Using IAM to control file system data access - Amazon Elastic File System

Using IAM to control file system data access

You can use both IAM identity policies and resource policies to control client access to Amazon EFS resources in a way that is scalable and optimized for cloud environments. Using IAM, you can permit clients to perform specific actions on a file system, including read-only, write, and root access. An "allow" permission on an action in either an IAM identity policy or a file system resource policy allows access for that action. The permission does not need to be granted in both an identity and a resource policy.

NFS clients can identify themselves using an IAM role when connecting to an EFS file system. When a client connects to a file system, Amazon EFS evaluates the file system’s IAM resource policy, which is called a file system policy, along with any identity-based IAM policies to determine the appropriate file system access permissions to grant.

When you use IAM authorization for NFS clients, client connections and IAM authorization decisions are logged to AWS CloudTrail. For more information about how to log Amazon EFS API calls with CloudTrail, see Logging Amazon EFS API calls with AWS CloudTrail.


You must use the EFS mount helper to mount your Amazon EFS file systems in order to use IAM authorization to control client access. For more information, see Mounting with IAM authorization.

Default EFS file system policy

The default EFS file system policy does not use IAM to authenticate, and grants full access to any anonymous client that can connect to the file system using a mount target. The default policy is in effect whenever a user-configured file system policy is not in effect, including at file system creation. Whenever the default file system policy is in effect, a DescribeFileSystemPolicy API operation returns a PolicyNotFound response.

EFS actions for clients

You can specify the following actions for clients accessing a file system using a file system policy.

Action Description


Provides read-only access to a file system.


Provides write permissions on a file system.


Provides use of the root user when accessing a file system.

EFS condition keys for clients

To express conditions, you use predefined condition keys. Amazon EFS has the following predefined condition keys for NFS clients. Any other condition keys are not enforced when using IAM controls to secure access to EFS file systems.

EFS Condition Key Description Operator

Use this key to require clients to use TLS when connecting to an EFS file system.


aws:SourceIp Private IP address of the client accessing an EFS file system. String
elasticfilesystem:AccessPointArn ARN of the EFS access point to which the client is connecting. String
elasticfilesystem:AccessedViaMountTarget Use this key to prevent access to an EFS file system by clients that are not using file system mount targets.


File system policy examples

To view examples of Amazon EFS file system policies, see Resource-based policy examples for Amazon Elastic File System.