Amazon Elastic File System
User Guide


Following, you can find a description of security considerations for working with Amazon EFS. There are four levels of access control to consider for Amazon EFS file systems, with different mechanisms used for each.

AWS Identity and Access Management (IAM) permissions for API calls

This section describes security considerations for working with Amazon EFS. There are three levels of access control to consider for Amazon EFS file systems, with different mechanisms used for each.

Example: IAM user Alice has permissions to retrieve descriptions of all file systems in her parent AWS account, but she is only allowed to manage the security groups for one of them, file system ID fs-12345678.

File systems are created, managed, and deleted with calls to the Amazon EFS API. If the caller is using credentials for an AWS Identity and Access Management (IAM) user or assumed role, each API call requires that the caller have permissions for the action being called in its IAM policy. Some API actions support policy permissions specific to the file system that is the object of the call (that is, resource-level permissions).  API calls made with an account's root credentials have permissions for all API actions on file systems owned by the account.  For more information about IAM permissions with the Amazon EFS API, see Authentication and Access Control for Amazon EFS.

Security Groups for EC2 Instances and Mount Targets

When using Amazon EFS, you specify Amazon EC2 security groups for your EC2 instances and security groups for the EFS mount targets associated with the file system. Security groups act as a firewall, and the rules you add define the traffic flow. In the Getting Started exercise, you created one security group when you launched the EC2 instance. You then associated another with the EFS mount target (that is, the default security group for your default VPC). That approach works for the Getting Started exercise. However, for a production system, you should set up security groups with minimal permissions for use with EFS.

You can authorize inbound and outbound access to your EFS file system. To do so, you add rules that allow your EC2 instance to connect to your Amazon EFS file system through the mount target using the Network File System (NFS) port. Take the following steps to create and update your security groups.

To create security groups for EC2 instances and mount targets

  1. Create two security groups in your VPC.

    For instructions, see Creating a Security Group in the Amazon VPC User Guide. Follow the steps in the procedure "To create a security group."

  2. In the VPC console, verify the default rules for these security groups. Both security groups should have only an outbound rule that allows traffic to leave.

To update the necessary access for your security groups

  1. For the EC2 security group, add a rule to allow inbound access using Secure Shell (SSH) from any host. Optionally, restrict the Source address.

    You don't need to add an outbound rule, because the default outbound rule allows all traffic to leave. If this were not the case, you'd need to add an outbound rule to open the TCP connection on the NFS port, identifying the mount target security group as the destination.

    For instructions, see Adding and Removing Rules in the Amazon VPC User Guide.

  2. For the mount target security group, add a rule to allow inbound access from the EC2 security group as shown (the EC2 security group is identified as the source).

  3. Verify that both security groups now authorize inbound and outbound access.

For more information about security groups, see Security Groups for EC2-VPC in the Amazon EC2 User Guide for Linux Instances.

Security considerations for mounting an Amazon EFS file system

An NFSv4.1 client can only mount a file system if it can make a network connection to the NFS port of one of the file system's mount targets. Similarly, an NFSv4.1 client can only assert a user and group ID when accessing a file system if it can make this network connection. The ability to make this network connection is governed by a combination of the following:

  • Network isolation provided by the mount targets' VPC – File system mount targets cannot have public IP addresses associated with them. Only Amazon EC2 instances in the Amazon VPC or on-premises servers connected to the Amazon VPC by using AWS Direct Connect can mount Amazon EFS file systems. Other mechanisms for connecting to a VPC's private IP addresses from outside the VPC, such as VPN connections and VPC peering, cannot currently be used to mount Amazon EFS file systems. Don't rely on them for file system access control.

  • Network access control lists (ACLs) of the VPC subnets of the client and mount targets (for access from outside the mount target's subnets) – To mount a file system, the client must be able to make a TCP connection to the NFS port of a mount target and receive return traffic.

  • Rules of the client's and mount targets' VPC security groups (for all access) – For an EC2 instance to mount the file system, the following security group rules must be in effect:

    • The file system must have a mount target whose network interface has a security group with a rule that enables inbound connections on the NFS port from the instance. Inbound connections can be enabled either by IP address (CIDR range) or security group. The source of the security group rules for the inbound NFS port on mount target network interfaces is a key element of file system access control. Inbound rules other than the one for the NFS port, and any outbound rules, are of no use to network interfaces for file system mount targets.

    • The mounting instance must have a network interface with a security group rule that enables outbound connections to the NFS port on one of the file system's mount targets. Outbound connections can be enabled either by IP address (CIDR range) or security group.

For more information, see Creating Mount Targets.

Read, Write, and Execute Permissions for Files and Directories

Example: Alice has permissions to read and write any files she wants in her personal directory on a file system, /alice.  Alice is not allowed to read or write any files in Mark's personal directory on the same file system, /mark.  Both Alice and Mark are allowed to read but not write files in the shared directory /share.

Files and directories in an EFS file system support standard Unix-style read, write, and execute permissions based on the user and group ID asserted by the mounting NFSv4.1 client.  For more information, see Network File System (NFS)–Level Users, Groups, and Permissions.


This layer of access control depends on trusting the NFSv4.1 client in its assertion of the user and group ID. There is no authentication of the identity of the NFSv4.1 client when establishing a mount connection. Thus, any NFSv4.1 client that can make a network connection to the NFS port of a file system's mount target IP address can read and write the file system as the root user ID.