How can I use system policies to control access to my EFS file system?


I want to access my Amazon Elastic File System (Amazon EFS) file system across AWS accounts so that I can share files. I want to use AWS Identity and Access Management (IAM) authorization for Network File System (NFS) clients and EFS access points.

Short description

To access your Amazon EFS file system, use IAM authorization for NFS clients and access points. To mount the EFS file system, use the Amazon EFS mount helper. By default, the mount helper uses DNS to resolve the IP address of your mount target. If you mount from another account or Amazon Virtual Private Cloud (Amazon VPC), then you must manually resolve the Amazon EFS mount target IP address.

Prerequisites:

  • Connect the VPCs of your NFS client and your EFS file system with either a VPC peering connection or a VPC Transit Gateway. This connection allows Amazon Elastic Compute Cloud (Amazon EC2) instances from the same or different accounts to access EFS file systems in a different VPC.
  • Give your IAM role console access or read access to both the Amazon EFS and NFS client resources.
  • Install the Amazon EFS client and the botocore package in the NFS client.
    Note: In a cross-account scenario, you can't run the usual NFS command, so the botocore package and Amazon EFS client are required.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Grant permissions to access and mount the cross-account EFS file system

To grant permissions to access and mount the cross-account EFS file system, either add a statement to your IAM policy, or use the AWS CLI to assume the role.

Add a policy statement

Add the following policy statement in the IAM policy:

{
    "Sid": "EfsPermissions",
    "Effect": "Allow",
    "Action": [
        "elasticfilesystem:ClientMount",
        "elasticfilesystem:ClientWrite",
        "elasticfilesystem:ClientRootAccess"
    ],
    "Resource": "arn:aws:elasticfilesystem:region:account-id:file-system/file-system-id"
}

Note: The preceding example statement allows the IAM role to have mount, write, and root access on the EFS file system. Include elasticfilesystem:ClientRootAccess only if the client actually needs root access on the file system. If your NFS client is an EC2 instance, then attach the IAM role to the instance.

Use the AWS CLI

To use the AWS CLI to assume the role, see How do I assume an IAM role using the AWS CLI?

Because the AWS CLI can't resolve the DNS of an EFS file system that's in another VPC, you must determine the right mount target IP address for your client. Then, configure the client. To mount the EFS file system, use the mount target IP address that's in the same Availability Zone as your NFS client. Availability Zone name mappings might differ between accounts. When you mount an EFS file system in another account, the NFS client and the mount target must be in the same Availability Zone.

Determine the Availability Zone of your EC2 instance

To determine the Availability Zone of your EC2 instance, use either the Amazon EC2 console or the AWS CLI.

Use the Amazon EC2 console

Complete the following steps:

  1. Open the Amazon EC2 console.
  2. Choose Instances.
  3. Choose EC2-Instance-ID, and then choose Networking.
  4. Under Networking details, find the Availability Zone.

Use the AWS CLI

Run the describe-availability-zones command from the IAM entity that has sufficient read permissions for Amazon EC2:

$ aws ec2 describe-availability-zones --zone-name `curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone`
{
    "AvailabilityZones": [
        {
            "State": "available",
            "ZoneName": "us-east-2b",
            "Messages": [],
            "ZoneId": "use2-az2",
            "RegionName": "us-east-2"
        }
    ]
}

Determine the mount target IP address for the local Availability Zone

To determine the mount target IP address for the local Availability Zone, use either the Amazon EFS console or the AWS CLI.

Use the Amazon EFS console

Complete the following steps:

  1. Open the Amazon EFS console.
  2. Choose File Systems.
  3. Choose EFS-File-System-ID.
  4. Under Network, note the IP address for your Availability Zone.

Use the AWS CLI

Complete the following steps:

  1. Run the describe-mount-targets command from the IAM entity that has sufficient read permissions for Amazon EC2:

    $ aws efs describe-mount-targets --file-system-id fs-cee4feb7
    {
        "MountTargets": [
            {
                "MountTargetId": "fsmt-a9c3a1d0",
                "AvailabilityZoneId": "use2-az2",
                "NetworkInterfaceId": "eni-048c09a306023eeec",
                "AvailabilityZoneName": "us-east-2b",
                "FileSystemId": "fs-cee4feb7",
                "LifeCycleState": "available",
                "SubnetId": "subnet-06eb0da37ee82a64f",
                "OwnerId": "958322738406",
                "IpAddress": "10.0.2.153"
            },
    ...
            {
                "MountTargetId": "fsmt-b7c3a1ce",
                "AvailabilityZoneId": "use2-az3",
                "NetworkInterfaceId": "eni-0edb579d21ed39261",
                "AvailabilityZoneName": "us-east-2c",
                "FileSystemId": "fs-cee4feb7",
                "LifeCycleState": "available",
                "SubnetId": "subnet-0ee85556822c441af",
                "OwnerId": "958322738406",
                "IpAddress": "10.0.3.107"
            }
        ]
    }
  2. From the preceding output, note the IP address that corresponds to the mount target in the instance's Availability Zone.

Add the hosts entry to the /etc/hosts file and mount the EFS file system

Complete the following steps:

  1. Run the following command to add the hosts entry to the /etc/hosts file in the NFS client:
    $ echo "10.0.2.153 fs-cee4feb7.efs.us-east-2.amazonaws.com" | sudo tee -a /etc/hosts
    Note: In the preceding command, the hosts entry uses the format mount-target-IP-address file-system-ID.efs.region.amazonaws.com. Replace the example IP address and file system ID with your mount target's IP address and your file system ID. With this entry in place, the mount helper resolves the file system's DNS name to the mount target in your Availability Zone.
  2. Use the mount helper to mount the EFS file system.
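
The following Python script is an added example and is not part of the original article or the Amazon EFS client. It carries the procedure above through in code: it picks the mount target from the describe-mount-targets output by Availability Zone ID (use2-az2) rather than by name, because name-to-ID mappings differ between accounts, builds the /etc/hosts entry, and appends it only when the DNS name is not already mapped. The JSON sample is constructed from the output shown above; the zone ID is assumed to come from the describe-availability-zones output.

```python
import json

# Constructed sample, modeled on the describe-mount-targets output above.
SAMPLE_DESCRIBE_MOUNT_TARGETS = json.dumps({
    "MountTargets": [
        {"MountTargetId": "fsmt-a9c3a1d0", "AvailabilityZoneId": "use2-az2",
         "AvailabilityZoneName": "us-east-2b", "FileSystemId": "fs-cee4feb7",
         "LifeCycleState": "available", "IpAddress": "10.0.2.153"},
        {"MountTargetId": "fsmt-b7c3a1ce", "AvailabilityZoneId": "use2-az3",
         "AvailabilityZoneName": "us-east-2c", "FileSystemId": "fs-cee4feb7",
         "LifeCycleState": "available", "IpAddress": "10.0.3.107"},
    ]
})


def select_mount_target_ip(describe_output_json, zone_id):
    """Return the IP of the available mount target in the client's Availability Zone.

    Match on AvailabilityZoneId (e.g. use2-az2, the ZoneId from
    describe-availability-zones), not on the zone name: the name-to-ID mapping
    differs between accounts, so a name match could pick a mount target in a
    different physical zone."""
    targets = json.loads(describe_output_json)["MountTargets"]
    for t in targets:
        if t["AvailabilityZoneId"] == zone_id and t["LifeCycleState"] == "available":
            return t["IpAddress"]
    raise LookupError(f"no available mount target in {zone_id}; create one there first")


def hosts_entry(ip, file_system_id, region):
    """Build the line in the format mount-target-IP file-system-ID.efs.region.amazonaws.com."""
    return f"{ip} {file_system_id}.efs.{region}.amazonaws.com"


def add_hosts_entry(hosts_text, entry):
    """Append entry to the hosts file contents unless the name is already mapped.

    Reruns are idempotent, and a stale mapping of the same DNS name to a
    different IP is reported instead of silently adding a second line."""
    ip, name = entry.split()[:2]
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # ignore comments
        if len(fields) >= 2 and name in fields[1:]:
            if fields[0] == ip:
                return hosts_text  # identical entry already present
            raise ValueError(f"{name} already maps to {fields[0]}; remove the stale entry first")
    sep = "" if not hosts_text or hosts_text.endswith("\n") else "\n"
    return hosts_text + sep + entry + "\n"
```

Write the returned text back to /etc/hosts with root privileges, then mount with the EFS mount helper as in step 2.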

If you experience issues when you're mounting the file system, then see Troubleshooting mount issues.

Related information

Creating file system policies

AWS OFFICIAL
Updated 3 months ago