Amazon Elastic File System
User Guide


Modifies the set of security groups in effect for a mount target.

When you create a mount target, Amazon EFS also creates a new network interface. For more information, see CreateMountTarget. This operation replaces the security groups in effect for the network interface associated with a mount target, with the SecurityGroups provided in the request. This operation requires that the network interface of the mount target has been created and the lifecycle state of the mount target is not deleted.

The operation requires permissions for the following actions:

  • elasticfilesystem:ModifyMountTargetSecurityGroups action on the mount target's file system.

  • ec2:ModifyNetworkInterfaceAttribute action on the mount target's network interface.

Request Syntax

PUT /2015-02-01/mount-targets/MountTargetId/security-groups HTTP/1.1 Content-type: application/json { "SecurityGroups": [ "string" ] }

URI Request Parameters

The request requires the following URI parameters.


The ID of the mount target whose security groups you want to modify.

Request Body

The request accepts the following data in JSON format.


An array of up to five VPC security group IDs.

Type: Array of strings

Array Members: Maximum number of 5 items.

Required: No

Response Syntax

HTTP/1.1 204

Response Elements

If the action is successful, the service sends back an HTTP 204 response with an empty HTTP body.



Returned if the request is malformed or contains an error such as an invalid parameter value or a missing required parameter.

HTTP Status Code: 400


Returned if the mount target is not in the correct state for the operation.

HTTP Status Code: 409


Returned if an error occurred on the server side.

HTTP Status Code: 500


Returned if there is no mount target with the specified ID found in the caller's account.

HTTP Status Code: 404


Returned if the size of SecurityGroups specified in the request is greater than five.

HTTP Status Code: 400


Returned if one of the specified security groups doesn't exist in the subnet's VPC.

HTTP Status Code: 400


Replace a mount target's security groups

The following example replaces security groups in effect for the network interface associated with a mount target.

Sample Request

PUT /2015-02-01/mount-targets/fsmt-9a13661e/security-groups HTTP/1.1 Host: x-amz-date: 20140620T223446Z Authorization: <...> Content-Type: application/json Content-Length: 57 { "SecurityGroups" : [ "sg-188d9f74" ] }

Sample Response

HTTP/1.1 204 No Content x-amzn-RequestId: 088fb0b4-0c1d-4af7-9de1-933207fbdb46

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: