I want to grant directory access to specific Amazon Elastic Compute Cloud (Amazon EC2) instances. How can I use AWS Identity and Access Management (IAM) roles and policies and Amazon Elastic File System (Amazon EFS) access points to do this?

Short description

Amazon EFS access points allow you to use the same file system for different instances while granting access to required directories only. To use access points and IAM to control access to your directories, you must:

  1. Create Amazon EFS access points for your file system.
  2. Create IAM policies for each instance granting ClientMount and ClientWrite permissions and then create roles for the policies.
  3. Create an EFS policy for your file system.
  4. Test your configuration.

Requirements

1.    You must have two EC2 instances in the same VPC as your file system (or otherwise able to reach your file system). Consider using the latest Amazon Linux 2 AMI. The security group attached to the instances must allow outbound access on port 2049 to your EFS file system.

2.    Use the following mount command to verify that your setup is properly configured. Run it on both EC2 instances; it mounts your file system at /efs. Replace the example file system DNS name with your own:

sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport fs-8ce001b4.efs.ap-southeast-2.amazonaws.com:/ /efs

3.    Unmount the file system on all of your instances, or you might get I/O errors later if you make a mistake when applying the EFS policy:

sudo umount /efs

4.    Using access points and IAM policies with Amazon EFS requires the amazon-efs-utils tool, which provides the efs mount helper used later in this article. Run the following command to install it:

sudo yum install -y amazon-efs-utils

If you're running a distribution other than Amazon Linux 2 and need installation instructions for amazon-efs-utils, see Installing the amazon-efs-utils package on other Linux distributions.

Resolution

Keep the following in mind:

  • The following resolution assumes you've already created an Amazon EFS file system without access points or any IAM policy. Make sure the security group attached to your file system allows inbound access on port 2049 from the instances in use.
  • The following resolution provides examples at some steps. The example names are APP_team and DB_team. Replace these example names with your resource names.

Create Amazon EFS access points

1.    Open the Amazon EFS console.

2.    Choose File systems, select the file system you want to manage access for, and then choose View details.

3.    Choose Access points, and then choose Create access point.

4.    Create the first access point by entering a Name and Root directory path.

Example

Name: App_team_AP
Root directory path: /App_team

5.    Choose Create access point.

6.    Repeat steps 2 through 4 to create a second access point:

Example

Name: DB_team_AP
Root directory path: /DB_team

7.    Choose Create access point. Note the access point IDs. An access point ID is similar to the following example:

fsap-0093c87d798ae5ccb

Note: You can also use an access point to enforce POSIX user identities (user IDs and group IDs) for all file system requests made through the access point. To enable this feature, specify the user and group ID when you create the access point. For more information, see Enforcing a user identity using an access point.

Create IAM policies and roles for your instances

1.    Open the IAM console.

2.    Create IAM policies for each instance. The following policies grant ClientMount and ClientWrite permissions. You can use these policies as a reference. Replace the value shown in Resource in these examples with your resource's ARN and replace the file system ID and access point ID with the correct values.

Example: App_team_policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite"
            ],
            "Resource": "arn:aws:elasticfilesystem:ap-southeast-2:123456789012:file-system/fs-8ce001b4",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "elasticfilesystem:AccessPointArn": "arn:aws:elasticfilesystem:ap-southeast-2:123456789012:access-point/fsap-0093c87d798ae5ccb"
                }
            }
        }
    ]
}

Example: DB_team_policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite"
            ],
            "Resource": "arn:aws:elasticfilesystem:ap-southeast-2:123456789012:file-system/fs-8ce001b4",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "elasticfilesystem:AccessPointArn": "arn:aws:elasticfilesystem:ap-southeast-2:123456789012:access-point/fsap-054969ebbe52a6121"
                }
            }
        }
    ]
}

3.    Choose Roles, and then choose Create role.

4.    Choose EC2 as your use case, and then choose Next: Permissions.

5.    Select one of the policies you just created, and then choose Next: Tags.

6.    Choose Next: Review.

7.    Enter a Role name, and then choose Create role.

Example

Role name: App_team_role
Policy: App_team_policy

8.    Repeat steps 3-7 for the second policy.

Example

Role name: DB_team_role
Policy: DB_team_policy

Create an EFS policy

1.    Open the Amazon EFS console.

2.    Choose File systems, select your file system, and then choose View details.

3.    Choose File system policy, and then choose Edit in the Policy section.

4.    Add the following policy to allow ClientMount and ClientWrite for the access points you created, each restricted to its matching instance role. Make sure you update Resource with your resource's ARN and replace the file system ID, access point IDs, and role ARNs with the correct values.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite"
            ],
            "Resource": "arn:aws:elasticfilesystem:ap-southeast-2:123456789012:file-system/fs-8ce001b4",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalArn": "arn:aws:iam::123456789012:role/DB_team_role",
                    "elasticfilesystem:AccessPointArn": "arn:aws:elasticfilesystem:ap-southeast-2:123456789012:access-point/fsap-054969ebbe52a6121"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite"
            ],
            "Resource": "arn:aws:elasticfilesystem:ap-southeast-2:123456789012:file-system/fs-8ce001b4",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalArn": "arn:aws:iam::123456789012:role/App_team_role",
                    "elasticfilesystem:AccessPointArn": "arn:aws:elasticfilesystem:ap-southeast-2:123456789012:access-point/fsap-0093c87d798ae5ccb"
                }
            }
        }
    ]
}

5.    Choose Save. Your file system is ready to use.

Test your configuration

1.    Access your instance (DB_team instance, in this example) without attaching any IAM role to the instance.

2.    Attempt to mount your file system. You receive an error message similar to the following:

sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport fs-8ce001b4.efs.ap-southeast-2.amazonaws.com:/ /efs

mount.nfs4: access denied by server while mounting fs-8ce001b4.efs.ap-southeast-2.amazonaws.com:/

3.    Assign the role you created for this instance (DB_team_role in this example) to the DB_team instance using the Amazon EC2 console. For instructions, see How do I assign an existing IAM role to an EC2 instance?

4.    Mount your file system using the first access point you created (App_team_AP in this example):

sudo mount -t efs -o tls,accesspoint=fsap-0093c87d798ae5ccb,iam fs-8ce001b4:/ /efs

mount.nfs4: access denied by server while mounting 127.0.0.1:/

5.    Run the umount command to unmount the file system:

sudo umount /efs

6.    Run the mount command to mount your file system using the second access point you created (DB_team_AP in this example). The file system mounts successfully because your instance role grants you the required permissions:

sudo mount -t efs -o tls,accesspoint=fsap-054969ebbe52a6121,iam fs-8ce001b4:/ /efs

7.    SSH into the App_team instance and repeat the preceding steps. You can't mount the file system using DB_team_AP while the instance is using App_team_role.

Your file system now allows mounts only when the EC2 instance involved is using the required IAM role.
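The four outcomes in this test section can be reasoned through offline. The following Python is an added example, not code from the article or from AWS: it generates the two policy statement shapes used above and evaluates a mount request against them with a simplified model of IAM's same-account allow logic (no Deny statements, single-valued condition keys), reproducing steps 2, 4, 6 and 7. The account, region, file system and access point IDs are the article's example values.

```python
"""Simplified model of how the identity policy and the file system policy
decide an EFS mount. Constructed example, not AWS code: the policy shapes
mirror the article's App_team/DB_team setup, and the evaluator models only
same-account Allow logic (the identity policy or the file system policy
must match; explicit Deny is not modelled)."""

ACCOUNT, REGION, FS_ID = "123456789012", "ap-southeast-2", "fs-8ce001b4"
FS_ARN = f"arn:aws:elasticfilesystem:{REGION}:{ACCOUNT}:file-system/{FS_ID}"
ACTIONS = ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"]


def ap_arn(ap_id):
    return f"arn:aws:elasticfilesystem:{REGION}:{ACCOUNT}:access-point/{ap_id}"

def role_arn(role):
    # aws:PrincipalArn carries the role ARN, never the instance-profile ARN
    return f"arn:aws:iam::{ACCOUNT}:role/{role}"

def identity_statement(ap_id):
    """Statement for a team role: mount/write only through its own access point."""
    return {"Effect": "Allow", "Action": ACTIONS, "Resource": FS_ARN,
            "Condition": {"ForAnyValue:StringEquals": {
                "elasticfilesystem:AccessPointArn": ap_arn(ap_id)}}}

def fs_statement(role, ap_id):
    """File system policy statement: this role may use only this access point."""
    return {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ACTIONS,
            "Resource": FS_ARN, "Condition": {"StringEquals": {
                "aws:PrincipalArn": role_arn(role),
                "elasticfilesystem:AccessPointArn": ap_arn(ap_id)}}}

def _matches(stmt, ctx, action):
    """Every condition key must be present in the request context and equal."""
    if action not in stmt["Action"] or stmt["Resource"] != FS_ARN:
        return False
    return all(ctx.get(key) == want for keys in stmt["Condition"].values()
               for key, want in keys.items())

def mount_allowed(identity_stmts, fs_stmts, role, ap_id):
    """ClientMount decision for an instance running `role` via access point `ap_id`.
    role=None is a plain nfs4 mount with no IAM identity; ap_id=None means no access point."""
    ctx = {"aws:PrincipalArn": role_arn(role) if role else None,
           "elasticfilesystem:AccessPointArn": ap_arn(ap_id) if ap_id else None}
    act = "elasticfilesystem:ClientMount"
    # an anonymous request has no identity policy; only the file system policy is checked
    id_ok = role is not None and any(_matches(s, ctx, act) for s in identity_stmts)
    return bool(id_ok or any(_matches(s, ctx, act) for s in fs_stmts))
```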
