Amazon EFS access points are application-specific entry points into an EFS file system that make it easier to manage application access to shared datasets. Access points can enforce a user identity, including the user's POSIX groups, for all file system requests that are made through the access point. Access points can also enforce a different root directory for the file system so that clients can only access data in the specified directory or its subdirectories. For more information on creating an access point, see Creating and deleting access points.
Here's a breakdown of what they are and how they work:
User and Application File System Entry: Access Points are application-specific entry points into an EFS file system that make it easier to manage file system access for different users and applications.
Fine-grained Access Control: By configuring Access Points, you can implement a least privilege access model where you precisely tailor permissions for different applications or users, limiting them to a specific directory within your file system.
Root Directory Specification: Each Access Point can be associated with a specific directory in your EFS file system. You can either use an existing directory or give the access point creation info (owner UID, owner GID and permissions), in which case EFS creates the directory the first time a client connects through the access point. If the path does not exist and no creation info is given, mounts through the access point fail.
Operating System User and Group: When you create an Access Point, you can specify a POSIX user (UID, GID and optionally secondary GIDs). EFS applies this identity to every request made through the access point, overriding whatever UID and GID the NFS client presents, including root on the client. Applications accessing the file system through the Access Point therefore have exactly the file system permissions of the specified user and group.
Simplified Management and Segregation: Access Points can segregate the data access for different applications or users, which simplifies the process of managing data for multi-application access or multi-tenant environments.
Integration with AWS Identity and Access Management (IAM): You can combine Access Points with IAM policies to enforce a per-principal permissions model, ensuring that principals can only use the file system through the Access Points they are allowed to use. The enforcement point is the EFS file system policy: an Allow statement with a condition on the elasticfilesystem:AccessPointArn key restricts a role to one access point. Without such a policy, choosing an access point is purely a client-side decision; any client that can reach a mount target can mount the file system root directly and bypass the root directory and identity overrides.
Use Cases: Some typical use cases for Access Points include providing applications with access to a specific directory, creating a writable directory for a Lambda function without affecting the rest of the EFS file system, and implementing a multi-user environment where each user has access to their own directory within the EFS.
EFS Access Points help in organizing and managing access to shared datasets on EFS file systems, especially in environments where multiple users or applications need different levels of access.
Tutorial: Create an Amazon EFS Access Point
Step 1: Set up an AWS Account
Make sure you have an AWS account. If you do not have one, you can sign up for an AWS account on the Amazon Web Services website.
Step 2: Create an EFS File System
Log in to the AWS Management Console and open the Amazon EFS console.
Choose Create file system.
Follow the prompts to configure your file system settings, such as VPC and availability zones. Leave the default settings if you are unsure.
Review and create the file system.
Step 3: Create an EFS Access Point
In the EFS Console, select the file system you created.
Go to the Access Points section and click Create Access Point.
Fill out the details:
Name: Give your access point a name.
Root directory path: Specify the path where the access point will point to in your EFS file system.
POSIX user: Set the user ID and group ID (and optionally secondary group IDs) that will be applied to all file system requests made through the access point.
Root directory creation permissions: Set the owner UID, owner GID and POSIX permissions (for example 0755) that EFS applies when it creates the root directory on first mount. This is required if the directory does not already exist.
Optionally, set the Access Point Tags if needed for organizational purposes.
Click Create Access Point.
Step 4: Configure IAM Policy
Open the IAM Console.
Create an IAM policy that grants elasticfilesystem:ClientMount and elasticfilesystem:ClientWrite on the file system, using the AmazonElasticFileSystemClientReadWriteAccess managed policy as a template, and attach it to the IAM role or user that will be using the access point.
To restrict that principal to this access point, add a condition on elasticfilesystem:AccessPointArn that matches the access point's ARN (shown on the access point's detail page). The identity policy only constrains that one principal; to keep other clients from mounting the file system root directly, also attach a file system policy to the file system (File system policy tab in the EFS console) that allows access only through the access point ARN. IAM conditions are evaluated only when the client mounts with the iam option (Step 5).
Step 5: Mount the File System via the Access Point
Launch an EC2 instance or use an existing one where you want to mount the EFS file system.
Ensure that the EC2 instance is in the same VPC as your EFS file system and has the necessary security group settings to allow NFS traffic.
💡Configuration of the required security group can be found here: Get started with Amazon Elastic File System. In short, the security group on the file system's mount targets must allow inbound TCP port 2049 (NFS) from the instance's security group.
Install the Amazon EFS client if it's not already installed.
sudo yum install -y amazon-efs-utils
Use the mount command to mount the file system using the access point.
sudo mount -t efs -o tls,accesspoint=<ACCESS_POINT_ID> <FILE_SYSTEM_ID> /mnt/efs
Replace <ACCESS_POINT_ID> with your actual access point ID and <FILE_SYSTEM_ID> with your EFS file system ID. The tls option encrypts the NFS traffic in transit. If you want the IAM policy from Step 4 to be enforced, add the iam option (for example -o tls,iam,accesspoint=<ACCESS_POINT_ID>) so that the EFS client authenticates with the instance's IAM role; without it the client mounts anonymously and only the access point's own restrictions apply.
Step 6: Test the Access Point
Once mounted, change to the directory where you mounted the EFS.
cd /mnt/efs
Try creating a file or directory to make sure the permissions and user/group ownership are as expected.
touch testfile
mkdir testdir
List the files with ls -l to view the ownership and permissions. The owner should be the UID and GID configured on the access point, even though you ran the commands as root on the instance; if the files show up as root, the mount did not go through the access point.
Step 7: Clean Up
After testing, you may want to clean up to avoid incurring unnecessary charges:
Unmount the file system on your EC2 instance.
sudo umount /mnt/efs
Delete the access point from the EFS console.
If you created the file system just for this test, delete the file system as well.
Terminate any EC2 instances you no longer need.
Remember to replace placeholders with the actual IDs and paths relevant to your AWS setup. Also, keep in mind that AWS services are region-specific, so ensure that all resources are in the same region.
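The whole procedure from Step 3 to Step 7, as one script, is an added example and not part of the original tutorial or of AWS's own material. It also serves the IAM integration point in the overview above, by showing the file system policy that ties a role to the access point ARN. The identifiers are placeholders (file system fs-0123456789abcdef0, role app-role in account 123456789012, root directory /app, UID and GID 1001, mount point /mnt/efs), and it assumes the AWS CLI, efs-utils and GNU coreutils on an Amazon Linux instance whose credentials may manage EFS. By default the script only defines functions; set EFS_RUN=1 to run it against your account.

```shell
#!/bin/sh
# Added example (not from the tutorial): Steps 3 to 7 driven from the AWS CLI
# and efs-utils. Assumed placeholders: file system fs-0123456789abcdef0, role
# arn:aws:iam::123456789012:role/app-role, root directory /app, UID/GID 1001.
set -eu

# Step 3: create an access point that pins the identity to uid:gid and the
# root to path, creating the directory on first mount with mode 0750.
create_access_point() {
  fs_id=$1; path=$2; uid=$3; gid=$4; name=$5
  aws efs create-access-point \
    --file-system-id "$fs_id" \
    --posix-user "Uid=$uid,Gid=$gid" \
    --root-directory "Path=$path,CreationInfo={OwnerUid=$uid,OwnerGid=$gid,Permissions=0750}" \
    --tags "Key=Name,Value=$name" \
    --query AccessPointId --output text
}

file_system_arn() {
  aws efs describe-file-systems --file-system-id "$1" \
    --query 'FileSystems[0].FileSystemArn' --output text
}

access_point_arn() {
  aws efs describe-access-points --access-point-id "$1" \
    --query 'AccessPoints[0].AccessPointArn' --output text
}

# Step 4: the file system policy. It allows the role to mount and write only
# when the request arrives through the access point, and denies everyone
# unencrypted transport. No AWS call here; it just prints the JSON document.
file_system_policy() {
  fs_arn=$1; ap_arn=$2; role_arn=$3
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRoleOnlyViaAccessPoint",
      "Effect": "Allow",
      "Principal": { "AWS": "$role_arn" },
      "Action": [ "elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite" ],
      "Resource": "$fs_arn",
      "Condition": {
        "StringEquals": { "elasticfilesystem:AccessPointArn": "$ap_arn" },
        "Bool": { "elasticfilesystem:AccessedViaMountTarget": "true" }
      }
    },
    {
      "Sid": "DenyUnencryptedTransport",
      "Effect": "Deny",
      "Principal": { "AWS": "*" },
      "Action": "*",
      "Resource": "$fs_arn",
      "Condition": { "Bool": { "aws:SecureTransport": "false" } }
    }
  ]
}
EOF
}

put_policy() {
  aws efs put-file-system-policy --file-system-id "$1" \
    --policy "$(file_system_policy "$2" "$3" "$4")"
}

# Step 5: tls so the policy's transport check passes, iam so the policy is
# evaluated against the instance role instead of treating the client as anonymous.
mount_access_point() {
  fs_id=$1; ap_id=$2; mnt=$3
  sudo mkdir -p "$mnt"
  sudo mount -t efs -o "tls,iam,accesspoint=$ap_id" "$fs_id" "$mnt"
}

# Step 6: a file created through the access point must come back owned by the
# access point's UID:GID no matter who ran touch. Returns non-zero otherwise.
verify_ownership() {
  mnt=$1; want_uid=$2; want_gid=$3
  probe="$mnt/.efs-probe.$$"
  touch "$probe"
  got=$(stat -c '%u:%g' "$probe")   # GNU stat, as on Amazon Linux
  rm -f "$probe"
  [ "$got" = "$want_uid:$want_gid" ]
}

# Step 7: unmount and delete the access point. Deleting the file system itself
# additionally requires removing its mount targets first, so it is left to you.
cleanup() {
  sudo umount "$1"
  aws efs delete-access-point --access-point-id "$2"
}

# Only talk to AWS when explicitly asked; otherwise this file just defines functions.
if [ "${EFS_RUN:-0}" = 1 ]; then
  FS_ID=fs-0123456789abcdef0
  ROLE_ARN=arn:aws:iam::123456789012:role/app-role
  AP_ID=$(create_access_point "$FS_ID" /app 1001 1001 app)
  put_policy "$FS_ID" "$(file_system_arn "$FS_ID")" "$(access_point_arn "$AP_ID")" "$ROLE_ARN"
  mount_access_point "$FS_ID" "$AP_ID" /mnt/efs
  verify_ownership /mnt/efs 1001 1001 && echo "ownership enforced by access point $AP_ID"
  cleanup /mnt/efs "$AP_ID"
fi
```

The function worth reading is file_system_policy: the Allow statement is what turns the access point from a client-side convenience into a control, because a mount of the file system root by the same role no longer matches the AccessPointArn condition and is refused, and the Deny on aws:SecureTransport rejects any client that drops the tls option. verify_ownership is the check from Step 6 made repeatable: run it from a root shell and it still expects 1001:1001, which is exactly the identity override the access point promises.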