Mounting EFS file systems using the EFS mount helper - Amazon Elastic File System

Mounting EFS file systems using the EFS mount helper

The EFS mount helper is part of the amazon-efs-utils package. The amazon-efs-utils package is an open-source collection of Amazon EFS tools. For more information, see Manually installing the Amazon EFS client. The EFS mount helper helps you mount your EFS file systems on your EC2 Linux and Mac instances running the supported distributions listed in About the Amazon EFS client.


Amazon EFS does not support mounting from Amazon EC2 Windows instances.

Alternatively, you can mount your EFS file systems using the standard Linux NFS client. For more information, see Using Network File System to mount EFS file systems.

How the EFS mount helper works

The mount helper defines a new network file system type, called efs, which is fully compatible with the standard mount command in Linux. The mount helper also supports mounting an Amazon EFS file system at instance boot time automatically by using entries in the /etc/fstab configuration file on EC2 Linux instances.


Use the _netdev option, used to identify network file systems, when mounting your file system automatically. If _netdev is missing, your EC2 instance might stop responding. This result is because network file systems need to be initialized after the compute instance starts its networking. For more information, see Automatic mounting fails and the instance is unresponsive.

You can mount a file system by specifying one of the following properties:

  • File system DNS name – If you use the file system DNS name, and the mount helper cannot resolve it, for example when you are mounting a file system in a different VPC, it will fall back to using the mount target IP address. For more information, see Mounting EFS file systems from another AWS account or VPC.

  • File system ID – If you use the file system ID, the mount helper resolves it to the local IP address of the mount target elastic network interface (ENI) without calling external resources.

  • Mount target IP address – You can use the IP address of one of the file systems mount targets.

You can find the value for all of these properties in the Amazon EFS console. The file system DNS name is found in the Attach screen.

When encryption of data in transit is declared as a mount option for your Amazon EFS file system, the mount helper initializes a client stunnel process, and a supervisor process called amazon-efs-mount-watchdog. The amazon-efs-mount-watchdog process monitors the health of TLS mounts, and is started automatically the first time an EFS file system is mounted over TLS. If your client is running on Linux, this process is managed by either upstart or systemd depending on your Linux distribution. For clients running on a supported macOS, it is managed by launchd.

Stunnel is an open-source multipurpose network relay. The client stunnel process listens on a local port for inbound traffic, and the mount helper redirects NFS client traffic to this local port.

The mount helper uses TLS version 1.2 to communicate with your file system. Using TLS requires certificates, and these certificates are signed by a trusted Amazon Certificate Authority. For more information on how encryption works, see Encrypting data in Amazon EFS.

Mount settings used by EFS mount helper

The Amazon EFS mount helper client uses the following mount options that are optimized for Amazon EFS:

  • nfsvers=4.1 – used when mounting on EC2 Linux instances

    nfsvers=4.0 – used when mounting on supported EC2 Mac instances running macOS Big Sur, Monterey, and Ventura

  • rsize=1048576 – Sets the maximum number of bytes of data that the NFS client can receive for each network READ request to 1048576, the largest available, to avoid diminished performance.

  • wsize=1048576 – Sets the maximum number of bytes of data that the NFS client can send for each network WRITE request to 1048576, the largest available, to avoid diminished performance.

  • hard – Sets the recovery behavior of the NFS client after an NFS request times out, so that NFS requests are retried indefinitely until the server replies, to ensure data integrity.

  • timeo=600 – Sets the timeout value that the NFS client uses to wait for a response before it retries an NFS request to 600 deciseconds (60 seconds) to avoid diminished performance.

  • retrans=2 – Sets to 2 the number of times the NFS client retries a request before it attempts further recovery action.

  • noresvport – Tells the NFS client to use a new non-privileged Transmission Control Protocol (TCP) source port when a network connection is reestablished. Using the noresvport option helps to ensure that your EFS file system has uninterrupted availability after a reconnection or network recovery event.

  • mountport=2049 – only used when mounting on EC2 Mac instances running macOS Big Sur, Monterey, and Ventura.