Amazon Elastic File System
User Guide

Amazon EFS API Permissions: Actions, Resources, and Conditions Reference

When you are setting up Access Control and writing a permissions policy that you can attach to an IAM identity (an identity-based policy), you can use the following table as a reference. The table lists each Amazon EFS API operation, the corresponding actions for which you can grant permissions to perform the operation, and the AWS resource for which you can grant the permissions. You specify the actions in the policy's Action field, and you specify the resource value in the policy's Resource field.

You can use AWS-wide condition keys in your Amazon EFS policies to express conditions. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide.

Note

To specify an action, use the elasticfilesystem: prefix followed by the API operation name (for example, elasticfilesystem:CreateFileSystem).


Amazon EFS API and Required Permissions for Actions

| Amazon EFS API Operations | Required Permissions (API Actions) | Resources |
|---|---|---|
| CreateFileSystem | elasticfilesystem:CreateFileSystem. For information about KMS-related permissions for encrypted file systems, see Amazon EFS Key Policies for AWS KMS. | arn:aws:elasticfilesystem:region:account-id:file-system/* |
| CreateMountTarget | elasticfilesystem:CreateMountTarget, ec2:DescribeSubnets, ec2:DescribeNetworkInterfaces, ec2:CreateNetworkInterface | arn:aws:elasticfilesystem:region:account-id:file-system/file-system-id |
| CreateTags | elasticfilesystem:CreateTags | arn:aws:elasticfilesystem:region:account-id:file-system/filesystem-id |
| DeleteFileSystem | elasticfilesystem:DeleteFileSystem | arn:aws:elasticfilesystem:region:account-id:file-system/filesystem-id |
| DeleteMountTarget | elasticfilesystem:DeleteMountTarget, ec2:DeleteNetworkInterface | arn:aws:elasticfilesystem:region:account-id:file-system/filesystem-id |
| DeleteTags | elasticfilesystem:DeleteTags | arn:aws:elasticfilesystem:region:account-id:file-system/filesystem-id |
| DescribeFileSystems | elasticfilesystem:DescribeFileSystems | arn:aws:elasticfilesystem:region:account-id:file-system/filesystem-id or arn:aws:elasticfilesystem:region:account-id:file-system/* |
| DescribeMountTargetSecurityGroups | elasticfilesystem:DescribeMountTargetSecurityGroups, ec2:DescribeNetworkInterfaceAttribute | arn:aws:elasticfilesystem:region:account-id:file-system/filesystem-id |
| DescribeMountTargets | elasticfilesystem:DescribeMountTargets | arn:aws:elasticfilesystem:region:account-id:file-system/filesystem-id |
| DescribeTags | elasticfilesystem:DescribeTags | arn:aws:elasticfilesystem:region:account-id:file-system/filesystem-id |
| ModifyMountTargetSecurityGroups | elasticfilesystem:ModifyMountTargetSecurityGroups, ec2:ModifyNetworkInterfaceAttribute | arn:aws:elasticfilesystem:region:account-id:file-system/filesystem-id |
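Several operations in the table above need EC2 actions in addition to the elasticfilesystem: action. The following check is an added example, not part of the original guide or an AWS tool: it reports which of those companion EC2 actions an identity-based policy leaves out. The function names and the sample policy (with its region and account ID) are constructed for illustration, and the check reads only the Action field of Allow statements; it does not evaluate Deny, NotAction, Resource, or Condition.

```python
import fnmatch

# Companion EC2 actions per EFS operation, copied from the table above.
REQUIRED = {
    "CreateMountTarget": ["ec2:DescribeSubnets", "ec2:DescribeNetworkInterfaces",
                          "ec2:CreateNetworkInterface"],
    "DeleteMountTarget": ["ec2:DeleteNetworkInterface"],
    "DescribeMountTargetSecurityGroups": ["ec2:DescribeNetworkInterfaceAttribute"],
    "ModifyMountTargetSecurityGroups": ["ec2:ModifyNetworkInterfaceAttribute"],
}

def allowed_patterns(policy):
    """Collect Action patterns from Allow statements (Statement may be a dict or a list)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            actions = stmt["Action"]
            patterns += [actions] if isinstance(actions, str) else list(actions)
    return patterns

def is_granted(action, patterns):
    # IAM action names are case-insensitive; * and ? act as wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_companions(policy):
    """Map each allowed EFS operation to the EC2 actions the policy does not allow."""
    patterns = allowed_patterns(policy)
    gaps = {}
    for operation, ec2_actions in REQUIRED.items():
        if is_granted("elasticfilesystem:" + operation, patterns):
            missing = [a for a in ec2_actions if not is_granted(a, patterns)]
            if missing:
                gaps[operation] = missing
    return gaps

# Constructed sample policy: the region and account ID are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["elasticfilesystem:CreateMountTarget", "elasticfilesystem:DeleteMountTarget"],
         "Resource": "arn:aws:elasticfilesystem:us-west-2:111122223333:file-system/*"},
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:CreateNetworkInterface"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(missing_companions(SAMPLE_POLICY))
```

In the sample, ec2:Describe* covers the two describe actions that CreateMountTarget needs, so only DeleteMountTarget is reported as missing its EC2 action.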