Replicating EFS file systems across AWS accounts - Amazon Elastic File System

Replicating EFS file systems across AWS accounts

You can replicate EFS file systems across AWS accounts. Replicating across accounts enhances the overall resilience and reliability of your disaster recovery (DR) strategies and can help you meet corporate compliance mandates.

For example, you might be required by compliance policies to use different accounts for different environments (such as production, staging, and DR). Or you may find that replication across different AWS accounts provides stronger isolation, more granular control over permissions and access policies, and more straightforward auditing of resources. If the production account is compromised (for example, by a security breach, a misconfiguration, or an insider threat), keeping the DR file systems in a separate account can prevent the attacker from reaching them, reduce the blast radius of the incident, and minimize the risk of unauthorized changes.

Replicating across AWS accounts requires additional security and policy setup. You must create an IAM role on the source account that gives Amazon EFS permission to perform replication in the destination account. You also need to create policies on the file systems that you want to share across accounts. After the IAM role and file system policies are created, you create the replication configuration.

Create an IAM role with a custom trust policy

For Amazon EFS to perform cross-account replication on the source account’s behalf, an IAM role must be created in the source account. The role’s trust policy must allow the elasticfilesystem.amazonaws.com service principal to assume it, so that Amazon EFS can act with the role’s permissions. The role must contain all of the IAM permissions required to perform replication (see Required IAM permissions) and grant explicit permission to replicate to the file system in the destination account.

Prerequisites

You must create both the source file system and the destination file system in the replication configuration before you can create the IAM role for the source account. You must know and provide the ARN for each file system.

To create the IAM role for cross-account replication

The following are the general steps for creating an IAM role with custom trust policies for cross-account replication with Amazon EFS. For step-by-step instructions for creating an IAM role, see Create a role using custom trust policies in the AWS Identity and Access Management User Guide.

  1. In the AWS Identity and Access Management console for the source account, create an IAM role that uses the following trust policy.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "elasticfilesystem.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  2. After you have created the role, assign the following permissions for the role. Replace DESTINATION_FILE_SYSTEM_ARN with the ARN of the destination file system and replace SOURCE_FILE_SYSTEM_ARN with the ARN of the source file system. For instructions on assigning permissions to the role, see Creating policies using the JSON editor.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "elasticfilesystem:DescribeFileSystems",
            "elasticfilesystem:CreateReplicationConfiguration",
            "elasticfilesystem:DescribeReplicationConfigurations",
            "elasticfilesystem:DeleteReplicationConfiguration",
            "elasticfilesystem:ReplicationWrite"
          ],
          "Resource": "DESTINATION_FILE_SYSTEM_ARN"
        },
        {
          "Effect": "Allow",
          "Action": [
            "elasticfilesystem:ReplicationRead",
            "elasticfilesystem:DescribeFileSystems"
          ],
          "Resource": "SOURCE_FILE_SYSTEM_ARN"
        }
      ]
    }
  3. Copy or write down the ARN for the IAM role. You need to provide the ARN when you create the replication configuration.

Create policies on the source and destination file systems

To share file systems cross-account in Amazon EFS, you must assign policies to both the destination and source file systems. The policies grant or restrict access across accounts to the file system to which they are applied. Only account owners with permission to edit file systems can assign policies to the file system in their account.

Note

To replicate across AWS accounts, you must first create both the destination and source file systems. Amazon EFS cannot create the destination file system for you during replication.

Policy for the destination file system

To allow the source account to replicate to the destination file system and to delete the replication configuration from the destination account, the following policy must be created on the destination file system. Replace SOURCE_ACCOUNT_ROOT with the ID of the account that owns the source file system, and replace DESTINATION_FILE_SYSTEM_ARN with the ARN of the destination file system.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Permissions for source account calls",
      "Effect": "Allow",
      "Principal": {
        "AWS": "SOURCE_ACCOUNT_ROOT"
      },
      "Action": [
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:CreateReplicationConfiguration",
        "elasticfilesystem:DescribeReplicationConfigurations",
        "elasticfilesystem:DeleteReplicationConfiguration",
        "elasticfilesystem:ReplicationWrite"
      ],
      "Resource": "DESTINATION_FILE_SYSTEM_ARN"
    }
  ]
}

Policy for the source file system

To allow the destination account to delete the replication configuration from the source account, you must assign the following policy to the source file system. Replace DESTINATION_ACCOUNT_ROOT with the ID of the account that owns the destination file system, and replace SOURCE_FILE_SYSTEM_ARN with the ARN of the source file system.

{
  "Version": "2012-10-17",
  "Id": "efs-policy",
  "Statement": [
    {
      "Sid": "Permission to delete the replication by the destination account",
      "Effect": "Allow",
      "Principal": {
        "AWS": "DESTINATION_ACCOUNT_ROOT"
      },
      "Action": "elasticfilesystem:DeleteReplicationConfiguration",
      "Resource": "SOURCE_FILE_SYSTEM_ARN"
    }
  ]
}

To create the file system policy

Perform the following steps for both the destination and source file system, using the policies in the previous section.

  1. Sign in to the AWS Management Console with the account that owns the file system, and then open the Amazon EFS console at https://console.aws.amazon.com/efs/.

  2. Open the file system:

    1. In the left navigation pane, choose File systems.

    2. In the File systems list, choose the file system.

  3. On the File system policy tab, choose Edit.

  4. Paste the policy into the JSON Policy editor, and then choose Save.
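The four documents above (role trust policy, role permissions, destination file system policy, source file system policy) share the same two file system ARNs and two account IDs, and a mismatch between a placeholder and the ARN it belongs to is an easy mistake to make. As an added example that is not part of the AWS documentation, the following Python builds all four documents from the source and destination file system ARNs, deriving the account IDs from the ARNs so the SOURCE_ACCOUNT_ROOT and DESTINATION_ACCOUNT_ROOT values cannot disagree with them, and checks that no statement grants a wildcard Principal, Resource or Action. The function names and the sample ARNs are assumptions made for this example.

```python
import re

EFS_SERVICE = "elasticfilesystem.amazonaws.com"
# arn:PARTITION:elasticfilesystem:REGION:ACCOUNT:file-system/fs-ID; group 1 is the account ID
FS_ARN = re.compile(r"^arn:aws[\w-]*:elasticfilesystem:[\w-]+:(\d{12}):file-system/fs-[0-9a-f]+$")
DEST_ACTIONS = ["elasticfilesystem:" + a for a in (
    "DescribeFileSystems", "CreateReplicationConfiguration", "DescribeReplicationConfigurations",
    "DeleteReplicationConfiguration", "ReplicationWrite")]
SRC_ACTIONS = ["elasticfilesystem:ReplicationRead", "elasticfilesystem:DescribeFileSystems"]


def account_of(fs_arn):
    """Return the 12-digit account ID embedded in an EFS file system ARN."""
    m = FS_ARN.match(fs_arn)
    if not m:
        raise ValueError(f"not an EFS file system ARN: {fs_arn}")
    return m.group(1)


def allow(**fields):  # one Allow statement with the given fields
    return {"Effect": "Allow", **fields}


def build_policies(source_arn, destination_arn):
    """Return the guide's four policy documents, keyed by where each one is attached."""
    src_acct, dst_acct = account_of(source_arn), account_of(destination_arn)
    if src_acct == dst_acct:
        raise ValueError("cross-account replication needs two different accounts")
    return {
        "role_trust": {"Version": "2012-10-17", "Statement": [
            allow(Principal={"Service": EFS_SERVICE}, Action="sts:AssumeRole")]},
        "role_permissions": {"Version": "2012-10-17", "Statement": [
            allow(Action=DEST_ACTIONS, Resource=destination_arn),
            allow(Action=SRC_ACTIONS, Resource=source_arn)]},
        "destination_fs_policy": {"Version": "2012-10-17", "Statement": [
            allow(Sid="Permissions for source account calls", Principal={"AWS": src_acct},
                  Action=DEST_ACTIONS, Resource=destination_arn)]},
        "source_fs_policy": {"Version": "2012-10-17", "Id": "efs-policy", "Statement": [
            allow(Sid="Permission to delete the replication by the destination account",
                  Principal={"AWS": dst_acct}, Resource=source_arn,
                  Action="elasticfilesystem:DeleteReplicationConfiguration")]},
    }


def is_scoped(policy):
    """False if any statement has a wildcard Principal/Resource/Action or an action outside EFS/AssumeRole."""
    for st in policy["Statement"]:
        principal = st.get("Principal", {})
        targets = [st.get("Resource", "")] + list(principal.values() if isinstance(principal, dict) else [principal])
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if any("*" in str(t) for t in targets + actions) or not all(
                a.startswith(("elasticfilesystem:", "sts:AssumeRole")) for a in actions):
            return False
    return True
```

Run is_scoped over a policy before pasting it into the console; a False result means a principal, resource or action was widened beyond what the guide's documents grant.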

Create the replication configuration

After you have created the IAM role and added the file system policies to the source and destination file systems, follow the instructions in Configuring replication to an existing EFS file system to create the replication configuration.