# Creating and managing EFS resources
Amazon EFS provides elastic, shared file storage. The file system that you create supports concurrent read and write access from multiple Amazon EC2 instances. The file system is also accessible from all of the Availability Zones in the AWS Region where it is created.
You can mount an Amazon EFS file system on EC2 instances in your virtual private cloud (VPC) based on Amazon VPC by using the Network File System versions 4.0 and 4.1 protocol (NFSv4). For more information, see [How Amazon EFS works](how-it-works.md).
As an example, suppose that you have one or more EC2 instances launched in your VPC. Now you want to create and use a file system on these instances. Following are the typical steps that you must perform to use Amazon EFS file systems in the VPC:
+ **Create an Amazon EFS file system** – When creating a file system, we recommend using the **Name** tag. The **Name** tag value appears in the console and makes it easier to identify the file system. You can also add other optional tags to the file system.
+ **Create mount targets for the file system** – To access the file system in your VPC and mount the file system to your Amazon EC2 instance, you must create mount targets in the VPC subnets.
+ **Create security groups** – Both an Amazon EC2 instance and a mount target must have associated security groups. These security groups act as a virtual firewall that controls the traffic between them. You can use the security group that you associated with the mount target to control inbound traffic to your file system. To do this, add an inbound rule to the mount target security group that allows access from a specific EC2 instance. Then, you can mount the file system only on that EC2 instance.
**Topics**
+ [Implementation summary](how-it-works-implementation.md)
+ [Resource IDs](#resource-ids)
+ [Creation token and idempotency](#creation-token)
+ [Creating EFS file systems](creating-using-create-fs.md)
+ [Deleting EFS file systems](delete-efs-fs.md)
+ [Creating file system policies](create-file-system-policy.md)
+ [Creating access points](create-access-point.md)
+ [Deleting access points](delete-access-point.md)
+ [Tagging EFS resources](manage-fs-tags.md)
+ [Tutorial: Creating writable per-user subdirectories](accessing-fs-nfs-permissions-per-user-subdirs.md)
# Implementation summary
In Amazon EFS, a file system is the primary resource. Each file system has properties such as ID, creation token, creation time, file system size in bytes, number of mount targets created for the file system, and the file system lifecycle policies.
Amazon EFS also supports other resources to configure the primary resource. These include mount targets and access points:
+ **Mount target** – To access your file system, you must create mount targets in your VPC. Each mount target has the following properties: the mount target ID, the subnet ID in which it is created, the file system ID for which it is created, an IP address at which the file system may be mounted, VPC security groups, and the mount target state. You can use the IP address or the DNS name in your `mount` command.
Each file system has a DNS name of the following form.
```
file-system-id.efs.aws-region.amazonaws.com
```
You can specify this DNS name in your `mount` command to mount the Amazon EFS file system. Suppose you create an `efs-mount-point` subdirectory off of your home directory on your EC2 instance or on-premises server. Then, you can use the mount command to mount the file system. For example, on an Amazon Linux AMI, you can use the following `mount` command.
```
$ sudo mount -t nfs -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport file-system-DNS-name:/ ~/efs-mount-point
```
For more information, see [Managing mount targets](accessing-fs.md).
+ **Access Points** – An access point applies an operating system user, group, and file system path to any file system request made using the access point. The access point's operating system user and group override any identity information provided by the NFS client. The file system path is exposed to the client as the access point's root directory. This ensures that each application always uses the correct operating system identity and the correct directory when accessing shared file-based datasets. Applications using the access point can only access data in its own directory and below. For more information, see [Working with access points](efs-access-points.md).
Mount targets and tags are *subresources* that are associated with a file system. You can only create them within the context of an existing file system.
Amazon EFS provides API operations for you to create and manage these resources. In addition to the create and delete operations for each resource, Amazon EFS supports a describe operation that enables you to retrieve resource information. You have the following options for creating and managing these resources:
+ Use the Amazon EFS console – For an example, see [Getting started](getting-started.md).
+ Use the Amazon EFS command line interface (CLI) – For an example, see [Tutorial: Create an EFS file system and mount it on an EC2 instance using the AWS CLI](wt1-getting-started.md).
+ You can also manage these resources programmatically as follows:
+ Use the AWS SDKs – The AWS SDKs simplify your programming tasks by wrapping the underlying Amazon EFS API. The SDK clients also authenticate your requests by using access keys that you provide. For more information, see [Sample Code and Libraries](https://aws.amazon.com/code).
+ Call the Amazon EFS API directly from your application – If you cannot use the SDKs for some reason, you can make the Amazon EFS API calls directly from your application. However, you need to write the necessary code to authenticate your requests if you use this option. For more information about the Amazon EFS API, see [Amazon EFS API](api-reference.md).
## Resource IDs
Amazon EFS assigns unique resource identifiers (IDs) to all EFS resources when they are created. All EFS resource IDs consist of a resource identifier and a combination of digits 0–9 and lowercase letters a–f.
Before October 2021, the IDs assigned to newly created file system and mount target resources used 8 characters after the hyphen (for example, `fs-12345678`). From May 2021 to October 2021, we changed the IDs of these resource types to use 17 characters after the hyphen (for example, `fs-1234567890abcdef0`). Depending on when your account was created, you might have file system and mount target resources with short IDs, though any new resources of these types receive the longer IDs. The Resource ID never changes.
## Creation token and idempotency
*Idempotency* ensures that an API request completes only once. With idempotent requests, if the original request completes successfully, subsequent requests have no additional effect. This is useful to prevent duplicate jobs from being created when you interact with the Amazon EFS API.
The Amazon EFS API supports idempotency with client request tokens. A *client request token* is a unique string that you specify when you make a create job request.
A client request token can be any string that includes up to 64 ASCII characters. If you reuse a client request token within one minute of a successful request, the API returns the job details of the original request.
If you use the console, it generates the token for you. If you use the **Custom Create** flow in the console, the creation token that is generated for you has the following format:
```
"CreationToken": "console-d215fa78-1f83-4651-b026-facafd8a7da7"
```
If you use Quick Create to create a file system with the service recommended settings, the creation token has the following format:
```
"CreationToken": "quickCreated-d7f56c5f-e433-41ca-8307-9d9c0f8a77a2"
```
# Creating EFS file systems
You can create a file system when you create a new EC2 launch instance, as explained in the [Getting started exercise](getting-started.md). However, you can also create file systems by using the Amazon EFS console, the AWS Command Line Interface (AWS CLI), or the Amazon EFS API.
When creating the file system using the Amazon EFS console, you have different options, depending on whether you want the file system to use the recommended settings or if you want to customize the settings.
+ You can use Quick create to quickly create a file system with the following recommended settings.
+ Regional availability
+ Lifecycle policies to transition the file system to EFS Infrequent Access (IA) storage after 30 days, to EFS Archive storage after 90 days, and not to transition to EFS Standard storage
+ Encryption of data at rest enabled
+ Elastic throughput mode
+ General Purpose performance mode
+ Mount targets configured in each Availability Zone in the AWS Region in which the file system is created using an available IPv4 on the specified subnet
+ You can use Customize to create a file system with the settings you choose.
For a table that lists the file system settings and the recommended values, see [Configuration options for file systems](#creating-using-create-fs-part1).
## Required IAM permissions for creating file systems
To create EFS resources, such as a file system and access points, you must have AWS Identity and Access Management (IAM) permissions for the corresponding API operation and resource.
Create IAM users and grant them permissions for Amazon EFS actions with user policies. You can also use roles to grant cross-account permissions. Amazon Elastic File System also uses an IAM service-linked role that includes permissions required to call other AWS services on your behalf. For more information about managing permissions for API operations, see [Identity and access management for Amazon EFS](security-iam.md).
## Configuration options for file systems
EFS file systems are configured with the settings listed in the following table.
+ If you use Quick create to create the file system, the file system is created with the indicated recommended value for the setting.
+ If use Customize to create a custom file system, you can change the recommended value for the setting.
**EFS file system settings**
| Setting | Description |
| --- | --- |
| File system type | Recommended: RegionalThe file system type determines the [availability and durability](features.md#availability-durability) with which an EFS file system stores data within an AWS Region.[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/efs/latest/ug/creating-using-create-fs.html)For more information about file system types, see [Availability and durability of EFS file systems](features.md#availability-durability). |
| Lifecycle management | *Recommended: Transition into IA storage after 30 days and into Archive storage after 90 days. Do not transition into Standard storage.* Lifecycle management uses lifecycle policies to automatically move files in to and out of the lower-cost Infrequent Access (IA) storage class based on access patterns. When you create a file system by using the AWS Management Console, the file system's lifecycle policy is configured with the following default settings: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/efs/latest/ug/creating-using-create-fs.html) When you create a file system by using the AWS CLI, Amazon EFS API, or AWS SDKs, you cannot set a lifecycle policy at the same time. You must wait until the file system is created, and then use the [PutLifecycleConfiguration](API_PutLifecycleConfiguration.md) API operation to update the lifecycle policy. For more information about lifecycle management, see [Managing storage lifecycle](lifecycle-management-efs.md). |
| Encryption at rest | *Recommended: Enabled* Amazon EFS uses your AWS Key Management Service (AWS KMS) EFS service key (`aws/elasticfilesystem`) to encrypt data at rest by default. With encryption, all data and metadata stored on it are encrypted. After you create an EFS file system, you cannot change its encryption setting. To convert an unencrypted file system to encrypted, you must create a new file system. For more information about encryption in Amazon EFS, see [Data encryption in Amazon EFS](encryption.md). |
| Throughput mode | *Recommended: Elastic* You can choose from the following throughput modes: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/efs/latest/ug/creating-using-create-fs.html) Additional charges are associated with using Elastic and Provisioned throughput. For more information, see [Amazon EFS pricing](https://aws.amazon.com/efs/pricing/). For more information about throughput modes, see [Throughput modes](performance.md#throughput-modes). |
| Performance mode | *Recommended: General Purpose* The **General Purpose** performance mode has the lowest per-operation latency and is recommended for all file systems. **Max I/O** is a previous generation performance type that is designed for highly parallelized workloads that can tolerate higher latencies than the General Purpose mode. Max I/O mode is not supported for One Zone file systems or file systems that use Elastic throughput.Due to the higher per-operation latencies with Max I/O, we recommend using General Purpose performance mode for all file systems. For more information, see [Performance modes](performance.md#performancemodes). |
| **Network access** | *Recommended: Mount target created in each Availability Zone in which the file system is available* The mount target settings are as follows: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/efs/latest/ug/creating-using-create-fs.html) When you create a file system by using the AWS CLI, Amazon EFS API, or AWS SDKs, you cannot create a mount target at the same time. You must wait until the file system is created, and then use the [CreateMountTarget](API_CreateMountTarget.md) API operation to create the mount targets. For more information about mount targets, see [Managing mount targets](accessing-fs.md). |
## Quick create using the console
Use the Amazon EFS console to create an Amazon EFS file system that has the recommended settings. If you want to create a file system with a customized configuration, see [Custom create using the console](#creating-using-fs-part1-console).
**To quick create an Amazon EFS file system that has the recommended settings**
1. Sign in to the AWS Management Console and open the Amazon EFS console at [ https://console.aws.amazon.com/efs/](https://console.aws.amazon.com/efs/).
1. Choose **Create file system** to open the **Create file system** dialog box.
1. (Optional) Enter a **Name** for your file system.
1. For **Virtual Private Cloud (VPC)**, choose your VPC, or keep it set to your default VPC.
1. Choose **Create** to create a file system that uses the following service recommended settings:
+ Regional availability
+ Lifecycle policies to transition the file system to EFS Infrequent Access (IA) storage after 30 days, to EFS Archive storage after 90 days, and not to transition to EFS Standard storage
+ Encryption of data at rest enabled
+ Elastic throughput mode
+ General Purpose performance mode
+ Mount targets configured in each Availability Zone in the AWS Region in which the file system is created, using an available IPv4 on the specified subnet
The **File systems** page appears with a banner across the top showing the status of the file system you created. A link to access the file system details page appears in the banner when the file system becomes available.
For more information about file system status, see [Understanding file system status](file-system-state.md).
## Custom create using the console
This section describes the process of using the Amazon EFS console to create an EFS file system with customized settings instead of using the service-recommended settings. For more information about creating a file system by using the recommended settings, see [Quick create using the console](#gs-step-two-create-efs-resources).
Creating an EFS file system with custom settings by using the console is a four-step process:
+ Step 1 – Configure general file system settings, including the storage class and throughput mode.
+ Step 2 – Configure file system network settings, including the virtual private cloud (VPC) and mount targets. For each mount target, set the Availability Zone, subnet, IP address, and security groups.
+ Step 3 – (Optional) Create a file system policy to control NFS client access to the file system.
+ Step 4 – Review the file system settings, make any changes, and then create the file system.
**Step 1: Configure file system settings**
1. Sign in to the AWS Management Console and open the Amazon EFS console at [ https://console.aws.amazon.com/efs/](https://console.aws.amazon.com/efs/).
1. Choose **Create file system** to open the **Create file system** dialog box.
1. Choose **Customize** to create a customized file system instead of creating a file system by using the recommended settings. The **File system settings** page opens.
1. For **General** settings, do the following.
1. (Optional) Enter a **Name** for the file system.
1. For **File system type**, **Regional** is selected by default. Choose **One Zone** if you want to create a file system that stores file system data and metadata redundantly within a single Availability Zone. If you choose **One Zone**, choose the **Availability Zone** that you want the file system created in, or keep the default value.
1. For **Lifecycle management**, change the lifecycle policies, if necessary.
+ **Transition into IA** – Select when to transition files into the Infrequent Access (IA) storage class, based on the time since they were last accessed in Standard storage.
+ **Transition into Archive** – Select when to transition files into the Archive storage class, based on the time since they were last accessed in Standard storage.
+ **Transition into Standard** – Select whether to transition the file system to the storage class.
For more information about lifecycle policies, see [Managing storage lifecycle](lifecycle-management-efs.md).
1. Amazon EFS uses your AWS Key Management Service (AWS KMS) EFS service key (`aws/elasticfilesystem`) to encrypt data at rest by default. To choose a different KMS key to use for encryption, expand **Customize encryption settings** and choose a key from the list. Or, enter a KMS key ID or Amazon Resource Name (ARN) for the KMS key that you want to use.
If you need to create a new key, choose **Create an AWS KMS key** to launch the AWS KMS console and create a new key.
You can turn off encryption of data at rest by clearing the check box.
You cannot change the encryption setting after the file system is created. For more information, see [Data encryption in Amazon EFS](encryption.md).
1. For **Performance** settings, do the following:
1. For **Throughput mode**, the **Elastic** mode is selected by default.
+ To use provisioned throughput, choose **Provisioned**, and, in **Provisioned Throughput (MiB/s)**, enter the amount of throughput to provision for file system requests. The amount of **Maximum Read Throughput** is displayed at three times the amount of the throughput that you enter.
+ To use bursting throughput, choose **Bursting**.
After you choose the throughput mode, an estimate of the monthly cost for the file system is shown. You can change the throughput mode after the file system becomes available.
For more information about choosing the correct throughput mode for your performance needs, see [Throughput modes](performance.md#throughput-modes).
1. For **Performance mode**, the default is **General Purpose**. To change the performance mode, expand **Additional settings**, and then choose **Max I/O**.
You cannot change the performance mode after the file system becomes available. For more information, see [Performance modes](performance.md#performancemodes).
**Important**
Due to the higher per-operation latencies with Max I/O, we recommend using General Purpose performance mode for all file systems.
1. (Optional) Add tag key-value pairs to your file system.
1. Choose **Next** to configure network access for the file system.
**Step 2: Configure network access**
In Step 2, you configure the file system's network settings, including the VPC and mount targets.
1. Choose the **Virtual Private Cloud (VPC)** where you want EC2 instances to connect to your file system. For more information, see [Managing mount targets](accessing-fs.md).
1. For **Mount targets**, you create one or more mount targets for your file system. For each mount target, set the following properties:
+ **Availability Zone** – By default, a mount target is configured in each Availability Zone in an AWS Region. If you don't want a mount target in a particular Availability Zone, choose **Remove** to delete the mount target for that zone. Create a mount target in every Availability Zone that you plan to access your file system from – there is no cost to do so.
+ **Subnet ID** – Choose from the available subnets in an Availability Zone. The default subnet is preselected.
+ **IP address type** – Choose **IPv4 only** to support IPv4 addresses only, **IPv6 only** to support IPv6 addresses only, or **Dual-stack** to support both IPv4 and IPv6 addresses.
+ **IPv4 or IPv6 address** – If you know the IP address where you want to place the mount target, then enter it in the IP address box that matches the **IP address type**. If you don't specify a value, Amazon EFS selects an unused IP address from the specified subnet.
+ **Security groups** – By default, Amazon EFS chooses the default security group for the VPC. To change the security group, delete the assigned group and then choose the group from the **Choose security groups** list. You can specify one or more security groups for the mount target. For more information, see [Using VPC security groups](network-access.md).
1. Choose **Add mount target** to create a mount target for an Availability Zone that doesn't have one. If a mount target is configured for each Availability Zone, this choice is not available.
1. Choose **Next** to set the file system policy.
**Step 3: Create a file system policy (optional)**
Optionally, you can create a file system policy for your file system. An EFS file system policy is an IAM resource policy that you use to control NFS client access to the file system. For more information, see [Using IAM to control access to file systems](iam-access-control-nfs-efs.md).
1. In **Policy options**, you can choose any combination of the preconfigured file system policies:
+ **Prevent root access by default** – This option removes `ClientRootAccess` from the set of allowed EFS actions.
+ **Enforce read-only access by default** – This option removes `ClientWriteAccess` from the set of allowed EFS actions.
+ **Prevent anonymous access** – This option removes `ClientMount` from the set of allowed EFS actions.
+ **Enforce in-transit encryption for all clients** – This option denies access to unencrypted clients.
When you choose a preconfigured policy, the policy JSON object is displayed in the **Policy editor** pane.
1. Use **Grant additional permissions** to grant file system permissions to additional IAM principals, including another AWS account. Choose **Add**, and enter the principal ARN of the entity that you are granting permissions to. Then choose the **Permissions** that you want to grant. The additional permissions are shown in the **Policy editor**.
1. You can use the **Policy editor** to customize a preconfigured policy or to create your own file system policy. When you use the editor, the preconfigured policy options become unavailable. To clear the current file system policy and start creating a new policy, choose **Clear**.
1. Choose **Next** to review and create the file system.
**Step 4: Review and create**
1. Review each of the file system configuration groups. You can make changes to each group at this time by choosing **Edit**.
1. Choose **Create file system** to create your file system and return to the **File systems** page.
A banner across the top shows that the new file system is being created. A link to access the new file system details page appears in the banner when the file system becomes available.
## Create using the AWS CLI
When you're using the AWS CLI, you create these resources in order. First, you create a file system. Then, you can create mount targets and any additional optional tags for the file system by using corresponding AWS CLI commands.
The following examples use `adminuser` for the `--profile` parameter values. You must use an appropriate user profile to provide your credentials. For information, see [Prerequisites to use the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-prereqs.html) in the *AWS Command Line Interface User Guide*.
+ To create an encrypted file system with automatic backups enabled, use the Amazon EFS `create-file-system` CLI command (the corresponding operation is [CreateFileSystem](API_CreateFileSystem.md)), as shown following.
```
aws efs create-file-system \
--creation-token creation-token \
--encrypted \
--backup \
--performance-mode generalPurpose \
--throughput-mode elastic \
--region aws-region \
--tags Key=key,Value=value Key=key1,Value=value1 \
--profile adminuser
```
For example, the following `create-file-system` command creates a file system using Elastic throughput in the `us-west-2` AWS Region. The command specifies `MyFirstFS` as the creation token. For a list of the AWS Regions where you can create an Amazon EFS file system, see [Amazon EFS endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/elasticfilesystem.html) in the *Amazon Web Services General Reference*.
```
aws efs create-file-system \
--creation-token MyFirstFS \
--backup \
--encrypted \
--performance-mode generalPurpose \
--throughput-mode elastic \
--region us-west-2 \
--tags Key=Name,Value="Test File System" Key=developer,Value=rhoward \
--profile adminuser
```
After successfully creating the file system, Amazon EFS returns the file system description as JSON, as shown in the following example.
```
{
"OwnerId": "123456789abcd",
"CreationToken": "MyFirstFS",
"Encrypted": true,
"FileSystemId": "fs-c7a0456e",
"CreationTime": 1422823614.0,
"LifeCycleState": "creating",
"Name": "Test File System",
"NumberOfMountTargets": 0,
"SizeInBytes": {
"Value": 6144,
"ValueInIA": 0,
"ValueInStandard": 6144
"ValueInArchive": 0
},
"PerformanceMode": "generalPurpose",
"ThroughputMode": "elastic",
"Tags": [
{
"Key": "Name",
"Value": "Test File System"
}
]
}
```
+ The following example creates a file system that uses Bursting throughput in the `us-west-2a` Availability Zone by using the `availability-zone-name` property.
```
aws efs create-file-system \
--creation-token MyFirstFS \
--availability-zone-name us-west-2a \
--backup \
--encrypted \
--performance-mode generalPurpose \
--throughput-mode bursting \
--region us-west-2 \
--tags Key=Name,Value="Test File System" Key=developer,Value=rhoward \
--profile adminuser
```
After successfully creating the file system, Amazon EFS returns the file system description as JSON, as shown in the following example.
```
{
"AvailabilityZoneId": "usw-az1",
"AvailabilityZoneName": "us-west-2a",
"OwnerId": "123456789abcd",
"CreationToken": "MyFirstFS",
"Encrypted": true,
"FileSystemId": "fs-c7a0456e",
"CreationTime": 1422823614.0,
"LifeCycleState": "creating",
"Name": "Test File System",
"NumberOfMountTargets": 0,
"SizeInBytes": {
"Value": 6144,
"ValueInIA": 0,
"ValueInStandard": 6144
"ValueInArchive": 0
},
"PerformanceMode": "generalPurpose",
"ThroughputMode": "bursting",
"Tags": [
{
"Key": "Name",
"Value": "Test File System"
}
]
}
```
Amazon EFS also provides the `describe-file-systems` CLI command (the corresponding API operation is [DescribeFileSystems](API_DescribeFileSystems.md)), which you can use to retrieve a list of file systems in your account, as shown following.
```
aws efs describe-file-systems \
--region aws-region \
--profile adminuser
```
Amazon EFS returns a list of the file systems in your AWS account created in the specified Region.
# Deleting EFS file systems
File system deletion is a destructive action that you can't undo. You lose the file system and any data you have in it. Any data that you delete from a file system is gone, and you can't restore the data. When users delete data from a file system, that data is immediately rendered unusable. EFS force-overwrites the data in an eventual manner.
**Note**
You cannot delete a file system that is part of a replication configuration. You must delete the replication configuration first. For more information, see [Deleting replication configurations](delete-replications.md).
**Important**
You should always unmount a file system before you delete it.
## Using the console
**To delete a file system**
1. Open the Amazon Elastic File System console at [https://console.aws.amazon.com/efs/](https://console.aws.amazon.com/efs/).
1. Select the file system that you want to delete in the **File systems** page.
1. Choose **Delete**.
1. In the **Delete file system** dialog box, enter the file system ID shown, and choose **Confirm** to confirm the delete.
The console simplifies the file system deletion for you. First it deletes the associated mount targets, and then it deletes the file system.
## Using the AWS CLI
Before you can use the AWS CLI command to delete a file system, you must delete all of the mount targets and access points that were created for the file system.
For example AWS CLI commands, see [Step 4: Clean up](wt1-getting-started.md#wt1-clean-up).
# Creating file system policies
You can create a file system policy by using the Amazon EFS console or by using the AWS CLI. You can also create a file system policy programmatically by using AWS SDKs or the Amazon EFS API directly. EFS file system policies have a 20,000 character limit. For more information about using an EFS file system policy and examples, see [Using IAM to control access to file systems](iam-access-control-nfs-efs.md).
**Note**
Amazon EFS file system policy changes can take several minutes to take effect.
## Using the console
1. Open the Amazon Elastic File System console at [https://console.aws.amazon.com/efs/](https://console.aws.amazon.com/efs/).
1. Choose **File Systems**.
1. On the **File systems** page, choose the file system that you want to edit or create a file system policy for.
1. Choose **File system policy**, then choose **Edit**.
1. In **Policy options**, you can choose any combination of the preconfigured file system policies:
+ **Prevent root access by default** – This option removes `ClientRootAccess` from the set of allowed EFS actions.
+ **Enforce read-only access by default** – This option removes `ClientWriteAccess` from the set of allowed EFS actions.
+ **Prevent anonymous access** – This option removes `ClientMount` from the set of allowed EFS actions.
+ **Enforce in-transit encryption for all clients** – This option denies access to unencrypted clients.
When you choose a preconfigured policy, the policy JSON object is displayed in the **Policy editor** pane.
1. Use **Grant additional permissions** to grant file system permissions to additional IAM principals, including another AWS account. Choose **Add**, and enter the principal ARN of the entity that you are granting permissions to. Then choose the **Permissions** that you want to grant. The additional permissions are shown in the **Policy editor**.
1. You can use the **Policy editor** to customize a preconfigured policy or to create your own file system policy. When you use the editor, the preconfigured policy options become unavailable. To clear the current file system policy and start creating a new policy, choose **Clear**.
When you clear the editor, the preconfigured policies become available once again.
1. After you complete editing the policy, choose **Save**.
## Using the AWS CLI
In the following example, the [https://docs.aws.amazon.com/cli/latest/reference/efs/put-file-system-policy.html](https://docs.aws.amazon.com/cli/latest/reference/efs/put-file-system-policy.html) CLI command creates a file system policy that allows the specified AWS account read-only access to the EFS file system. The equivalent API command is [PutFileSystemPolicy](API_PutFileSystemPolicy.md).
```
aws efs put-file-system-policy --file-system-id fs-01234567 --policy '{
"Id": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticfilesystem:ClientMount"
],
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
}
}
]
}'
```
# Creating access points
You can create and delete Amazon EFS access points using the AWS Management Console, the AWS Command Line Interface (AWS CLI), and the Amazon EFS API and SDKs. You cannot modify an access point once it is created. A file system can have a maximum of 10,000 access points unless you request an increase.
**Note**
If multiple requests to create access points on the same file system are sent in quick succession, and the file system is nearing the access points limit, you may experience a throttling response for these requests. This is to ensure that the file system does not exceed the stated access point quota.
For more information about EFS access points, see [Working with access points](efs-access-points.md).
## Using the console
1. Open the Amazon Elastic File System console at [https://console.aws.amazon.com/efs/](https://console.aws.amazon.com/efs/).
1. Choose **Access points** to open the **Access points** window.
1. Choose **Create access point** to display the **Create access point** page.
You can also open the **Create access point** page by choosing **File Systems**. Choose a file system **Name** or **File system ID** and then choose **Access points** and **Create access point** to create an access point for that file system.
1. Enter the following information in the **Details** panel:
+ **File system** – Enter a file system name or ID and choose the matching file system. You can also choose the file system from the list that appears when you choose the input field.
+ (Optional) **Name** – Enter a name for the access point.
+ (Optional) **Root directory path** – You can specify a root directory for the access point; the default access point root is /. To enter a root directory path, use the format `/foo/bar`. For more information, see [Enforcing a root directory with an access point](enforce-root-directory-access-point.md).
1. (Optional) In the **POSIX user** panel, you can specify the full POSIX identity to use to enforce user and group information for all file operations by NFS clients that are using the access point. For more information, see [Enforcing a user identity using an access point](enforce-identity-access-points.md).
+ **User ID** – Enter a numeric POSIX user ID for the user.
+ **Group ID** – Enter a numeric POSIX group ID for the user.
+ **Secondary group IDs** – Enter an optional comma-separated list of secondary group IDs.
1. (Optional) For **Root directory creation permissions**, you can specify the permissions to use when Amazon EFS creates the root directory path, if specified and the root directory doesn't already exist. For more information, see [Enforcing a root directory with an access point](enforce-root-directory-access-point.md).
**Note**
If you don't specify any root directory ownership and permissions, and the root directory does not already exist, EFS will not create the root directory. Any attempts to mount the file system by using the access point will fail.
+ **Owner user ID** – Enter the numeric POSIX user ID to use as the root directory owner.
+ **Owner group ID** – Enter the numeric POSIX group ID to use as the root directory owner group.
+ **Permissions** – Enter the Unix mode of the directory. A common configuration is 755. Ensure that the execute bit is set for the access point user so that they are able to mount.
1. Choose **Create access point** to create the access point by using this configuration.
## Using the AWS CLI
In the following example, the `create-access-point` CLI command creates an access point for an EFS file system. The equivalent API command is [CreateAccessPoint](API_CreateAccessPoint.md).
```
aws efs create-access-point --file-system-id fs-abcdef0123456789a --client-token 010102020-3 \
--root-directory “Path=/efs/mobileapp/east,CreationInfo={OwnerUid=0,OwnerGid=11,Permissions=775}” \
--posix-user “Uid=22,Gid=4” \
--tags Key=Name,Value=east-users
```
If the request is successful, the CLI responds with the access point description.
```
{
"ClientToken": "010102020-3",
"Name": "east-users",
"AccessPointId": "fsap-abcd1234ef5678901",
"AccessPointArn": "arn:aws:elasticfilesystem:us-east-2:111122223333:access-point/fsap-abcd1234ef5678901",
"FileSystemId": "fs-01234567",
"LifeCycleState": "creating",
"OwnerId": "111122223333",
"PosixUser": {
"Gid": 4,
"Uid": 22
},
"RootDirectory": {
"CreationInfo": {
"OwnerGid": 0,
"OwnerUid": 11,
"Permissions": "775"
},
"Path": "/efs/mobileapp/east",
},
"Tags": []
}
```
**Note**
If multiple requests to create access points on the same file system are sent in quick succession, and the file system is nearing the access points limit, you may experience a throttling response for these requests. This is to ensure that the file system does not exceed the stated access point quota.
# Deleting access points
When you delete an access point, any clients that are using the access point lose access to the Amazon EFS file system that it's configured for.
## Using the console
1. Open the Amazon Elastic File System console at [https://console.aws.amazon.com/efs/](https://console.aws.amazon.com/efs/).
1. In the left navigation pane, choose **Access points** to open the **Access points** page.
1. Select the access point to delete.
1. Choose **Delete**.
1. Choose **Confirm** to confirm the action and delete the access point.
## Using the AWS CLI
In the following example, the `delete-access-point` CLI command deletes the specified access point. The equivalent API command is [DeleteAccessPoint](API_DeleteAccessPoint.md). If the command is successful, the service returns an HTTP 204 response with an empty HTTP body.
```
aws efs delete-access-point --access-point-id fsap-092e9f80b3fb5e6f3 --client-token 010102020-3
```
# Tagging EFS resources
To help you manage your EFS resources, you can assign your own metadata to each resource in the form of *tags*. With tags, you can categorize your AWS resources in different ways, for example, by purpose, owner, or environment. This categorization is useful when you have many resources of the same type—you can quickly identify a specific resource based on the tags that you've assigned to it. This topic describes tags and shows you how to create them.
## Tag basics
A tag is a label that you assign to an AWS resource. Each tag consists of a key and an optional value, both of which you define.
Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment. For example, you could define a set of tags for your account's Amazon EFS file systems that helps you track each file system's owner.
We recommend that you devise a set of tag keys that meets your needs for each resource type. Using a consistent set of tag keys makes it easier for you to manage your resources. You can search and filter the resources based on the tags you add.
Tags don't have any semantic meaning to Amazon EFS and are interpreted strictly as a string of characters. Also, tags are not automatically assigned to your resources. You can edit tag keys and values, and you can remove tags from a resource at any time. You can set the value of a tag to an empty string, but you can't set the value of a tag to null. If you add a tag that has the same key as an existing tag on that resource, the new value overwrites the old value. If you delete a resource, any tags for the resource are also deleted.
## Tag restrictions
The following basic restrictions apply to tags:
+ Maximum number of tags per resource – 50
+ For each resource, each tag key must be unique, and each tag key can have only one value.
+ Maximum key length – 128 Unicode characters in UTF-8
+ Maximum value length – 256 Unicode characters in UTF-8
+ Although Amazon EFS allows for any character in its tags, other services are more restrictive. The allowed characters across services are: letters, numbers, and spaces representable in UTF-8, and the following characters: \$1 - = . \$1 : / @.
+ Tag keys and values are case-sensitive.
+ The `aws:` prefix is reserved for AWS use. If a tag has a tag key with this prefix, then you can't edit or delete the tag's key or value. Tags with the `aws:` prefix do not count against your tags per resource limit.
You can't update or delete a resource based solely on its tags; you must specify the resource identifier. For example, to delete file systems that you tagged with a tag key called `DeleteMe`, you must use the `DeleteFileSystem` action with the resource identifiers of the file system, such as `fs-1234567890abcdef0`.
When you tag public or shared resources, the tags that you assign are available only to your AWS account. No other AWS account will have access to those tags. For tag-based access control to shared resources, each AWS account must assign its own set of tags to control access to the resource.
You can tag Amazon EFS file system and access point resources.
## Using tags for access control
You can use tags to control access to Amazon EFS resources and to implement attribute-based access control (ABAC).
**Note**
Replication does not support using tags for attribute-based access control (ABAC).
## Tag your resources
You can tag Amazon EFS file system and access point resources that already exist in your account.
### Using the console
+ You can use the Amazon EFS console to apply tags to existing resources by using the **Tags** tab on the resource details screen. In the Amazon EFS console, you can specify tags for a resource when you create the resource. For example, you can add a tag with a key of `Name` and a value that you specify.
In most cases, the console applies the tags immediately after the resource is created (rather than during resource creation). Although the console organizes resources according to the `Name` tag, this tag doesn't have any semantic meaning to the Amazon EFS service.
### Using the AWS CLI
+ If you're using the Amazon EFS API, the AWS CLI, or an AWS SDK, you can use the `TagResource` EFS API action to apply tags to existing resources. Additionally, some resource-creating actions enable you to specify tags for a resource when the resource is created.
The AWS CLI commands for managing tags, and the equivalent Amazon EFS API actions, are listed in the following table.
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/efs/latest/ug/manage-fs-tags.html)
# Tutorial: Creating writable per-user subdirectories
After you create an EFS file system and mount it locally on your Amazon EC2 (EC2) instance, it exposes an empty directory called the *file system root*. One common use case for this file system root directory is to create a "writable" subdirectory for each user you create on the EC2 instance and mount the subdirectory on the user's home directory. All files and subdirectories the user creates in their home directory are then created on the EFS file system.
**Note**
You can follow the [Getting started](getting-started.md) exercise to create and mount an EFS file system on your EC2 instance.
In the following steps, you create a user, create a subdirectory for the user, make the user the owner of the subdirectory, and then mount the Amazon EFS subdirectory on the user's home directory.
1. Create user mike:
1. Log in to your EC2 instance. Using root privileges (in this case, using the `sudo` command), create the user and assign a password.
For example, the following command creates the user `mike`.
```
$ sudo useradd -c "Mike Smith" mike
$ sudo passwd mike
```
A home directory is also created for the user. For example, `/home/mike`.
1. Create a subdirectory under *EFSroot* for the user.
For example, the following command creates subdirectory `mike` under *EFSroot*.
```
$ sudo mkdir /EFSroot/mike
```
You will need to replace *EFSroot* with your local directory name.
1. The root user and root group are the owners of the subdirectory (you can verify this by using the `ls -l` command). To enable full permissions for the user on this subdirectory, grant ownership of the directory to the user.
For example:
```
$ sudo chown mike:mike /EFSroot/mike
```
1. Use the `mount` command to mount the subdirectory onto the user's home directory.
For example:
```
$ sudo mount -t nfs -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport mount-target-DNS:/mike /home/mike
```
The *mount-target-DNS* address identifies the remote EFS file system root.
If you unmount this mount target, the user can't access the directory without remounting, which requires root permissions.