Resource-based policy examples for Amazon EFS

In this section, you can find example file system policies that grant or deny permissions for various Amazon EFS actions. Amazon EFS file system policies have a 20,000 character limit. For information about the elements of a resource-based policy, see Resource-based policies within Amazon EFS.

Important

If you grant permission to an individual IAM user or role in a file system policy, don't delete or recreate that user or role while the policy is in effect on the file system. If this happens, that user or role is effectively locked out of the file system and will not be able to access it. For more information, see Specifying a Principal in the IAM User Guide.

For information about how to create a file system policy, see Creating file system policies.

Example: Grant read and write access to a specific AWS role

In this example, the EFS file system policy has the following characteristics:

  • The effect is Allow.

  • The principal is set to the Testing_Role in the AWS account.

  • The actions are ClientMount (read) and ClientWrite.

  • The condition for granting permissions is set to AccessedViaMountTarget.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/Testing_Role"
      },
      "Action": [
        "elasticfilesystem:ClientWrite",
        "elasticfilesystem:ClientMount"
      ],
      "Resource": "arn:aws:elasticfilesystem:us-east-2:111122223333:file-system/fs-1234abcd",
      "Condition": {
        "Bool": {
          "elasticfilesystem:AccessedViaMountTarget": "true"
        }
      }
    }
  ]
}

Example: Grant read-only access

The following file system policy grants only ClientMount (read-only) permission to the EfsReadOnly IAM role.

{
  "Id": "read-only-example-policy02",
  "Statement": [
    {
      "Sid": "efs-statement-example02",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/EfsReadOnly"
      },
      "Action": [
        "elasticfilesystem:ClientMount"
      ],
      "Resource": "arn:aws:elasticfilesystem:us-east-2:111122223333:file-system/fs-12345678"
    }
  ]
}

To learn how to set additional file system policies, including denying root access to all IAM principals, except for a specific management workstation, see Enable root squashing using IAM authorization for NFS clients.

Example: Grant access to an EFS access point

You use an EFS access point to provide an NFS client with an application-specific view into shared file-based datasets on an EFS file system. You grant the access point permissions on the file system using a file system policy.

This file system policy example uses a Condition element to grant full access to the file system only through a specific access point, which is identified by its ARN.

For more information about using EFS access points, see Working with Amazon EFS access points.

{
  "Id": "access-point-example03",
  "Statement": [
    {
      "Sid": "access-point-statement-example03",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::555555555555:role/EfsAccessPointFullAccess"
      },
      "Action": "elasticfilesystem:Client*",
      "Resource": "arn:aws:elasticfilesystem:us-east-2:111122223333:file-system/fs-12345678",
      "Condition": {
        "StringEquals": {
          "elasticfilesystem:AccessPointArn": "arn:aws:elasticfilesystem:us-east-2:555555555555:access-point/fsap-12345678"
        }
      }
    }
  ]
}
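To see how the three policies above behave for a given request, the following Python script is an added example (not AWS code and not how the EFS service itself evaluates policies). It implements a deliberately reduced model of IAM policy evaluation: one resource-based policy, AWS principals given as full role ARNs, Action and Resource wildcards, and the Bool and StringEquals condition operators used by the read/write example (AccessedViaMountTarget) and the access point example (AccessPointArn). Identity-based policies, NotPrincipal/NotAction, the ...IfExists operators, account-ID principal shorthand and case-insensitive condition keys are assumptions it leaves out; the evaluate and within_size_limit function names are this example's own.

```python
"""Reduced-model evaluator for the EFS file system policies on this page.

Added example, not AWS code. Explicit Deny beats Allow; no matching
statement is an implicit deny. A condition whose key is absent from the
request context fails (no ...IfExists handling). Identity-based policies,
NotPrincipal/NotAction/NotResource and key case-folding are not modelled.
"""
import fnmatch
import json

EFS_POLICY_CHAR_LIMIT = 20_000  # character limit stated on the page

FS_RW = "arn:aws:elasticfilesystem:us-east-2:111122223333:file-system/fs-1234abcd"
FS_RO = "arn:aws:elasticfilesystem:us-east-2:111122223333:file-system/fs-12345678"
ACCESS_POINT = "arn:aws:elasticfilesystem:us-east-2:555555555555:access-point/fsap-12345678"

# The three policies from the page, transcribed as Python dicts.
READ_WRITE_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/Testing_Role"},
    "Action": ["elasticfilesystem:ClientWrite", "elasticfilesystem:ClientMount"],
    "Resource": FS_RW,
    "Condition": {"Bool": {"elasticfilesystem:AccessedViaMountTarget": "true"}},
}]}

READ_ONLY_POLICY = {"Id": "read-only-example-policy02", "Statement": [{
    "Sid": "efs-statement-example02",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/EfsReadOnly"},
    "Action": ["elasticfilesystem:ClientMount"],
    "Resource": FS_RO,
}]}

ACCESS_POINT_POLICY = {"Id": "access-point-example03", "Statement": [{
    "Sid": "access-point-statement-example03",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::555555555555:role/EfsAccessPointFullAccess"},
    "Action": "elasticfilesystem:Client*",
    "Resource": FS_RO,
    "Condition": {"StringEquals": {"elasticfilesystem:AccessPointArn": ACCESS_POINT}},
}]}


def _as_list(value):
    """Most IAM policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    """Match '*' or an exact AWS principal ARN (account shorthand not modelled)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", caller_arn) for p in _as_list(principal.get("AWS", [])))
    return False


def _conditions_hold(condition, context):
    """Every operator/key pair must be satisfied by the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # missing key: condition fails
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if str(actual) not in [str(e) for e in _as_list(expected)]:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policy, caller_arn, action, resource, context=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], caller_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit deny cannot be overridden by an Allow
        decision = "Allow"
    return decision


def within_size_limit(policy):
    """EFS rejects file system policies longer than 20,000 characters."""
    return len(json.dumps(policy)) <= EFS_POLICY_CHAR_LIMIT


if __name__ == "__main__":
    role = "arn:aws:iam::111122223333:role/Testing_Role"
    via_mount_target = {"elasticfilesystem:AccessedViaMountTarget": "true"}
    print(evaluate(READ_WRITE_POLICY, role, "elasticfilesystem:ClientWrite", FS_RW, via_mount_target))
    print(evaluate(READ_WRITE_POLICY, role, "elasticfilesystem:ClientWrite", FS_RW))
```

Running the script shows the effect of the conditions: Testing_Role gets ClientWrite only when the request context carries AccessedViaMountTarget, and EfsAccessPointFullAccess gets the Client* actions only when AccessPointArn equals the access point named in the policy; any other access point, principal or action falls through to an implicit deny.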