Using an Amazon EFS file system in another AWS account for a Lambda function - AWS Lambda

Using an Amazon EFS file system in another AWS account for a Lambda function

You can configure a function to mount an Amazon EFS file system in another AWS account. Before you mount the file system, you must ensure the following:

  • VPC peering must be configured, and appropriate routes must be added to the route tables in each VPC.

  • The security group for the Amazon EFS file system you want to mount must be configured to allow inbound access from the security group associated with your Lambda function.

  • Subnets must be created in each VPC with matching Availability Zone (AZ) IDs.

  • DNS Hostnames must be enabled in both VPCs.

For your Lambda function to access an Amazon EFS file system in another AWS account, that file system must also have a file system policy that grants permission to your function. To learn how to create a file system policy, see Creating file system policies in the Amazon Elastic File System User Guide.

The following shows an example policy that gives Lambda functions in a specified account permission to perform all API actions on a file system.

{
  "Version": "2012-10-17",
  "Id": "efs-lambda-policy",
  "Statement": [
    {
      "Sid": "efs-lambda-statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::{LAMBDA-ACCOUNT-ID}:root"
      },
      "Action": "*",
      "Resource": "arn:aws:elasticfilesystem:{REGION}:{ACCOUNT-ID}:file-system/{FILE SYSTEM ID}"
    }
  ]
}

Note

The example policy shown uses the wildcard character ("*") to grant permissions for Lambda functions in the specified AWS account to perform any API operation on the file system. This includes deleting the file system. To limit the operations that other AWS accounts can perform on your file system, specify the actions you want to allow explicitly. For a list of possible API operations, see Actions, resources, and condition keys for Amazon Elastic File System.

To configure cross-account file system mounting, you use the AWS Command Line Interface (AWS CLI) update-function-configuration operation.

To mount a file system in another AWS account, run the following command. Use your own function name and replace the Amazon Resource Name (ARN) with the ARN of the Amazon EFS access point for the file system you want to mount. LocalMountPath is the path where the function can access the file system, starting with /mnt/. Ensure that the Lambda mount path matches the access point path for the filesystem. For example, if the access point is /efs, the Lambda mount path must be /mnt/efs.

aws lambda update-function-configuration --function-name MyFunction \
    --file-system-configs Arn=arn:aws:elasticfilesystem:us-east-1:222222222222:access-point/fsap-01234567,LocalMountPath=/mnt/test
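The following is an added example, not code from the AWS documentation, that puts the two checks from this page into a small pre-deployment script: it audits a file system policy for the over-broad settings the note above warns about (wildcard actions, a whole-account root principal, no TLS or access-point condition) and validates the LocalMountPath and access point ARN values that are passed to update-function-configuration. The account ids, file system id, access point id and role name in it are constructed placeholders; the "scoped" policy shown alongside the page's wildcard policy uses the elasticfilesystem:ClientMount and ClientWrite actions with aws:SecureTransport and elasticfilesystem:AccessPointArn conditions, which are documented EFS actions and condition keys.

```python
import json
import re
from typing import Any, Dict, List

# Constructed sample policies. Account ids, file system id, access point id and
# role name are placeholders made up for this example, not real resources.
WILDCARD_POLICY: Dict[str, Any] = json.loads("""
{
  "Version": "2012-10-17",
  "Id": "efs-lambda-policy",
  "Statement": [{
    "Sid": "efs-lambda-statement",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "*",
    "Resource": "arn:aws:elasticfilesystem:us-east-1:222222222222:file-system/fs-0123abcd"
  }]
}
""")

AP_ARN = "arn:aws:elasticfilesystem:us-east-1:222222222222:access-point/fsap-01234567"

# Least-privilege variant: only the client mount/write actions, only the
# function's execution role, only through one access point, TLS required.
SCOPED_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Id": "efs-lambda-policy-scoped",
    "Statement": [{
        "Sid": "efs-lambda-role-via-access-point",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/MyFunction-role"},
        "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
        "Resource": "arn:aws:elasticfilesystem:us-east-1:222222222222:file-system/fs-0123abcd",
        "Condition": {
            "Bool": {"aws:SecureTransport": "true"},
            "StringEquals": {"elasticfilesystem:AccessPointArn": AP_ARN},
        },
    }],
}

ACCESS_POINT_ARN_RE = re.compile(
    r"^arn:aws:elasticfilesystem:[a-z0-9-]+:\d{12}:access-point/fsap-[0-9a-f]+$"
)


def _as_list(value: Any) -> List[Any]:
    """IAM lets single-valued fields be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_efs_policy(policy: Dict[str, Any]) -> List[str]:
    """Return one finding per over-broad setting in each Allow statement.
    An empty list means the policy is scoped the way a Lambda mount needs."""
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")

        actions = _as_list(stmt.get("Action", []))
        if any(a in ("*", "elasticfilesystem:*") for a in actions):
            findings.append(f"{sid}: wildcard Action allows every EFS API call, including DeleteFileSystem")

        principal = stmt.get("Principal", {})
        if principal == "*" or principal.get("AWS") == "*":
            findings.append(f"{sid}: Principal '*' makes the file system reachable from any account")
        else:
            for arn in _as_list(principal.get("AWS", [])):
                if arn.endswith(":root"):
                    findings.append(f"{sid}: {arn} trusts the whole account; use the function's execution role")

        # Collect every condition key regardless of operator (Bool, StringEquals, ...).
        condition_keys = {k for op in stmt.get("Condition", {}).values() for k in op}
        if "aws:SecureTransport" not in condition_keys:
            findings.append(f"{sid}: no aws:SecureTransport condition, so unencrypted mounts are allowed")
        if "elasticfilesystem:AccessPointArn" not in condition_keys:
            findings.append(f"{sid}: not restricted to an access point; any access path on the file system works")
    return findings


def check_mount_config(access_point_path: str, local_mount_path: str, access_point_arn: str) -> List[str]:
    """Validate the Arn=...,LocalMountPath=... values for update-function-configuration:
    the mount path must live under /mnt/ and mirror the access point path (/efs -> /mnt/efs)."""
    findings: List[str] = []
    if not ACCESS_POINT_ARN_RE.match(access_point_arn):
        findings.append(f"{access_point_arn}: not an EFS access point ARN (expected ...:access-point/fsap-...)")
    if not local_mount_path.startswith("/mnt/"):
        findings.append(f"{local_mount_path}: LocalMountPath must start with /mnt/")
    expected = "/mnt/" + access_point_path.strip("/")
    if local_mount_path != expected:
        findings.append(f"{local_mount_path}: does not mirror access point path {access_point_path} (expected {expected})")
    return findings


if __name__ == "__main__":
    for name, pol in (("wildcard", WILDCARD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_efs_policy(pol) or "OK")
    print(check_mount_config("/efs", "/mnt/test", AP_ARN))
```

Run against the page's own wildcard policy the audit reports four findings, one per setting that the note recommends tightening; the scoped variant reports none. The mount check is deliberately strict about the /mnt/ prefix and the path mirroring because a mismatch there surfaces only at invocation time as a mount failure.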