Restricting access only to specific EFS folders per IAM user.


Hello everyone. The scenario: I have an EFS that contains various folders and subfolders. I also have multiple Linux users (more than 50) for which I also have IAM users defined, with some non-relative policies for S3 and other services.

My problem: I want to give permissions to specific users to be able to access (read/write/execute) on specific subfolders in the EFS.

Non-working solutions: One possible way (the typical one) would have been to set up groups, assign users to the groups and then give the corresponding access to the subfolders I want to these specific groups. However, for NFS access, Linux users by default can't be members of more than 16 groups; otherwise groups are not recognized properly on NFS. My scenario would possibly require a user to be able to access more than 20 subfolders, which would require him to be a member of 20+ groups. This makes the group solution not an option.

Maybe another solution would have been to set resource-based policies on the EFS, but resource-based policies are limited to 20K characters. So this is not an option for me either, since I have more than 50 users, and defining that resource-based policy would require many more characters. Also, I am pretty sure that with a resource-based policy I can't grant access to specific subfolders while denying it to others.

My obvious question: How can I do this? How can specific users access specific subfolders of an EFS? Thank you so much.

2 Answers

I think you are looking for Access Points on EFS, Working with Amazon EFS access points.

AWS
answered a year ago
  • I am not so sure how to do this. I mean, in the very end, with an AP, I will also have to define users and groups, right? But doesn't that mean that I will fall back to the old problem of a maximum of 16 groups per user? It would be ideal if that could be managed with IAM policies, so that Linux users can have r/w/x access to specific folders. Any idea?
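As an added illustration of the access-point approach (this is example code, not part of the answer above or of any AWS sample): each subfolder gets its own access point, which pins the root directory and overrides the NFS client's uid/gid with the access point's POSIX user, so the client's own group membership (and the 16-group limit) no longer decides what it can see. Each IAM user then gets an identity policy that allows ClientMount/ClientWrite on the file system only when the request arrives through one of that user's access points, using the `elasticfilesystem:AccessPointArn` condition key. Because the allow list lives in each user's identity policy rather than in one file-system policy, policy size grows per user, not with the total number of users. The region, account, file-system ID, access-point IDs, uids and the user-to-folder mapping below are all constructed placeholders; the helper names are mine.

```python
"""Per-user EFS authorization via access points (added example, not from the thread).

One access point per subfolder pins the root directory and the POSIX uid/gid
that EFS applies to every file operation; a per-user IAM identity policy lists
only the access points that user may mount. All IDs below are made-up.
"""
import json

REGION = "eu-west-1"              # assumed
ACCOUNT = "123456789012"          # assumed
FS_ID = "fs-0123456789abcdef0"    # assumed

# Constructed inventory: subfolder -> (access point id, uid, gid).
# In practice the ids come back from `aws efs create-access-point`
# (see build_create_command for the call that creates one).
ACCESS_POINTS = {
    "/projects/alpha": ("fsap-00000000000000a1", 5001, 5001),
    "/projects/beta":  ("fsap-00000000000000b2", 5002, 5002),
    "/projects/gamma": ("fsap-00000000000000c3", 5003, 5003),
}

# Constructed mapping: IAM user -> subfolders that user may read/write.
USER_FOLDERS = {
    "alice": ["/projects/alpha", "/projects/beta"],
    "bob":   ["/projects/gamma"],
}


def ap_arn(ap_id):
    return f"arn:aws:elasticfilesystem:{REGION}:{ACCOUNT}:access-point/{ap_id}"


def fs_arn():
    return f"arn:aws:elasticfilesystem:{REGION}:{ACCOUNT}:file-system/{FS_ID}"


def build_create_command(path, uid, gid):
    """aws CLI invocation that creates one access point rooted at `path`.

    --posix-user makes EFS replace the client's uid/gid with this identity;
    --root-directory confines the mount to `path` and creates it if missing.
    """
    return (
        "aws efs create-access-point "
        f"--file-system-id {FS_ID} "
        f"--posix-user Uid={uid},Gid={gid} "
        f'--root-directory "Path={path},'
        f'CreationInfo={{OwnerUid={uid},OwnerGid={gid},Permissions=0750}}"'
    )


def build_user_policy(user):
    """IAM identity policy for `user`.

    Allows mount + write on the file system, but only when the request comes
    through one of the user's assigned access points. A StringEquals condition
    with a list of values matches if the key equals any one of them.
    """
    arns = [ap_arn(ACCESS_POINTS[p][0]) for p in USER_FOLDERS[user]]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "MountOnlyAssignedAccessPoints",
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite",
            ],
            "Resource": fs_arn(),
            "Condition": {
                "StringEquals": {"elasticfilesystem:AccessPointArn": arns}
            },
        }],
    }


def build_mount_command(path, mountpoint):
    """Mount helper command for one subfolder. `iam` sends the caller's IAM
    identity so the policy above is evaluated; `tls` encrypts in transit."""
    ap_id = ACCESS_POINTS[path][0]
    return f"sudo mount -t efs -o tls,iam,accesspoint={ap_id} {FS_ID}:/ {mountpoint}"


def allowed(user, path):
    """Offline mirror of what the policy condition decides: is the access
    point for `path` in `user`'s allow list?"""
    return path in USER_FOLDERS.get(user, [])


if __name__ == "__main__":
    for path, (_ap, uid, gid) in ACCESS_POINTS.items():
        print(build_create_command(path, uid, gid))
    for user in USER_FOLDERS:
        print(f"# policy for {user}")
        print(json.dumps(build_user_policy(user), indent=2))
    print(build_mount_command("/projects/alpha", "/mnt/alpha"))
```

Two caveats a practitioner should keep in mind: the identity policy only takes effect when the client mounts with the EFS mount helper's `iam` option, and a file system with no file-system policy still grants full access to any anonymous NFS client that can reach a mount target, so pair the per-user policies with a file-system policy that restricts anonymous access. Also, since the access point substitutes its own uid/gid for the client's, the files inside each subfolder end up owned by the access point's POSIX user, not by the individual Linux user.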


From the Linux side, have you thought about using ACLs in addition to the basic file & directory ownership & permissions? So if you have 20 directories, a user doesn't need to be 20 different groups - with ACLs he needs to be in only one group, and that group can have an ACL entry in each of the 20 directories. Other users that require the same level of access can be put in the same group.

It's still going to need a bit of planning and forethought, but will likely be more manageable than what you describe above.

I must also caution that although I have used this approach when working with lots of users needing access to areas of directory trees on local storage, I haven't used it on EFS and/or NFSv4. So I can't guarantee there's not some technical constraint that will prevent this approach from working (though if that happens it would be interesting to know why it doesn't).

answered a year ago
  • Thanks, that would be ideal, but unfortunately EFS doesn't support ACLs.
