AWS::EFS::FileSystem - AWS CloudFormation


The AWS::EFS::FileSystem resource creates a new, empty file system in Amazon Elastic File System (Amazon EFS). You must create a mount target (AWS::EFS::MountTarget) to mount your EFS file system on an Amazon Elastic Compute Cloud (Amazon EC2) instance or another compute resource.


To declare this entity in your AWS CloudFormation template, use the following syntax:


{ "Type" : "AWS::EFS::FileSystem", "Properties" : { "BackupPolicy" : BackupPolicy, "Encrypted" : Boolean, "FileSystemPolicy" : Json, "FileSystemTags" : [ ElasticFileSystemTag, ... ], "KmsKeyId" : String, "LifecyclePolicies" : [ LifecyclePolicy, ... ], "PerformanceMode" : String, "ProvisionedThroughputInMibps" : Double, "ThroughputMode" : String } }



Use the BackupPolicy to turn automatic backups on or off for the file system.

Required: No

Type: BackupPolicy

Update requires: No interruption


A Boolean value that, if true, creates an encrypted file system. When creating an encrypted file system, you have the option of specifying a KmsKeyId for an existing AWS Key Management Service (AWS KMS) customer master key (CMK). If you don't specify a CMK, then the default CMK for Amazon EFS, /aws/elasticfilesystem, is used to protect the encrypted file system.

Required: Conditional

Type: Boolean

Update requires: Replacement


The FileSystemPolicy for the EFS file system. A file system policy is an IAM resource policy used to control NFS access to an EFS file system. For more information, see Using IAM to Control NFS Access to Amazon EFS in the Amazon EFS User Guide.

Required: No

Type: Json

Update requires: No interruption


A value that specifies to create one or more tags associated with the file system. Each tag is a user-defined key-value pair. Name your file system on creation by including a "Key":"Name","Value":"{value}" key-value pair.

Required: No

Type: List of ElasticFileSystemTag

Update requires: No interruption


The ID of the AWS KMS customer master key (CMK) to be used to protect the encrypted file system. This parameter is only required if you want to use a nondefault CMK. If this parameter is not specified, the default CMK for Amazon EFS is used. This ID can be in one of the following formats:

  • Key ID - A unique identifier of the key, for example 1234abcd-12ab-34cd-56ef-1234567890ab.

  • ARN - An Amazon Resource Name (ARN) for the key, for example arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab.

  • Key alias - A previously created display name for a key, for example alias/projectKey1.

  • Key alias ARN - An ARN for a key alias, for example arn:aws:kms:us-west-2:444455556666:alias/projectKey1.

If KmsKeyId is specified, the Encrypted parameter must be set to true.

Required: No

Type: String

Maximum: 2048

Pattern: ^([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|alias/[a-zA-Z0-9/_-]+|(arn:aws[-a-z]*:kms:[a-z0-9-]+:\d{12}:((key/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})|(alias/[a-zA-Z0-9/_-]+))))$

Update requires: Replacement


A list of policies used by EFS lifecycle management to transition files to the Infrequent Access (IA) storage class.

Required: No

Type: List of LifecyclePolicy

Update requires: No interruption


The performance mode of the file system. We recommend generalPurpose performance mode for most file systems. File systems using the maxIO performance mode can scale to higher levels of aggregate throughput and operations per second with a tradeoff of slightly higher latencies for most file operations. The performance mode can't be changed after the file system has been created.

Required: No

Type: String

Allowed values: generalPurpose | maxIO

Update requires: Replacement


The throughput, measured in MiB/s, that you want to provision for a file system that you're creating. Valid values are 1-1024. Required if ThroughputMode is set to provisioned. The upper limit for throughput is 1024 MiB/s. You can get this limit increased by contacting AWS Support. For more information, see Amazon EFS Limits That You Can Increase in the Amazon EFS User Guide.

Required: Conditional

Type: Double

Update requires: No interruption


The throughput mode for the file system to be created. There are two throughput modes to choose from for your file system: bursting and provisioned. If you set ThroughputMode to provisioned, you must also set a value for ProvisionedThroughPutInMibps. You can decrease your file system's throughput in Provisioned Throughput mode or change between the throughput modes as long as it’s been more than 24 hours since the last decrease or throughput mode change. For more, see Specifying Throughput with Provisioned Mode in the Amazon EFS User Guide.

Required: No

Type: String

Allowed values: bursting | provisioned

Update requires: No interruption

Return values


When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource ID. For example:


For the Amazon EFS file system fs-12345678, Ref returns the file system ID.

For more information about using the Ref function, see Ref.


The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.


Not currently supported by AWS CloudFormation.


The ID of the EFS file system. For example: fs-0123456


Create an Encrypted File System

The following example declares an encrypted Amazon EFS file system.


"{ "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "MountTargetVPC": { "Type": "AWS::EC2::VPC", "Properties": { "CidrBlock": "" } }, "MountTargetSubnetOne": { "Type": "AWS::EC2::Subnet", "Properties": { "CidrBlock": "", "VpcId": { "Ref": "MountTargetVPC" }, "AvailabilityZone": "us-east-1a" } }, "MountTargetSubnetTwo": { "Type": "AWS::EC2::Subnet", "Properties": { "CidrBlock": "", "VpcId": { "Ref": "MountTargetVPC" }, "AvailabilityZone": "us-east-1a" } }, "MountTargetSubnetThree": { "Type": "AWS::EC2::Subnet", "Properties": { "CidrBlock": "", "VpcId": { "Ref": "MountTargetVPC" }, "AvailabilityZone": "us-east-1a" } }, "FileSystemResource": { "Type": "AWS::EFS::FileSystem", "Properties": { "PerformanceMode": "maxIO", "LifecyclePolicies":[ { "TransitionToIA" : "AFTER_30_DAYS" } ], "Encrypted": true, "FileSystemTags": [ { "Key": "Name", "Value": "TestFileSystem" } ], "FileSystemPolicy": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticfilesystem:ClientMount" ], "Principal": {"AWS": "arn:aws:iam::111122223333:root"} } ] }, "BackupPolicy": { "Status": "ENABLED" }, "KmsKeyId": { "Fn::GetAtt": [ "key", "Arn" ] } } }, "key": { "Type": "AWS::KMS::Key", "Properties": { "KeyPolicy": { "Version": "2012-10-17", "Id": "key-default-1", "Statement": [ { "Sid": "Allow administration of the key", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:aws:iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } }, "Action": [ "kms:*" ], "Resource": "*", "AWS": "*" } ] } } }, "MountTargetResource1": { "Type": "AWS::EFS::MountTarget", "Properties": { "FileSystemId": { "Ref": "FileSystemResource" }, "SubnetId": { "Ref": "MountTargetSubnetOne" }, "SecurityGroups": [ { "Fn::GetAtt": [ "MountTargetVPC", "DefaultSecurityGroup" ] } ] } }, "MountTargetResource2": { "Type": "AWS::EFS::MountTarget", "Properties": { "FileSystemId": { "Ref": "FileSystemResource" }, "SubnetId": { "Ref": "MountTargetSubnetTwo" }, "SecurityGroups": [ { "Fn::GetAtt": [ "MountTargetVPC", "DefaultSecurityGroup" ] } ] } }, "MountTargetResource3": { "Type": "AWS::EFS::MountTarget", "Properties": { "FileSystemId": { "Ref": "FileSystemResource" }, "SubnetId": { "Ref": "MountTargetSubnetThree" }, "SecurityGroups": [ { "Fn::GetAtt": [ "MountTargetVPC", "DefaultSecurityGroup" ] } ] } }, "AccessPointResource": { "Type": "AWS::EFS::AccessPoint", "Properties": { "FileSystemId": { "Ref": "FileSystemResource" }, "PosixUser": { "Uid": "13234", "Gid": "1322", "SecondaryGids": [ "1344", "1452" ] }, "RootDirectory": { "CreationInfo": { "OwnerGid": "708798", "OwnerUid": "7987987", "Permissions": "0755" }, "Path": "/testcfn/abc" } } } } }


AWSTemplateFormatVersion: 2010-09-09 Resources: MountTargetVPC: Type: AWS::EC2::VPC Properties: CidrBlock: MountTargetSubnetOne: Type: AWS::EC2::Subnet Properties: CidrBlock: VpcId: !Ref MountTargetVPC AvailabilityZone: "us-east-1a" MountTargetSubnetTwo: Type: AWS::EC2::Subnet Properties: CidrBlock: VpcId: !Ref MountTargetVPC AvailabilityZone: "us-east-1a" MountTargetSubnetThree: Type: AWS::EC2::Subnet Properties: CidrBlock: VpcId: !Ref MountTargetVPC AvailabilityZone: "us-east-1a" FileSystemResource: Type: 'AWS::EFS::FileSystem' Properties: BackupPolicy: Status: ENABLED PerformanceMode: maxIO Encrypted: true LifecyclePolicies: - TransitionToIA: AFTER_30_DAYS FileSystemTags: - Key: Name Value: TestFileSystem FileSystemPolicy: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - "elasticfilesystem:ClientMount" Principal:'arn:aws:iam::111122223333:root' KmsKeyId: !GetAtt - key - Arn key: Type: AWS::KMS::Key Properties: KeyPolicy: Version: 2012-10-17 Id: key-default-1 Statement: - Sid: Allow administration of the key Effect: Allow Principal: AWS: !Join - '' - - 'arn:aws:iam::' - !Ref 'AWS::AccountId' - ':root' Action: - 'kms:*' Resource: '*' AWS: "*" MountTargetResource1: Type: AWS::EFS::MountTarget Properties: FileSystemId: !Ref FileSystemResource SubnetId: !Ref MountTargetSubnetOne SecurityGroups: - !GetAtt MountTargetVPC.DefaultSecurityGroup MountTargetResource2: Type: AWS::EFS::MountTarget Properties: FileSystemId: !Ref FileSystemResource SubnetId: !Ref MountTargetSubnetTwo SecurityGroups: - !GetAtt MountTargetVPC.DefaultSecurityGroup MountTargetResource3: Type: AWS::EFS::MountTarget Properties: FileSystemId: !Ref FileSystemResource SubnetId: !Ref MountTargetSubnetThree SecurityGroups: - !GetAtt MountTargetVPC.DefaultSecurityGroup AccessPointResource: Type: 'AWS::EFS::AccessPoint' Properties: FileSystemId: !Ref FileSystemResource PosixUser: Uid: "13234" Gid: "1322" SecondaryGids: - "1344" - "1452" RootDirectory: CreationInfo: OwnerGid: "708798" OwnerUid: "7987987" Permissions: "0755" Path: "/testcfn/abc"

See also