Get started with Amazon EFS access points

Amazon EFS access points are application-specific entry points into an EFS file system that make it easier to manage application access to shared datasets. Access points can enforce a user identity, including the user's POSIX groups, for all file system requests that are made through the access point. Access points can also enforce a different root directory for the file system so that clients can only access data in the specified directory or its subdirectories. For more information on creating an access point, see Creating and deleting access points.

Here's a breakdown of what they are and how they work:

  1. User and Application File System Entry: Access Points are application-specific entry points into an EFS file system that make it easier to manage file system access for different users and applications.

  2. Fine-grained Access Control: By configuring Access Points, you can implement a least privilege access model where you precisely tailor permissions for different applications or users, limiting them to a specific directory within your file system.

  3. Root Directory Specification: Each Access Point can be associated with a specific directory in your EFS file system. You can either use an existing directory or have EFS automatically create a new directory upon first access.

  4. Operating System User and Group: When you create an Access Point, you can specify the POSIX user and group, which overrides the identity that the file system request is coming from. This means that applications accessing the file system through the Access Point will have the file system permissions of the specified user and group.

  5. Simplified Management and Segregation: Access Points can segregate the data access for different applications or users, which simplifies the process of managing data for multi-application access or multi-tenant environments.

  6. Integration with AWS Identity and Access Management (IAM): You can combine Access Points with IAM policies to enforce a user-specific permissions model, ensuring that users can only access the file system through the Access Points they are allowed to use.

  7. Use Cases: Some typical use cases for Access Points include providing applications with access to a specific directory, creating a writable directory for a Lambda function without affecting the rest of the EFS file system, and implementing a multi-user environment where each user has access to their own directory within the EFS.

EFS Access Points help in organizing and managing access to shared datasets on EFS file systems, especially in environments where multiple users or applications need different levels of access.

Tutorial: Create an Amazon EFS Access Point

Step 1: Set up an AWS Account

Make sure you have an AWS account. If you do not have one, you can sign up for an AWS account on the Amazon Web Services website.

Step 2: Create an EFS File System

  1. Log in to the AWS Management Console and open the Amazon EFS console.

  2. Choose Create file system.

  3. Follow the prompts to configure your file system settings, such as VPC and availability zones. Leave the default settings if you are unsure.

  4. Review and create the file system.

Step 3: Create an EFS Access Point

  1. In the EFS Console, select the file system you created.

  2. Go to the Access Points section and click Create Access Point.

  3. Fill out the details:

    • Name: Give your access point a name.

    • Root directory path: Specify the path where the access point will point to in your EFS file system.

    • POSIX user: Set the user ID and group ID that will be applied to all file system requests made through the access point.

    • Root directory creation permissions: Set the permissions and owner for the root directory if it doesn't exist.

💡
POSIX user refers to the user identity and permissions used in POSIX (Portable Operating System Interface) compliant systems, such as Unix, Linux, and Unix-like operating systems. It includes the following attributes: User ID (UID), Group ID (GID), and Permissions (R, W, X). In the context of file systems like Amazon EFS, POSIX user settings determine the file access permissions when interacting with the file system through an access point or directly.
  4. Optionally, set the Access Point Tags if needed for organizational purposes.

  5. Click Create Access Point.

Step 4: Configure IAM Policy

  1. Open the IAM Console.

  2. Create a new IAM policy that grants permission to use the access point. Use the AmazonElasticFileSystemClientReadWriteAccess managed policy as a template.

  3. Attach the policy to the IAM role or user that will be using the access point.
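The CLI equivalent of Steps 3 and 4, as an added example that is not part of the original post: it builds the `aws efs create-access-point` call (POSIX user plus a root directory with creation info) and an IAM policy that allows mounting and writing only when the request comes through that access point, using the `elasticfilesystem:AccessPointArn` condition key. The file system ID, account ID, region, UID/GID 1001 and the `/app1` path are placeholders and assumptions; nothing is sent to AWS unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example (not from the original post): provision an EFS access point
# with the AWS CLI and build an IAM policy scoped to that access point.
# All IDs below are placeholders; replace them with your own values.
set -eu

FILE_SYSTEM_ID="${FILE_SYSTEM_ID:-fs-0123456789abcdef0}"   # placeholder
REGION="${REGION:-us-east-1}"                                # placeholder
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"                     # placeholder
AP_UID=1001; AP_GID=1001; AP_PATH=/app1                      # assumed POSIX identity and root dir

# The POSIX user is enforced for every request through the access point;
# CreationInfo makes EFS create the root directory with this owner and mode
# if it does not exist yet. The value is single-quoted so the braces are not
# brace-expanded when the command is executed.
create_access_point_cmd() {
  printf '%s' "aws efs create-access-point --region $REGION" \
    " --file-system-id $FILE_SYSTEM_ID" \
    " --posix-user Uid=$AP_UID,Gid=$AP_GID" \
    " --root-directory 'Path=$AP_PATH,CreationInfo={OwnerUid=$AP_UID,OwnerGid=$AP_GID,Permissions=0755}'" \
    " --tags Key=Name,Value=app1-ap"
}

# Least-privilege client policy: mount and write are allowed on the file
# system only when the request arrives through the named access point.
# Compare with the managed AmazonElasticFileSystemClientReadWriteAccess
# policy, which carries no such condition.
client_policy_json() {
  ap_id="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
    "Resource": "arn:aws:elasticfilesystem:$REGION:$ACCOUNT_ID:file-system/$FILE_SYSTEM_ID",
    "Condition": {
      "StringEquals": {
        "elasticfilesystem:AccessPointArn": "arn:aws:elasticfilesystem:$REGION:$ACCOUNT_ID:access-point/$ap_id"
      }
    }
  }]
}
EOF
}

# Print the plan; execute only when APPLY=1.
provision() {
  cmd="$(create_access_point_cmd)"
  echo "plan: $cmd"
  if [ "${APPLY:-0}" = "1" ]; then
    ap_id="$(eval "$cmd" --query AccessPointId --output text)"
    client_policy_json "$ap_id" > app1-client-policy.json
    aws iam create-policy --policy-name app1-efs-client \
      --policy-document file://app1-client-policy.json
  else
    client_policy_json fsap-PLACEHOLDER
  fi
}

provision
```

Attach the resulting policy to the instance role (Step 4, item 3) and mount with `-o tls,iam,accesspoint=<ACCESS_POINT_ID>` so that efs-utils authenticates with the instance's IAM credentials; without the `iam` option the condition in this policy is never evaluated and the mount falls back to anonymous NFS access, which the file system policy decides.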

Step 5: Mount the File System via the Access Point

💡
To create EC2 instances, use the following guide: How to launch a single EC2 instance via AWS CLI
  1. Launch an EC2 instance or use an existing one where you want to mount the EFS file system.

  2. Ensure that the EC2 instance is in the same VPC as your EFS file system and has the necessary security group settings to allow NFS traffic.

    💡
    Configuration of the required security group can be found here: Get started with Amazon Elastic File System
  3. Install the Amazon EFS client if it's not already installed.

     sudo yum install -y amazon-efs-utils
    
  4. Use the mount command to mount the file system using the access point.

     sudo mount -t efs -o tls,accesspoint=<ACCESS_POINT_ID> <FILE_SYSTEM_ID> /mnt/efs
    

    Replace <ACCESS_POINT_ID> with your actual access point ID and <FILE_SYSTEM_ID> with your EFS file system ID.

Step 6: Test the Access Point

  1. Once mounted, change to the directory where you mounted the EFS.

     cd /mnt/efs
    
  2. Try creating a file or directory to make sure the permissions and user/group ownership are as expected.

     touch testfile
     mkdir testdir
    
  3. List the files and use ls -l to view the ownership and permissions.
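A scripted version of this test, as an added example that is not part of the original post: it creates a scratch file under the mount, reads back the owner, and compares it with the UID:GID configured on the access point (assumed to be 1001:1001 from Step 3). The function takes any directory, so it can be tried on a local temp directory before the EFS mount; on the access-point mount the owner should match the configured identity regardless of which local user runs the check.

```shell
#!/bin/sh
# Added example (not from the original post): verify that an access point
# enforces the configured POSIX identity on files created through it.
set -eu

# Portable owner lookup: GNU stat first, BSD stat as a fallback.
owner_of() {
  stat -c '%u:%g' "$1" 2>/dev/null || stat -f '%u:%g' "$1"
}

# check_enforced_identity MOUNT_DIR EXPECTED_UID EXPECTED_GID
# Returns 0 when a file created under MOUNT_DIR is owned by EXPECTED_UID:EXPECTED_GID.
# On an access-point mount this should hold even when the local process runs as
# a different user, because EFS rewrites the identity on the server side.
check_enforced_identity() {
  dir="$1"; want="$2:$3"
  probe="$dir/.ap-probe-$$"
  touch "$probe" || { echo "cannot write to $dir" >&2; return 1; }
  got="$(owner_of "$probe")"
  rm -f "$probe"
  if [ "$got" = "$want" ]; then
    echo "ok: files under $dir are created as $got"
    return 0
  fi
  echo "MISMATCH: expected $want, got $got (identity not enforced, or wrong access point)" >&2
  return 1
}

# Usage against the tutorial's mount point with the assumed access point identity:
#   sh check-ap.sh /mnt/efs 1001 1001
if [ "${1:-}" != "" ]; then
  check_enforced_identity "$1" "${2:?expected uid}" "${3:?expected gid}"
fi
```

Run it as a non-root local user to see the override in action; `ls -ln` on the mount shows the numeric IDs that the access point applied rather than the local user's.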

Step 7: Clean Up

After testing, you may want to clean up to avoid incurring unnecessary charges:

  1. Unmount the file system on your EC2 instance.

     sudo umount /mnt/efs
    
  2. Delete the access point from the EFS console.

  3. If you created the file system just for this test, delete the file system as well.

  4. Terminate any EC2 instances you no longer need.

Remember to replace placeholders with the actual IDs and paths relevant to your AWS setup. Also, keep in mind that AWS services are region-specific, so ensure that all resources are in the same region.

References

  1. Working with Amazon EFS access points

  2. Creating and deleting access points

  3. AmazonElasticFileSystemClientReadWriteAccess

  4. Amazon Elastic File System introduces EFS Access Points

  5. Unleashing the Power of AWS EFS with Access Points: What You Need to Know

  6. EFS mount point vs access point