How can I use system policies to control access to my EFS file system?


I want to access my Amazon Elastic File System (Amazon EFS) file system across accounts so that I can share files. How can I do this using AWS Identity and Access Management (IAM) authorization for NFS clients and EFS access points?

Short description

You can mount your Amazon EFS file system by using IAM authorization for NFS clients and access points with the Amazon EFS mount helper. By default, the mount helper uses DNS to resolve the IP address of your mount target. So if you're mounting from another account or Amazon Virtual Private Cloud (Amazon VPC), you must resolve the Amazon EFS mount target IP manually.

Prerequisites

  1. The VPCs of your NFS client and your EFS file system are connected using either a VPC peering connection or an AWS Transit Gateway. This allows Amazon Elastic Compute Cloud (Amazon EC2) instances from the same or different accounts to access EFS file systems in a different VPC.
  2. Your IAM role (instance role or any other role) has console or read access on both the Amazon EFS and NFS client resources.
  3. The Amazon EFS client and the botocore package are installed on the NFS client.

Resolution

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent version of the AWS Command Line Interface (AWS CLI).

In this example, the EFS file system is present in account A and the NFS client is present in account B.

1.    To access and mount the cross-account EFS file system, add a statement similar to the following to the IAM policy of the role that the NFS client uses (shown here inside a complete policy document):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EfsPermissions",
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite",
                "elasticfilesystem:ClientRootAccess"
            ],
            "Resource": "arn:aws:elasticfilesystem:region:account-id:file-system/file-system-id"
        }
    ]
}

This statement allows the IAM role to mount, write to, and have root access on the EFS file system. If your NFS client is an EC2 instance, attach the IAM role to the instance.

2.    Or, you can assume the role using the AWS CLI. Note that the AWS CLI can't resolve the DNS of an EFS file system present in another VPC. So, first determine the right mount target IP for your client. Then, configure the client to mount the EFS file system using that IP.

To ensure high availability, always use the mount target IP address in the same Availability Zone (AZ) as your NFS client. AZ name mappings might differ between accounts. Because you're mounting an EFS file system in another account, the NFS client and the mount target must be in the same AZ ID, not merely the same AZ name.

To determine the AZ of your EC2 instance, call the DescribeAvailabilityZones API using one of these methods:

  • Log in to the Amazon EC2 console, and choose Instances. Choose your EC2 instance ID, and then choose Networking. Under Networking details, you can find the Availability zone.

-or-

  • Run a command similar to this from the IAM entity that has sufficient read permissions for Amazon EC2. The output is similar to this:
$ aws ec2 describe-availability-zones --zone-name `curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone`
{
    "AvailabilityZones": [
        {
            "State": "available", 
            "ZoneName": "us-east-2b", 
            "Messages": [], 
            "ZoneId": "use2-az2", 
            "RegionName": "us-east-2"
        }
    ]
}

3.    To determine the mount target IP for the local AZ, call the DescribeMountTargets API using one of these methods:

  • Log in to the Amazon EFS console, and choose File Systems. Choose your EFS file system ID, and then under Network, note the IP address for your Availability zone.

-or-

  • Run a command similar to this from the IAM entity that has sufficient read permissions for Amazon EFS. The output is similar to this:
$ aws efs describe-mount-targets --file-system-id fs-cee4feb7
{
    "MountTargets": [
        {
            "MountTargetId": "fsmt-a9c3a1d0", 
            "AvailabilityZoneId": "use2-az2", 
            "NetworkInterfaceId": "eni-048c09a306023eeec", 
            "AvailabilityZoneName": "us-east-2b", 
            "FileSystemId": "fs-cee4feb7", 
            "LifeCycleState": "available", 
            "SubnetId": "subnet-06eb0da37ee82a64f", 
            "OwnerId": "958322738406", 
            "IpAddress": "10.0.2.153"
        }, 
...
        {
            "MountTargetId": "fsmt-b7c3a1ce", 
            "AvailabilityZoneId": "use2-az3", 
            "NetworkInterfaceId": "eni-0edb579d21ed39261", 
            "AvailabilityZoneName": "us-east-2c", 
            "FileSystemId": "fs-cee4feb7", 
            "LifeCycleState": "available", 
            "SubnetId": "subnet-0ee85556822c441af", 
            "OwnerId": "958322738406", 
            "IpAddress": "10.0.3.107"
        }
    ]
}

4.    From the output, note the IP address of the mount target whose AvailabilityZoneId matches the AZ ID of the EC2 instance.

5.    Use the IP address you obtained to add a hosts entry to the /etc/hosts file on the NFS client. The format of the entry is mount-target-IP-address file-system-ID.efs.region.amazonaws.com.

See this example command:

$ echo "10.0.2.153 fs-cee4feb7.efs.us-east-2.amazonaws.com" | sudo tee -a /etc/hosts

6.    Mount the EFS file system using the mount helper.

Note: In a cross-account scenario, you can't use the usual NFS mount command, so botocore and the Amazon EFS client are necessary.
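The following Python script automates steps 2 through 6. It is an added example and is not part of the AWS article or the Amazon EFS client: it takes the JSON that `aws ec2 describe-availability-zones` and `aws efs describe-mount-targets` return, selects the mount target whose AvailabilityZoneId matches the client's zone ID (not its zone name), writes the hosts entry idempotently so a stale IP from an earlier mount target is replaced rather than appended, and builds the mount helper command with the `tls` and `iam` options. The sample JSON is constructed from the values shown in the article, and the mount point /mnt/efs is an assumption.

```python
"""Cross-account EFS mount prerequisites, automated (added example, not AWS code)."""
import json

# Constructed sample: the describe-availability-zones output from the article.
DESCRIBE_AZ_OUTPUT = """
{
    "AvailabilityZones": [
        {"State": "available", "ZoneName": "us-east-2b", "Messages": [],
         "ZoneId": "use2-az2", "RegionName": "us-east-2"}
    ]
}
"""

# Constructed sample: two of the mount targets from the article's describe-mount-targets output.
DESCRIBE_MOUNT_TARGETS_OUTPUT = """
{
    "MountTargets": [
        {"MountTargetId": "fsmt-a9c3a1d0", "AvailabilityZoneId": "use2-az2",
         "AvailabilityZoneName": "us-east-2b", "FileSystemId": "fs-cee4feb7",
         "LifeCycleState": "available", "OwnerId": "958322738406", "IpAddress": "10.0.2.153"},
        {"MountTargetId": "fsmt-b7c3a1ce", "AvailabilityZoneId": "use2-az3",
         "AvailabilityZoneName": "us-east-2c", "FileSystemId": "fs-cee4feb7",
         "LifeCycleState": "available", "OwnerId": "958322738406", "IpAddress": "10.0.3.107"}
    ]
}
"""


def client_zone(describe_az_json: str) -> tuple:
    """Return (ZoneId, RegionName) for the client. Zone IDs are stable across accounts."""
    zones = json.loads(describe_az_json)["AvailabilityZones"]
    if len(zones) != 1:
        raise ValueError(f"expected exactly one zone, got {len(zones)}")
    return zones[0]["ZoneId"], zones[0]["RegionName"]


def choose_mount_target(describe_mt_json: str, zone_id: str) -> dict:
    """Pick the available mount target in the client's AZ ID.

    Matching on AvailabilityZoneId rather than AvailabilityZoneName is what keeps the
    client and the mount target in the same physical AZ across accounts. Raising when
    nothing matches prevents a silent cross-AZ mount.
    """
    targets = json.loads(describe_mt_json)["MountTargets"]
    candidates = [t for t in targets
                  if t["AvailabilityZoneId"] == zone_id and t["LifeCycleState"] == "available"]
    if not candidates:
        raise LookupError(f"no available mount target in AZ ID {zone_id}")
    return candidates[0]


def hosts_entry(ip: str, file_system_id: str, region: str) -> str:
    """Format the /etc/hosts line the mount helper resolves instead of DNS."""
    return f"{ip} {file_system_id}.efs.{region}.amazonaws.com"


def upsert_hosts(hosts_text: str, entry: str) -> str:
    """Return hosts content with `entry` present exactly once.

    Unlike `tee -a`, any existing line mapping the same hostname is dropped first, so a
    stale IP (for example from a mount target in another AZ) cannot win the lookup.
    """
    _ip, hostname = entry.split(" ", 1)
    kept = []
    for line in hosts_text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#") and hostname in fields[1:]:
            continue  # stale mapping for this hostname
        kept.append(line)
    kept.append(entry)
    return "\n".join(kept) + "\n"


def mount_command(file_system_id: str, mount_point: str = "/mnt/efs") -> list:
    """argv for the Amazon EFS mount helper with IAM authorization and TLS."""
    return ["sudo", "mount", "-t", "efs", "-o", "tls,iam", f"{file_system_id}:/", mount_point]


if __name__ == "__main__":
    zone_id, region = client_zone(DESCRIBE_AZ_OUTPUT)
    target = choose_mount_target(DESCRIBE_MOUNT_TARGETS_OUTPUT, zone_id)
    entry = hosts_entry(target["IpAddress"], target["FileSystemId"], region)
    print(entry)                                   # line to place in /etc/hosts
    print(" ".join(mount_command(target["FileSystemId"])))
```

On a real client, replace the two constants with the output of the corresponding AWS CLI calls and write the result of upsert_hosts back to /etc/hosts as root. If the mount helper should use the role assumed in step 2 rather than the instance profile, pass the profile name with the helper's awsprofile option in place of relying on iam alone.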

After following these steps, you can mount the EFS file system and start using it. If you experience any errors, see the troubleshooting guide.


Related information

Creating file system policies

AWS OFFICIAL, updated a year ago