Creating security groups - Amazon Elastic File System

Creating security groups

Both an Amazon EC2 instance and a mount target have associated security groups. These security groups act as a virtual firewall that controls the traffic between them. If you don't provide a security group when creating a mount target, Amazon EFS associates the default security group of the VPC with it.

Regardless, to enable traffic between an EC2 instance and a mount target (and thus the file system), you must configure the following rules in these security groups:

  • The security groups that you associate with a mount target must allow inbound access for the TCP protocol on the NFS port from all EC2 instances on which you want to mount the file system.

  • Each EC2 instance that mounts the file system must have a security group that allows outbound access to the mount target on the NFS port.

To change the security groups associated with your EFS file system's mount targets, see Managing mount targets.

For more information about security groups, see Amazon EC2 security groups for Linux instances in the Amazon EC2 User Guide.


The following section is specific to Amazon EC2 and discusses how to create security groups so that you can use Secure Shell (SSH) to connect to any instances that have mounted Amazon EFS file systems. If you're not using SSH to connect to your Amazon EC2 instances, you can skip this section.

You can use the AWS Management Console to create security groups in your VPC. To connect your Amazon EFS file system to your Amazon EC2 instance, you must create two security groups: one for your Amazon EC2 instance and another for your Amazon EFS mount target.

  1. Create two security groups in your VPC. For instructions, see Create a security group in the Amazon VPC User Guide.

  2. In the VPC console, verify the default rules for these security groups. Both security groups should have only an outbound rule that allows traffic to leave.

  3. You must authorize additional access to the security groups as follows:

    1. Add a rule to the EC2 security group to allow SSH access to the instance on port 22 as shown following. This is useful if you're planning on using an SSH client like PuTTY to connect to and administer your EC2 instance through a terminal interface. Optionally, you can restrict the Source address.

      For instructions, see Add rules to a security group in the Amazon VPC User Guide.

    2. Add a rule to the mount target security group to allow inbound access from the EC2 security group on TCP port 2049. The security group assigned as the Source is the security group associated with the EC2 instance.

      To view the security groups associated with your file system's mount targets, in the EFS console, choose the Network tab in the File system details page. For more information, see Managing mount targets.


    You don't need to add an outbound rule because the default outbound rule allows all traffic to leave. (If you remove the default outbound rule, you must add an outbound rule to open a TCP connection on the NFS port, and identify the mount target security group as the destination.)

  4. Verify that both security groups now authorize inbound and outbound access as described in this section.
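
One way to carry out the verification in step 4 offline, as an added example that is not part of the AWS documentation: a Python check over data in the shape returned by `aws ec2 describe-security-groups`. The group IDs, sample rules, and function names are constructed for illustration.

```python
NFS_PORT, SSH_PORT = 2049, 22
ALL_OUT = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]  # default egress rule

def covers(perm, port):
    # "-1" means all protocols and ports; otherwise match the TCP port range.
    proto = perm["IpProtocol"]
    return proto == "-1" or (proto == "tcp" and perm["FromPort"] <= port <= perm["ToPort"])

def open_to_world(perm):
    return (any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", [])))

def from_group(perm, group_id):
    return any(p["GroupId"] == group_id for p in perm.get("UserIdGroupPairs", []))

def audit(groups, ec2_sg, mt_sg):
    """Return findings; an empty list means the rules match the procedure above."""
    sg = {g["GroupId"]: g for g in groups}
    nfs_in = [p for p in sg[mt_sg]["IpPermissions"] if covers(p, NFS_PORT)]
    nfs_out = [p for p in sg[ec2_sg]["IpPermissionsEgress"] if covers(p, NFS_PORT)]
    ssh_in = [p for p in sg[ec2_sg]["IpPermissions"] if covers(p, SSH_PORT)]
    findings = []
    if not any(from_group(p, ec2_sg) for p in nfs_in):
        findings.append(f"{mt_sg}: no inbound TCP {NFS_PORT} rule with source {ec2_sg}")
    if any(open_to_world(p) for p in nfs_in):
        findings.append(f"{mt_sg}: TCP {NFS_PORT} open to any address")
    # Egress limited to a narrower CIDR is reported too: mount target IPs are unknown here.
    if not any(open_to_world(p) or from_group(p, mt_sg) for p in nfs_out):
        findings.append(f"{ec2_sg}: no outbound TCP {NFS_PORT} rule to {mt_sg} or any address")
    if any(open_to_world(p) for p in ssh_in):
        findings.append(f"{ec2_sg}: SSH open to any address; Source can be restricted")
    return findings

# Constructed sample data in describe-security-groups shape; IDs are placeholders.
EC2, MT = "sg-ec2-example", "sg-mt-example"
def sample(ssh_cidr, nfs_src, egress):
    tcp = lambda port, **src: {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, **src}
    return [
        {"GroupId": EC2, "IpPermissionsEgress": egress,
         "IpPermissions": [tcp(SSH_PORT, IpRanges=[{"CidrIp": ssh_cidr}])]},
        {"GroupId": MT, "IpPermissionsEgress": ALL_OUT,
         "IpPermissions": [tcp(NFS_PORT, **nfs_src)]},
    ]

GOOD = sample("203.0.113.0/24", {"UserIdGroupPairs": [{"GroupId": EC2}]}, ALL_OUT)
BAD = sample("0.0.0.0/0", {"IpRanges": [{"CidrIp": "0.0.0.0/0"}]}, [])

if __name__ == "__main__":
    print(audit(GOOD, EC2, MT), audit(BAD, EC2, MT), sep="\n")
```

To run it against a real VPC, pass the `SecurityGroups` list from the CLI's JSON output as `groups`, along with the two group IDs.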

For an example that shows how to create security groups by using the AWS CLI, see Step 1: Create EC2 resources.