Security - AWS Storage Services Overview


There are three levels of access control to consider when planning your EFS file system security: IAM permissions for API calls; security groups for EC2 instances and mount targets; and Network File System-level users, groups, and permissions.

IAM enables access control for administering EFS file systems, allowing you to specify an IAM identity (either an IAM user or IAM role) so you can create, delete, and describe EFS file system resources. The primary resource in Amazon EFS is a file system. All other EFS resources, such as mount targets and tags, are referred to as subresources. Identity-based policies, like IAM policies, are used to assign permissions to IAM identities to manage the EFS resources and subresources.

Security groups play a critical role in establishing network connectivity between EC2 instances and EFS file systems. You associate one security group with an EC2 instance and another security group with an EFS mount target associated with the file system. These security groups act as firewalls and enforce rules that define the traffic flow between EC2 instances and EFS file systems.
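The security-group layer above is easy to get wrong in practice: the mount target's group should admit NFS (TCP/2049) only from the security group attached to the instances that are meant to mount the file system, not from a CIDR range and never from 0.0.0.0/0. The following is an added example, not code from the AWS documentation, that audits a mount-target security group against that expectation. It takes input shaped like the EC2 `DescribeSecurityGroups` response (`IpPermissions`, `UserIdGroupPairs`, `IpRanges`, `Ipv6Ranges`); every group id and CIDR in it is a constructed sample, and the function names are the example's own.

```python
"""Added example: audit the inbound rules of an EFS mount-target security group.

Input is shaped like the EC2 DescribeSecurityGroups response (IpPermissions,
UserIdGroupPairs, IpRanges, Ipv6Ranges). All group ids and CIDRs below are
constructed for illustration and do not belong to a real account."""

NFS_PORT = 2049  # EFS is mounted over NFS, which listens on TCP/2049


def rule_reaches_nfs(rule):
    """True if this inbound rule lets traffic reach TCP/2049 at all."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # an 'all traffic' rule covers NFS too
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= NFS_PORT <= rule.get("ToPort", 65535)


def audit_mount_target_sg(sg, instance_sg_ids):
    """Return a list of findings for one mount-target security group.

    Expectation (the model described in the text): NFS traffic is allowed
    only on TCP/2049, and only from the security group(s) attached to the
    EC2 instances that should mount the file system.
    """
    gid = sg["GroupId"]
    findings = []
    from_instance_sg = False
    for rule in sg.get("IpPermissions", []):
        if not rule_reaches_nfs(rule):
            continue  # unrelated rule; out of scope for this check
        too_broad = rule.get("IpProtocol") == "-1" or \
            (rule.get("FromPort"), rule.get("ToPort")) != (NFS_PORT, NFS_PORT)
        if too_broad:
            findings.append(f"{gid}: rule exposing NFS is broader than TCP/2049 alone")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair["GroupId"] in instance_sg_ids:
                from_instance_sg = True
            else:
                findings.append(f"{gid}: TCP/2049 reachable from unexpected security group {pair['GroupId']}")
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])] + \
            [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in ("0.0.0.0/0", "::/0"):
                findings.append(f"{gid}: TCP/2049 open to the internet ({cidr})")
            else:
                findings.append(f"{gid}: TCP/2049 allowed from CIDR {cidr}; prefer referencing the instance security group")
    if not from_instance_sg:
        findings.append(f"{gid}: no TCP/2049 rule from an instance security group; those instances cannot mount")
    return findings


# Constructed sample groups (hypothetical ids).
INSTANCE_SG = "sg-0aaa000000000001"

GOOD_MOUNT_TARGET_SG = {
    "GroupId": "sg-0bbb000000000002",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": NFS_PORT, "ToPort": NFS_PORT,
         "UserIdGroupPairs": [{"GroupId": INSTANCE_SG}], "IpRanges": [], "Ipv6Ranges": []},
    ],
}

BAD_MOUNT_TARGET_SG = {
    "GroupId": "sg-0ccc000000000003",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    for sg in (GOOD_MOUNT_TARGET_SG, BAD_MOUNT_TARGET_SG):
        print(sg["GroupId"], audit_mount_target_sg(sg, {INSTANCE_SG}) or ["ok"])
```

Run against real data, the dictionaries would come from `describe-security-groups` for the groups attached to each mount target; the check deliberately ignores rules that cannot reach port 2049, so a group that also serves other purposes is not flagged for unrelated rules.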

EFS file system objects work in a Unix-style mode, which defines the permissions needed to perform actions on objects. Users and groups are mapped to numeric identifiers (UIDs and GIDs), which EFS uses to represent file ownership. Files and directories within Amazon EFS are owned by a single owner and a single group. Amazon EFS uses these numeric IDs to check permissions when a user attempts to access a file system object.
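The third layer is the ordinary Unix permission model evaluated on numeric IDs, and a detail that often surprises people is that only one class of bits is ever consulted: the owner bits if the caller's UID matches, else the group bits if the file's GID is among the caller's groups, else the other bits. The following added example (not code from AWS) models that evaluation; the UID/GID values are constructed samples, the function names are the example's own, and root, POSIX ACLs and EFS access points are deliberately not modeled.

```python
"""Added example: evaluate a Unix-style permission check the way a
file system does it, from numeric uid/gid and the object's mode bits.
The uid/gid values below are constructed samples; root, ACLs and EFS
access points are deliberately not modeled."""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_mode(text):
    """Turn an ls-style permission string such as 'rw-r-----' into mode bits (0o640)."""
    if len(text) != 9:
        raise ValueError("expected nine characters like rwxr-x---")
    mode = 0
    for i, ch in enumerate(text):
        expected = "rwx"[i % 3]
        if ch == expected:
            mode |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} at position {i}")
    return mode


def may_access(uid, gids, owner_uid, owner_gid, mode, want):
    """Return True if a process with `uid` and group set `gids` may perform
    every operation in `want` ('r', 'w', 'x' in any combination).

    Exactly one class of bits is consulted: owner if uid matches, otherwise
    group if the file's gid is among the caller's groups, otherwise other.
    An owner denied by the owner bits is not rescued by more permissive
    group or other bits.
    """
    if uid == owner_uid:
        bits = (mode >> 6) & 0o7
    elif owner_gid in gids:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return all(bits & PERM_BITS[p] for p in want)


if __name__ == "__main__":
    mode = parse_mode("rw-r-----")  # owner rw, group r, other nothing
    print(may_access(1001, {1001}, 1001, 2000, mode, "rw"))  # owner: True
    print(may_access(1002, {2000}, 1001, 2000, mode, "w"))   # group member: False
    print(may_access(1003, {3000}, 1001, 2000, mode, "r"))   # other: False
```

Because the check is purely numeric, a UID that exists on one EC2 instance with one meaning and on another instance with a different meaning is the same owner to EFS; keeping UID/GID assignment consistent across every client that mounts the file system is what makes these bits enforce what you intend.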

For more information about Amazon EFS security, see the Amazon EFS User Guide.