Configuring AWS DataSync transfers with Amazon EFS
To transfer data to or from your Amazon EFS file system, you must create an AWS DataSync transfer location. DataSync can use this location as a source or destination for transferring data.
Accessing Amazon EFS file systems
DataSync mounts your Amazon EFS file system as the root user from your virtual private cloud (VPC) using network interfaces.
When creating your location, you specify the subnet and security groups that DataSync uses to connect to one of your Amazon EFS file system's mount targets or access points using Network File System (NFS) port 2049.
DataSync can also mount Amazon EFS file systems configured for restricted access. For example, you can specify an AWS Identity and Access Management (IAM) role that gives DataSync the necessary level of permission to connect to your file system. For more information, see Using IAM policies to access your Amazon EFS file system.
Considerations with Amazon EFS transfers
Think about the following when transferring to or from an Amazon EFS file system with DataSync:
- VPCs that you use with DataSync must have default tenancy. VPCs with dedicated tenancy are not supported. For more information, see Work with VPCs.
- Your Amazon EFS file system's throughput mode can affect transfer duration and file system performance during the transfer. Consider the following:
  - For best results, we recommend using Elastic throughput mode (which is also the default throughput mode for your file system). If you don't use Elastic throughput mode, your transfer might take longer.
  - If you use Bursting throughput mode, the performance of your file system's applications might be affected because DataSync consumes file system burst credits.
  For more information, see Amazon EFS performance in the Amazon Elastic File System User Guide.
- Learn about Amazon EFS pricing.
Creating your Amazon EFS transfer location
To create the transfer location, you need an existing Amazon EFS file system. If you don't have one, see Getting started with Amazon Elastic File System in the Amazon Elastic File System User Guide.
To create an Amazon EFS location by using the console
1. Open the AWS DataSync console at https://console.aws.amazon.com/datasync/.
2. In the left navigation pane, expand Data transfer, then choose Locations and Create location.
3. For Location type, choose Amazon EFS file system.
   You configure this location as a source or destination later.
4. For File system, choose the Amazon EFS file system that you want to use as a location.
5. For Mount path, enter a mount path for your Amazon EFS file system.
   This specifies where DataSync reads or writes data (depending on whether this is a source or destination location).
   By default, DataSync uses the root directory (or access point if you configure one). You can also specify subdirectories using forward slashes (for example, /path/to/directory).
6. For Subnet, choose a subnet where DataSync creates the network interfaces for managing traffic during your transfer.
   The subnet must be located:
   - In the same VPC as the Amazon EFS file system.
   - In the same Availability Zone as at least one file system mount target.
   Note
   You don't need to specify a subnet that includes a file system mount target.
7. For Security groups, choose the security groups associated with an Amazon EFS file system's mount target.
   Note
   The security groups that you specify must allow inbound traffic on NFS port 2049. For more information, see Using VPC security groups for Amazon EC2 instances and mount targets in the Amazon Elastic File System User Guide.
8. For In-transit encryption, choose whether you want DataSync to use Transport Layer Security (TLS) encryption when it copies data to or from your file system.
   Note
   You must enable this setting if you want to configure an access point, IAM role, or both with your location.
9. (Optional) For EFS access point, choose an access point that DataSync can use to mount your Amazon EFS file system.
10. (Optional) For IAM role, specify a role that allows DataSync to access your file system.
    For information on creating this role, see Using IAM policies to access your Amazon EFS file system.
11. (Optional) Select Add tag to tag your file system.
    A tag is a key-value pair that helps you manage, filter, and search for your locations.
12. Choose Create location.
Using IAM policies to access your Amazon EFS file system
You can configure your Amazon EFS file system with a higher level of security by using IAM policies. In your file system policy, you can specify an IAM role that still allows DataSync to connect with the file system.
Note
To use an IAM role, you must enable TLS for in-transit encryption when creating a DataSync location for your file system.
For more information, see Using IAM to control file system data access in the Amazon Elastic File System User Guide.
Creating an IAM role for DataSync
Create a role with DataSync as the trusted entity.
To create the IAM role
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. In the left navigation pane, under Access management, choose Roles, and then choose Create role.
3. On the Select trusted entity page, for Trusted entity type, choose Custom trust policy.
4. Paste the following JSON into the policy editor:
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Service": "datasync.amazonaws.com"
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }
5. Choose Next. On the Add permissions page, choose Next.
6. Give your role a name and choose Create role.
   Specify this role when creating the location for your Amazon EFS file system.
Example Amazon EFS file system policy
The following sample IAM policy includes elements that help restrict access to an Amazon EFS file system (identified in the policy as fs-1234567890abcdef0):
- Principal: Specifies an IAM role that gives DataSync permission to connect to the file system.
- Action: Gives DataSync root access and allows it to read from and write to the file system.
- aws:SecureTransport: Requires NFS clients to use TLS when connecting to the file system.
- elasticfilesystem:AccessPointArn: Allows access to the file system only through a specific access point.
{
  "Version": "2012-10-17",
  "Id": "ExampleEFSFileSystemPolicy",
  "Statement": [
    {
      "Sid": "AccessEFSFileSystem",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/MyDataSyncRole"
      },
      "Action": [
        "elasticfilesystem:ClientMount",
        "elasticfilesystem:ClientWrite",
        "elasticfilesystem:ClientRootAccess"
      ],
      "Resource": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-1234567890abcdef0",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        },
        "StringEquals": {
          "elasticfilesystem:AccessPointArn": "arn:aws:elasticfilesystem:us-east-1:111122223333:access-point/fsap-abcdef01234567890"
        }
      }
    }
  ]
}
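As an added example (not part of the AWS documentation), the following Python audit helper checks that an EFS file system policy keeps the four restrictions the sample policy above relies on: a specific IAM role as the only principal, no wildcard actions, TLS required through aws:SecureTransport, and access limited to one access point. The function name audit_efs_policy is hypothetical; the policy documents are constructed inline using the page's placeholder account, role, file system and access point IDs.

```python
# Hypothetical audit helper (not AWS code): checks an EFS file system policy
# for the restrictions the example policy above relies on.
def audit_efs_policy(policy: dict) -> list[str]:
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        principals = aws if isinstance(aws, list) else [aws]
        if any(p in ("*", None) for p in principals):
            findings.append(f"{sid}: Principal is not limited to a specific IAM role")
        cond = stmt.get("Condition", {})
        if str(cond.get("Bool", {}).get("aws:SecureTransport")).lower() != "true":
            findings.append(f"{sid}: aws:SecureTransport not required, so TLS is optional")
        if not cond.get("StringEquals", {}).get("elasticfilesystem:AccessPointArn"):
            findings.append(f"{sid}: no elasticfilesystem:AccessPointArn condition")
        actions = stmt.get("Action", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
    return findings

# Constructed sample: the file system policy shown on this page (placeholder IDs).
STRICT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AccessEFSFileSystem",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/MyDataSyncRole"},
        "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite",
                   "elasticfilesystem:ClientRootAccess"],
        "Resource": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-1234567890abcdef0",
        "Condition": {
            "Bool": {"aws:SecureTransport": "true"},
            "StringEquals": {"elasticfilesystem:AccessPointArn":
                "arn:aws:elasticfilesystem:us-east-1:111122223333:access-point/fsap-abcdef01234567890"},
        },
    }],
}

# Constructed weak variant: any principal, wildcard actions, no TLS or access point condition.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Open", "Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "elasticfilesystem:*",
                   "Resource": STRICT_POLICY["Statement"][0]["Resource"]}],
}
```

Calling audit_efs_policy(STRICT_POLICY) returns an empty list, while audit_efs_policy(OPEN_POLICY) returns one finding per missing restriction, which is a quick way to review a policy before attaching it with the EFS console or API.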