How can I grant directory access to specific EC2 instances using IAM and EFS access points?

Last updated: 2023-01-18

I want to use AWS Identity and Access Management (IAM) and Amazon Elastic File System (Amazon EFS) to grant directory access to specific Amazon Elastic Compute Cloud Amazon (Amazon EC2) instances.

Short description

Use the same file system for different instances and grant access to specific directories with Amazon EFS access points. To use access points and IAM to control access to your directories, do the following:

1.    Create Amazon EFS access points for your file system.

2.    Grant ClientMount and ClientWrite permissions to create IAM policies for each instance. Then, create roles for the policies.

3.    Create an Amazon EFS policy for your file system.

4.    Test your configuration.

Resolution

Requirements

1.    You must have two Amazon EC2 instances in the same VPC used for your file system—or, you must make sure that the instances can reach your file system. It’s a best practice to use the latest Amazon Linux 2 AMI. The security group attached to the instances must allow outbound access on port 2049 towards your Amazon EFS.

2.    Before mounting your file system, add a rule to the mount target security group that allows inbound NFS access from the Amazon EC2 security group. For more information, see Using VPC security groups for Amazon EC2 instances and mount targets.
Note: It’s a best practice to use the file system's DNS name as your mounting option. The file system DNS name automatically resolves to the mount target’s IP address in the Availability Zone of the connecting EC2 instance. Get the file system DNS name from the console. Or, if you have the file system ID, then construct the file system DNS name using the following example:

file-system-id.efs.aws-region.amazonaws.com

3.    To test the connection from your client system where you mount to the EFS FQDN or the short name, you must do one of the following:

  • Perform telnet 2049.
  • Mount the EFS as an NFS type using the EFS FQDN where amazon-efs-utils aren't required.

The following command mounts your file system into both EC2 instances:

sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport file-system-id.efs.ap-southeast-2.amazonaws.com:/ /efs

Note: Replace the example file system with your file system.

If you test by mounting, then after it's mounted, run the umount command on your file system and on all of your EC2 instances. If umount isn't run, then I/O errors occur if you make a mistake when applying the EFS policy later on:

sudo umount /efs

4.    Using access points and IAM policies on Amazon EFS requires the amazon-efs-utils tool. Run the following command to install amazon-efs-utils:

sudo yum install -y amazon-efs-utils

If you run a distribution other than Amazon Linux 2 and need installation instructions for amazon-efs-utils, see Using the amazon-efs-utils tools. Also, verify the source code from a third-party such as GitHub.

Create Amazon EFS access points

Important: This resolution assumes that you already created an Amazon EFS without access points or any IAM policy. Make sure that the security group attached to your file system allows inbound access on port 2049 for the EC2 instances in use.

Note: Replace the example names (APP_team and DB_team) with your resource names.

1.    Open the Amazon EFS console.

2.    Choose File systems, select the file system that you want to manage access for, and then choose View details.

3.    Choose Access points, and then choose Create access point.

4.    Create the first access point by entering a Name and Root directory path. For example:

Name: App_team_AP

Root directory path: /App_team

Note: Amazon EFS creates an access point root directory only if the OwnUid, OwnGID, and permissions are specified for the directory. If you don't provide this information, then Amazon EFS doesn't create the root directory. If the root directory doesn't exist, then attempts to mount using the access point will fail with an error message such as "'b'mount.nfs4: access denied by server while mounting 127.0.0.1:/".

If you don't specify the ownership and permissions for an access point root directory, then Amazon EFS won't create the root directory. All attempts to mount the access point will fail, with the error "access denied". For more information, see Enforce root directory access point in EFS.

5.    Choose Create access point.

6.    Repeat steps 2 through 4 to create a second access point. For example:

Name: DB_team_AP

Root directory path: /DB_team

7.    Choose Create access point.

8.    Note the access point IDs. An access point ID is similar to the following example:

Access point ID: fsap-0093c87d798ae5ccb

Note: You also can use an access point to enforce POSIX identities (user IDs, group IDs) for all file system requests made through the access point. To activate this feature, specify the user and group ID when you create the access point. For more information, see Enforcing a user identify using an access point.

Create IAM policies and roles for your instances

1.    Open the IAM console.

2.    Create IAM policies for each instance. The following policies grant ClientMount and ClientWrite permissions. You can use these policies as a reference. First, replace the value shown in Resource in these examples with your resource's ARN. Then, replace the file system ID and access point ID with the correct values. For example:

App_team_policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:ClientMount",
        "elasticfilesystem:ClientWrite"
      ],
      "Resource": "arn:aws:elasticfilesystem:ap-southeast-2:123456789012:file-system/fs-8ce001b4",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "elasticfilesystem:AccessPointArn": "arn:aws:elasticfilesystem:ap-southeast-2:123456789012:access-point/fsap-0093c87d798ae5ccb"
        }
      }
    }
  ]
}

DB_team_policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:ClientMount",
        "elasticfilesystem:ClientWrite"
      ],
      "Resource": "arn:aws:elasticfilesystem:ap-southeast-2:123456789012:file-system/fs-8ce001b4",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "elasticfilesystem:AccessPointArn": "arn:aws:elasticfilesystem:ap-southeast-2:123456789012:access-point/fsap-054969ebbe52a6121"
        }
      }
    }
  ]
}

3.    Choose Roles, and then choose Create role.

4.    Choose EC2 as your use case, and then choose Next: Permissions.

5.    Select one of the policies that you just created, and then choose Next: Tags.

6.    Choose Next: Review.

7.    Enter a Role name, and then choose Create role. For example:

Role name: App_team_role

Policy: App_team_policy

8.    Repeat steps 3-7 for the second policy. For example:

Role name: DB_team_role

Policy: DB_team_policy

Create an EFS policy

1.    Open the Amazon EFS console.

2.    Choose File systems, select your file system, and then choose View Details.

3.    Choose File system policy, and then choose Edit in the Policy section.

4.    Add the following policy to allow ClientMount and ClientWrite for the access points that you created. Make sure you update Resource with your resource's ARN and replace the file system ID and access point ID with the correct values.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "elasticfilesystem:ClientMount",
        "elasticfilesystem:ClientWrite"
      ],
      "Resource": "arn:aws:elasticfilesystem:ap-southeast-2:123456789012:file-system/fs-8ce001b4",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalArn": "arn:aws:iam::123456789012:role/DBA_team_role",
          "elasticfilesystem:AccessPointArn": "arn:aws:elasticfilesystem:ap-southeast-2:123456789012:access-point/fsap-054969ebbe52a6121"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "elasticfilesystem:ClientMount",
        "elasticfilesystem:ClientWrite"
      ],
      "Resource": "arn:aws:elasticfilesystem:ap-southeast-2:123456789012:file-system/fs-8ce001b4",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalArn": "arn:aws:iam::123456789012:role/App_team_role",
          "elasticfilesystem:AccessPointArn": "arn:aws:elasticfilesystem:ap-southeast-2:123456789012:access-point/fsap-0093c87d798ae5ccb"
        }
      }
    }
  ]
}

5.    Choose Save. Your file system is ready to use.

Test your configuration

1.    Access your Amazon EC2 instance (DB_team instance, in this example) without attaching any IAM role to the Amazon EC2 instance.

2.    Attempt to mount your file system using mount command as NFS type. If you have a file system level resource-based access policy, then you receive an error message similar to the following:

sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport fs-8ce001b4.efs.ap-southeast-2.amazonaws.com:/ /efs
        
mount.nfs4: access denied by server while mounting fs-8ce001b4.efs.ap-southeast-2.amazonaws.com:/

3.    Assign the role that you created for this Amazon EC2 instance (DB_team_role in this example) to the DB_team Amazon EC2 instance using the Amazon EC2 console. For more information, see How do I assign an existing IAM role to an EC2 instance? If you can't assign a role to an Amazon EC2 instance as a profile role, then you can mount IAM using a named profile as a mount option along with an access point. For example:

sudo mount -t efs -o tls,iam,awsprofile=namedprofile,accesspoint=fsap- file-system-id efs-mount-point/

4.    Run the mount command to mount your file system using the second access point that you created (DB_team_AP in this example). If the file system mounts successfully, then your instance role is granting you permissions:

sudo mount -t efs -o tls,accesspoint=fsap-054969ebbe52a6121,iam fs-8ce001b4:/ /efs

5.    Run the umount command to unmount the file system:

sudo umount /efs

6.    Mount your file system using the first access point that you created (App_team_AP, for example) from the same Amazon EC2 instance that DB_team_role is assigned to. As expected, the mount operation is denied because of EFS access policy and IAM role calling:

sudo mount -t efs -o tls,accesspoint=fsap-0093c87d798ae5ccb,iam fs-8ce001b4:/ /efs 

mount.nfs4: access denied by server while mounting 127.0.0.1:/

7.    Use SSH to connect into the App_team instance, and perform the preceding steps. You can't mount the file system using DB_team_AP while using the App_team_role.

Your file system now allows mounts only when the EC2 instance involved is using the required IAM role.

sudo mount -t efs -o tls,accesspoint=fsap-0093c87d798ae5ccb,iam fs-8ce001b4:/ /efs

Did this article help?


Do you need billing or technical support?