Amazon Elastic File System
User Guide

Managing Amazon EFS File Systems

File system management tasks refer to creating and deleting file systems, managing tags, and managing network accessibility of an existing file system. Managing network accessibility is about creating and managing mount targets.

You can perform these file system management tasks using the Amazon EFS console, AWS Command Line Interface (AWS CLI), or programmatically, as discussed in the following sections.

If you are new to Amazon EFS, we recommend that you try the following exercises that provide you with first-hand end-to-end experience using an Amazon EFS file system:

  • Getting Started – This exercise provides a console-based, end-to-end setup in which you create a file system, mount it on an EC2 instance, and test the setup. The console takes care of many things for you and thus helps you quickly set up the end-to-end experience.

  • Walkthrough 1: Create Amazon EFS File System and Mount It on an EC2 Instance Using the AWS CLI – This walkthrough is similar to the Getting Started exercise, but it uses the AWS CLI to perform most of the tasks. Because the CLI commands closely map to the Amazon EFS API, the walkthrough can help you familiarize yourself with the Amazon EFS API.

Managing Access to Encrypted File Systems

Using Amazon EFS, you can create encrypted file systems. If you create an encrypted file system, data and metadata are encrypted at rest. Amazon EFS uses AWS Key Management Service (AWS KMS) for key management. When you create an encrypted file system, you specify a customer master key (CMK). The CMK can be aws/elasticfilesystem (the AWS-managed CMK for Amazon EFS) or it can be a CMK that you manage.

File data (that is, the contents of your files) is encrypted using the CMK you specified when you created the file system. Metadata (that is, file names, directory names, and directory contents) is encrypted by a key that Amazon EFS manages.

The AWS-managed CMK for your file system is used as the master key for the metadata in your file system, for example file names, directory names, and directory contents. You own the CMK used to encrypt file data (that is, the contents of your files).

You manage who has access to your CMKs and the contents of your encrypted file systems. This access is controlled by both AWS Identity and Access Management (IAM) policies and AWS KMS. IAM policies control a user's access to Amazon EFS API actions. AWS KMS key policies control a user's access to the CMK you specified when the file system was created. For more information, see the following:

As a key administrator, you can import external keys and you can modify keys by enabling, disabling, or deleting them. The state of the CMK that you specified when you encrypted the file system affects access to its contents. The CMK must be in the enabled state for users to have access to the contents of an encrypted file system.

Performing Administrative Actions on Amazon EFS Customer Master Keys

Following, you can find how to enable, disable, or delete the CMKs associated with your Amazon EFS file system. You can also learn about the behavior to expect from your file system when you perform these actions.

Disabling, Deleting, or Revoking Access to the CMK for a File System

You can disable or delete your custom CMKs, or you can revoke Amazon EFS's access to your CMKs. Disabling and revoking access for Amazon EFS to your keys are reversible actions. Significant caution should be exercised when deleting CMKs. Deleting a CMK is an irreversible action.

If you disable or delete the CMK used for your mounted file system, the following is true:

  • That CMK can't be used as the master key for new encrypted file systems.

  • Existing encrypted file systems that use that CMK will stop working after a period of time.

If you revoke Amazon EFS's access to a grant for any existing mounted file system, the behavior is the same as if you disabled or deleted the associated CMK. In other words, the encrypted file system continues to function, but will stop working after a period of time.

To prevent access to a mounted encrypted file system that has a CMK that you've disabled, deleted, or revoked Amazon EFS's access to, unmount the file system and delete your Amazon EFS mount targets.

You can't immediately delete an AWS KMS key, but you can instead schedule a key to be deleted. The earliest a CMK can be deleted is seven days after the key has been scheduled for deletion. When a key is scheduled for deletion, it behaves as if it is disabled. You can also cancel a key's scheduled deletion. For more information on deleting a master key in AWS KMS, see Deleting Customer Master Keys in the AWS Key Management Service Developer Guide.
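As an added example (not from the AWS documentation): a defender-side audit that flags every encrypted file system whose CMK is disabled or scheduled for deletion, so the unmount-and-delete-mount-targets step above can be planned before the file system stops working. The record shapes mirror the JSON returned by `aws efs describe-file-systems` and `aws kms describe-key`; the file system and key records below are constructed sample data so the check runs offline.

```python
# Added example, not AWS code. Audit the KMS key state behind each encrypted EFS
# file system. Inputs are shaped like the "FileSystems" list from
# `aws efs describe-file-systems` and the "KeyMetadata" object from
# `aws kms describe-key`; the sample records are constructed.
from datetime import datetime, timezone

# Key states in which a file system that uses the key will stop working after a
# period of time. A key scheduled for deletion behaves as if it were disabled.
UNUSABLE_STATES = {"Disabled", "PendingDeletion", "PendingImport", "Unavailable"}

KEY_A = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"

SAMPLE_FILE_SYSTEMS = [  # constructed sample data
    {"FileSystemId": "fs-0example01", "Encrypted": True, "KmsKeyId": KEY_A},
    {"FileSystemId": "fs-0example02", "Encrypted": True, "KmsKeyId": KEY_B},
    {"FileSystemId": "fs-0example03", "Encrypted": False},
]

SAMPLE_KEYS = {  # constructed sample data, keyed by key ARN
    KEY_A: {"KeyState": "Enabled", "Enabled": True},
    KEY_B: {"KeyState": "PendingDeletion", "Enabled": False,
            "DeletionDate": datetime(2024, 1, 8, tzinfo=timezone.utc)},
}
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed "current" time


def audit_efs_keys(file_systems, keys, now=None):
    """Return (file_system_id, reason) for each encrypted file system whose CMK
    cannot currently be used; unencrypted file systems have no CMK dependency."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for fs in file_systems:
        if not fs.get("Encrypted"):
            continue
        meta = keys.get(fs["KmsKeyId"])
        if meta is None:  # key deleted, in another account, or access revoked
            findings.append((fs["FileSystemId"], "key not found or not accessible"))
            continue
        state = meta["KeyState"]
        if state not in UNUSABLE_STATES:
            continue
        reason = state
        if state == "PendingDeletion" and "DeletionDate" in meta:
            days_left = (meta["DeletionDate"] - now).days
            reason = f"PendingDeletion ({days_left} days until irreversible deletion)"
        findings.append((fs["FileSystemId"], reason))
    return findings


def run_sample_audit():
    return audit_efs_keys(SAMPLE_FILE_SYSTEMS, SAMPLE_KEYS, SAMPLE_NOW)
```

A finding with a PendingDeletion reason still has a cancellation window: the scheduled deletion can be cancelled until the deletion date, after which the file data is unrecoverable.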

The following procedure outlines how to disable a CMK.

To disable a CMK

  1. Open the Encryption Keys section of the IAM console at https://console.aws.amazon.com/iam/home#encryptionKeys.

  2. For Region, choose the appropriate AWS Region. Don't use the region selector in the navigation bar (top right corner).

  3. Select the check box or boxes next to the alias of the CMK or CMKs that you want to disable.

    Note

    You can't disable AWS-managed CMKs, which are denoted by the orange AWS icon.

  4. To disable a CMK, choose Key actions, Disable.

The following procedure outlines how to enable a CMK.

To enable a CMK

  1. Open the Encryption Keys section of the IAM console at https://console.aws.amazon.com/iam/home#encryptionKeys.

  2. For Region, choose the appropriate AWS Region. Don't use the region selector in the navigation bar (top right corner).

  3. Select the check box or boxes next to the alias of the CMK or CMKs that you want to enable.

    Note

    You can't enable AWS-managed CMKs, which are denoted by the orange AWS icon.

  4. To enable a CMK, choose Key actions, Enable.