interface CfnFileSystemProps
| Language | Type name |
|---|---|
| .NET | Amazon.CDK.AWS.S3Files.CfnFileSystemProps |
| Go | github.com/aws/aws-cdk-go/awscdk/v2/awss3files#CfnFileSystemProps |
| Java | software.amazon.awscdk.services.s3files.CfnFileSystemProps |
| Python | aws_cdk.aws_s3files.CfnFileSystemProps |
| TypeScript | aws-cdk-lib » aws_s3files » CfnFileSystemProps |
Properties for defining a CfnFileSystem.
See also: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3files-filesystem.html
Example
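import * as path from 'path';
import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as lambda from 'aws-cdk-lib/aws-lambda';
import * as s3 from 'aws-cdk-lib/aws-s3';
import * as s3files from 'aws-cdk-lib/aws-s3files';

// The statements below pass `this` as the construct scope, so they belong
// inside a Stack or Construct constructor.

const vpc = new ec2.Vpc(this, 'Vpc');

// Versioning is required — S3 Files relies on object versions for consistency.
// NOTE(review): only `versioned` is set; encryption, TLS-only access and
// public-access settings are left at the library defaults. Set them explicitly
// if your baseline requires it.
const bucket = new s3.Bucket(this, 'Bucket', { versioned: true });

// S3 Files assumes this role to sync data between S3 and the file system.
// NOTE(review): the trust policy names only the service principal. If the
// service supports the aws:SourceAccount / aws:SourceArn condition keys,
// adding them restricts which resources can cause this role to be assumed
// (confused-deputy protection) — confirm against the S3 Files documentation.
const role = new iam.Role(this, 'S3FilesRole', {
  assumedBy: new iam.ServicePrincipal('elasticfilesystem.amazonaws.com'),
});

// S3 permissions: read/write access to the bucket and objects.
// Both statements are scoped to this one bucket, not to `*`.
role.addToPolicy(new iam.PolicyStatement({
  actions: ['s3:ListBucket*'],
  resources: [bucket.bucketArn],
}));
role.addToPolicy(new iam.PolicyStatement({
  actions: ['s3:AbortMultipartUpload', 's3:DeleteObject', 's3:GetObject*', 's3:List*', 's3:PutObject*'],
  resources: [bucket.arnForObjects('*')],
}));

// EventBridge permissions: S3 Files creates rules prefixed "DO-NOT-DELETE-S3-Files"
// to detect S3 object changes and trigger data synchronization.
// The mutating actions are limited twice: by the rule-name prefix in the
// resource ARN and by the events:ManagedBy condition.
role.addToPolicy(new iam.PolicyStatement({
  actions: [
    'events:DeleteRule', 'events:DisableRule', 'events:EnableRule',
    'events:PutRule', 'events:PutTargets', 'events:RemoveTargets',
  ],
  resources: [`arn:${cdk.Aws.PARTITION}:events:*:*:rule/DO-NOT-DELETE-S3-Files*`],
  conditions: { StringEquals: { 'events:ManagedBy': 'elasticfilesystem.amazonaws.com' } },
}));
// Read-only rule discovery. Unlike the statement above, the resource here is
// every rule (`rule/*`), not just the S3 Files prefix.
role.addToPolicy(new iam.PolicyStatement({
  actions: ['events:DescribeRule', 'events:ListRuleNamesByTarget', 'events:ListRules', 'events:ListTargetsByRule'],
  resources: [`arn:${cdk.Aws.PARTITION}:events:*:*:rule/*`],
}));

// NOTE(review): the optional `kmsKeyId` property is not set; which key is used
// by default is not stated on this page — confirm before storing sensitive data.
const fileSystem = new s3files.CfnFileSystem(this, 'S3FilesFs', {
  bucket: bucket.bucketArn,
  roleArn: role.roleArn,
});

// Security group attached to every mount target. No ingress rule is added in
// this snippet.
// NOTE(review): the mount targets must accept NFS traffic (normally TCP 2049)
// from the function. Verify whether the Lambda file-system binding below opens
// that path; if you add a rule yourself, allow it only from the function's
// security group rather than from a CIDR range.
const sg = new ec2.SecurityGroup(this, 'MountTargetSG', { vpc });

// Create a mount target in each private subnet so Lambda can reach the file system via NFS.
vpc.privateSubnets.forEach((subnet, i) => {
  new s3files.CfnMountTarget(this, `MountTarget${i}`, {
    fileSystemId: fileSystem.attrFileSystemId,
    subnetId: subnet.subnetId,
    securityGroups: [sg.securityGroupId],
  });
});

// The access point defines the POSIX identity and root path Lambda uses on the file system.
// The function acts as non-root uid/gid 1001, and mode 750 on the root
// directory grants no access to other users.
const accessPoint = new s3files.CfnAccessPoint(this, 'AccessPoint', {
  fileSystemId: fileSystem.attrFileSystemId,
  rootDirectory: {
    path: '/export/lambda',
    creationPermissions: { ownerGid: '1001', ownerUid: '1001', permissions: '750' },
  },
  posixUser: { gid: '1001', uid: '1001' },
});

// The function is placed in the same VPC as the mount targets and mounts the
// access point at /mnt/s3files.
const fn = new lambda.Function(this, 'MyFunction', {
  runtime: lambda.Runtime.NODEJS_LATEST,
  handler: 'index.handler',
  code: lambda.Code.fromAsset(path.join(__dirname, 'lambda-handler')),
  vpc,
  filesystem: lambda.FileSystem.fromS3FilesAccessPoint(accessPoint, '/mnt/s3files'),
});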
Properties
| Name | Type | Description |
|---|---|---|
| bucket | string | |
| roleArn | string | |
| acceptBucketWarning? | boolean \| IResolvable | |
| clientToken? | string | |
| kmsKeyId? | string | |
| prefix? | string | |
| synchronizationConfiguration? | IResolvable \| Synchronization | |
| tags? | Cfn[] | |
bucket
Type:
string
roleArn
Type:
string
acceptBucketWarning?
Type:
boolean | IResolvable
(optional)
clientToken?
Type:
string
(optional)
kmsKeyId?
Type:
string
(optional)
prefix?
Type:
string
(optional)
synchronizationConfiguration?
Type:
IResolvable | Synchronization
(optional)
tags?
Type:
Cfn[]
(optional)
