AWS managed policies for Amazon EFS - Amazon Elastic File System

AWS managed policies for Amazon EFS

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see AWS managed policies in the IAM User Guide.

AWS managed policy: AWSServiceRoleForAmazonElasticFileSystem

Amazon EFS uses the service-linked role named AWSServiceRoleForAmazonElasticFileSystem to allow Amazon EFS to manage AWS resources on your behalf. This role trusts the elasticfilesystem.amazonaws.com service to assume the role. For more information, see Using service-linked roles for Amazon EFS.

AWS managed policy: AmazonElasticFileSystemFullAccess

You can attach the AmazonElasticFileSystemFullAccess policy to your IAM identities.

This policy grants administrative permissions that allow full access to Amazon EFS and access to related AWS services via the AWS Management Console.

Permissions details

This policy includes the following permissions.

  • elasticfilesystem – Allows principals to perform all actions in the Amazon EFS console. It also allows principals to create (elasticfilesystem:Backup) and restore (elasticfilesystem:Restore) backups using AWS Backup.

  • cloudwatch – Allows principals to describe Amazon CloudWatch file system metrics and alarms for a metric in the Amazon EFS console.

  • ec2 – Allows principals to create, delete, and describe network interfaces, describe and modify network interface attributes, describe Availability Zones, security groups, subnets, virtual private clouds (VPCs) and VPC attributes associated with an Amazon EFS file system in the Amazon EFS console.

  • kms – Allows principals to list aliases for AWS Key Management Service (AWS KMS) keys and to describe KMS keys in the Amazon EFS console.

  • iam – Grants permission to create a service linked role that allows Amazon EFS to manage AWS resources on the user's behalf.

  • iam:PassRole – Grants permission to pass an IAM role to Amazon EFS.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "ElasticFileSystemFullAccess", "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarmsForMetric", "cloudwatch:GetMetricData", "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:DescribeAvailabilityZones", "ec2:DescribeNetworkInterfaceAttribute", "ec2:DescribeNetworkInterfaces", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcAttribute", "ec2:DescribeVpcs", "ec2:ModifyNetworkInterfaceAttribute", "elasticfilesystem:CreateFileSystem", "elasticfilesystem:CreateMountTarget", "elasticfilesystem:CreateTags", "elasticfilesystem:CreateAccessPoint", "elasticfilesystem:CreateReplicationConfiguration", "elasticfilesystem:DeleteFileSystem", "elasticfilesystem:DeleteMountTarget", "elasticfilesystem:DeleteTags", "elasticfilesystem:DeleteAccessPoint", "elasticfilesystem:DeleteFileSystemPolicy", "elasticfilesystem:DeleteReplicationConfiguration", "elasticfilesystem:DescribeAccountPreferences", "elasticfilesystem:DescribeBackupPolicy", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeFileSystemPolicy", "elasticfilesystem:DescribeLifecycleConfiguration", "elasticfilesystem:DescribeMountTargets", "elasticfilesystem:DescribeMountTargetSecurityGroups", "elasticfilesystem:DescribeTags", "elasticfilesystem:DescribeAccessPoints", "elasticfilesystem:DescribeReplicationConfigurations", "elasticfilesystem:ModifyMountTargetSecurityGroups", "elasticfilesystem:PutAccountPreferences", "elasticfilesystem:PutBackupPolicy", "elasticfilesystem:PutLifecycleConfiguration", "elasticfilesystem:PutFileSystemPolicy", "elasticfilesystem:UpdateFileSystem", "elasticfilesystem:UpdateFileSystemProtection", "elasticfilesystem:TagResource", "elasticfilesystem:UntagResource", "elasticfilesystem:ListTagsForResource", "elasticfilesystem:Backup", "elasticfilesystem:Restore", "elasticfilesystem:ReplicationRead", "elasticfilesystem:ReplicationWrite", "kms:DescribeKey", "kms:ListAliases" ], "Resource": "*" }, { "Sid": "CreateServiceLinkedRoleForEFS", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": [ "elasticfilesystem.amazonaws.com" ] } } }, { "Sid": "IAMPassRoleAccessForEFS", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/*", "Condition": { "StringLike": { "iam:PassedToService": "elasticfilesystem.amazonaws.com" } } } ] }

AWS managed policy: AmazonElasticFileSystemReadOnlyAccess

You can attach the AmazonElasticFileSystemReadOnlyAccess policy to your IAM identities.

This policy grants read only access to Amazon EFS via the AWS Management Console.

Permissions details

This policy includes the following permissions.

  • elasticfilesystem – Allows principals to describe attributes of Amazon EFS file systems, including account preferences, backup and file system policies, lifecycle configuration, mount targets and their security groups, tags, and access points in the Amazon EFS console.

  • cloudwatch – Allows principals to retrieve CloudWatch metrics and describe alarms for metrics in the Amazon EFS console.

  • ec2 – Allows principals to view Availability Zones, network interfaces and their attributes, security groups, subnets, VPCs and their attributes in the Amazon EFS console.

  • kms – Allows principals to list aliases for AWS KMS keys in the Amazon EFS console.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "ElasticFileSystemReadOnlyAccess", "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarmsForMetric", "cloudwatch:GetMetricData", "ec2:DescribeAvailabilityZones", "ec2:DescribeNetworkInterfaceAttribute", "ec2:DescribeNetworkInterfaces", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcAttribute", "ec2:DescribeVpcs", "elasticfilesystem:DescribeAccountPreferences", "elasticfilesystem:DescribeBackupPolicy", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeFileSystemPolicy", "elasticfilesystem:DescribeLifecycleConfiguration", "elasticfilesystem:DescribeMountTargets", "elasticfilesystem:DescribeMountTargetSecurityGroups", "elasticfilesystem:DescribeTags", "elasticfilesystem:DescribeAccessPoints", "elasticfilesystem:DescribeReplicationConfigurations", "elasticfilesystem:ListTagsForResource", "elasticfilesystem:ReplicationRead", "kms:ListAliases" ], "Resource": "*" } ] }

AWS managed policy: AmazonElasticFileSystemClientReadWriteAccess

You can attach the AmazonElasticFileSystemClientReadWriteAccess policy to an IAM entity.

This policy grants read and write client access to an Amazon EFS file system. This policy allows NFS clients to mount, read and write to Amazon EFS file systems.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite", "elasticfilesystem:DescribeMountTargets" ], "Resource": "*" } ] }

Amazon EFS updates to AWS managed policies

View details about updates to AWS managed policies for Amazon EFS since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon EFS Document history page.

Change Description Date
Update to an existing policy

Policy: AmazonElasticFileSystemFullAccess

Amazon EFS added the following:

  • ReplicationRead and ReplicationWrite to give permission to read and write file system data for replication.

  • iam:PassRole to give permission for Amazon EFS to create replication configurations.

November 7, 2024
Update to an existing policy

Policy: AmazonElasticFileSystemServiceRolePolicy

Amazon EFS added ReplicationRead and ReplicationWrite to give permission to read and write file system data for replication.

November 7, 2024
Update to an existing policy Policy: AmazonElasticFileSystemReadOnlyAccess

Amazon EFS added the ReplicationRead action to give permission to read file system data for replication.

November 7, 2024

Update to an existing policy

Policy: AmazonElasticFileSystemReadOnlyAccess

Amazon EFS added new permissions that give source and destination accounts access to file systems for cross-account replications.

August 7, 2024

Update to an existing policy

Policy: AmazonElasticFileSystemFullAccess

Amazon EFS added a new permission to allow principals to disable and enable protection on a file system. The permissions are required to allow Amazon EFS to replicate to an existing file system.

November 27, 2023

Update to an existing policy

Policy: AmazonElasticFileSystemServiceRolePolicy

Amazon EFS added new permissions to allow principals to create, describe, and delete Amazon EFS replications, and to create Amazon EFS file systems. The permissions are required to allow Amazon EFS to manage files system replication configurations on the user's behalf.

January 25, 2022

Update to an existing policy

Policy: AmazonElasticFileSystemReadOnlyAccess

Amazon EFS added a new permission to allow principals to describe Amazon EFS replications. The permissions are required to allow users to view files system replication configurations.

January 25, 2022
Update to an existing policy

Policy: AmazonElasticFileSystemFullAccess

Amazon EFS added new permissions to allow principals to create, describe, and delete Amazon EFS replications. The permissions are required to allow users to manage files system replication configurations.

January 25, 2022

Started tracking policy

Policy: AmazonElasticFileSystemClientReadWriteAccess

Grants read and write privileges on Amazon EFS file systems to NFS clients.

January 3, 2022

Started tracking policy

Policy: AmazonElasticFileSystemServiceRolePolicy

The service-linked role permissions for Amazon EFS.

October 8, 2021

Update to an existing policy

Policy: AmazonElasticFileSystemFullAccess

Amazon EFS added new permissions to allow principals to modify and describe Amazon EFS account preferences. The permissions are required to allow users to view and set account preferences settings in the Amazon EFS console.

May 7, 2021

Update to an existing policy

Policy: AmazonElasticFileSystemReadOnlyAccess

Amazon EFS added new permissions to allow principals to describe Amazon EFS account preferences. The permissions are required to allow users to view account preferences settings in the Amazon EFS console.

May 7, 2021

Amazon EFS started tracking changes

Amazon EFS started tracking changes for its AWS managed policies.

May 7, 2021