Amazon Elastic File System User Guide Service

Amazon Elastic File System
User Guide
Copyright © 2017 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.
Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner
that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not
owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by
Amazon.
Table of Contents
What Is Amazon Elastic File System?
Are you a first-time user of Amazon EFS?
How it Works
Overview
How Amazon EFS Works with Amazon EC2
How Amazon EFS Works with AWS Direct Connect
Implementation Summary
Authentication and Access Control
Data Consistency in Amazon EFS
Setting Up
Sign up for AWS
Create an IAM User
Getting Started
Assumptions
Related Topics
Step 1: Create Your EC2 Resources and Launch Your EC2 Instance
Step 2: Create Your Amazon EFS File System
Step 3: Connect to Your Amazon EC2 Instance and Mount the Amazon EFS File System
Step 4: Sync Files from Existing File Systems to Amazon EFS Using EFS File Sync
Step 5: Clean Up Resources and Protect Your AWS Account
Creating Resources for Amazon EFS
Creating File Systems
Requirements
Permissions Required
Creating a File System
Creating Mount Targets
Creating a Mount Target Using the Amazon EFS console
Creating a Mount Target using the AWS CLI
Creating Security Groups
Creating Security Groups Using the AWS Management Console
Creating Security Groups Using the AWS CLI
Using File Systems
Related Topics
NFS-Level Users, Groups, and Permissions
Example Amazon EFS File System Use Cases and Permissions
User and group ID permissions on files and directories within a file system
No Root Squashing
Permissions Caching
Changing File System Object Ownership
Amazon EFS File Sync
Requirements for EFS File Sync
EFS File Sync Architecture
Managing File Systems
Managing Network Accessibility
Creating or Deleting Mount Targets in a VPC
Creating Mount Targets in Another VPC
Updating the Mount Target Configuration
Managing Tags
Using the Console
Using the AWS CLI
Metering File System and Object Sizes
Metering Amazon EFS File System Objects
Metering an Amazon EFS File System
Managing EFS File Sync
Deleting a Sync Agent
Deleting a Sync Task
Understanding Sync Agent Status
Understanding Sync Task Status
Performing Tasks on the EFS File Sync VM Local Console
Performing Maintenance Tasks on the file sync on Amazon EC2 Local Console
Deleting a File System
Using the Console
Using the CLI
Related Topics
Managing Access to Encrypted File Systems
Performing Administrative Actions on Amazon EFS Customer Master Keys
Related Topics
Mounting File Systems
NFS Support
Troubleshooting AMI/Kernel Versions
Installing the NFS Client
Mounting on Amazon EC2 with a DNS Name
Mounting on On-Premises Servers with a DNS Name
Mounting with an IP Address
Mounting Automatically
Updating an Existing EC2 Instance to Mount Automatically
Configuring an EFS File System to Mount Automatically at EC2 Instance Launch
Additional Mounting Considerations
Unmounting File Systems
Monitoring File Systems
Monitoring Tools
Automated Tools
Manual Monitoring Tools
Monitoring CloudWatch
Amazon CloudWatch Metrics for Amazon EFS
Bytes Reported in CloudWatch
Amazon EFS Dimensions
How Do I Use Amazon EFS Metrics?
Monitoring EFS File Sync
Access CloudWatch Metrics
Creating Alarms
Logging Amazon EFS API Calls with AWS CloudTrail
Amazon EFS Information in CloudTrail
Understanding Amazon EFS Log File Entries
Amazon EFS Log File Entries for Encrypted File Systems
Performance
Performance Overview
Amazon EFS Use Cases
Big Data and Analytics
Media Processing Workflows
Content Management and Web Serving
Home Directories
File System Syncing to Amazon EFS
Performance Modes
General Purpose Performance Mode
Max I/O Performance Mode
Using the Right Performance Mode
Bursting
Managing Burst Credits
On-Premises Performance Considerations
Architecting for High Availability
Amazon EFS Performance Tips
Related Topics
Security
AWS Identity and Access Management (IAM) Permissions for API Calls
Security Groups for Amazon EC2 Instances and Mount Targets
Security Considerations for Mounting an Amazon EFS File System
Read, Write, and Execute Permissions for EFS Files and Directories
Encrypting Data and Metadata at Rest in EFS
When to Use Encryption
Encrypting a File System Using the Console
How Encryption Works with Amazon EFS
Related Topics
Limits
Amazon EFS Limits That Can Be Increased
Resource Limits
Limits for Client EC2 Instances
Limits for Amazon EFS File Systems
Limits for EFS File Sync
Unsupported NFSv4 Features
Additional Considerations
Troubleshooting Amazon EFS
Troubleshooting General Issues
Mount Command Fails with "wrong fs type" Error Message
Mount Command Fails with "incorrect mount option" Error Message
File System Mount Fails Immediately After File System Creation
File System Mount Hangs and Then Fails with Timeout Error
File System Mount Using DNS Name Fails
Amazon EC2 Instance Hangs
Mount Target Lifecycle State Is Stuck
File System Mount on Windows Instance Fails
Application Writing Large Amounts of Data Hangs
Mount Does Not Respond
Open and Close Operations Are Serialized
Operations on Newly Mounted File System Return "bad file handle" Error
Custom NFS Settings Causing Write Delays
Creating Backups with Oracle Recovery Manager Is Slow
File Operation Errors
Command Fails with "Disk quota exceeded" Error
Command Fails with "I/O error"
Command Fails with "File name is too long" Error
Command Fails with "Too many links" Error
Command Fails with "File too large" Error
Command Fails with "Try again" Error
Troubleshooting AMI and Kernel Issues
Unable to chown
File System Keeps Performing Operations Repeatedly Due to Client Bug
Deadlocked Client
Listing Files in a Large Directory Takes a Long Time
Troubleshooting Encrypted File Systems
Encrypted File System Can't Be Created
Unusable Encrypted File System
Troubleshooting EFS File Sync
Your On-Premises Source File System Is Stuck in Mounting Status
Your Amazon EC2 Source File System Is Stuck in Mounting Status
Your Sync Task Is Stuck in Starting Status
Enabling AWS Support To Help Troubleshoot Your EFS file sync
Enabling AWS Support To Help Troubleshoot Your EC2 EFS File Sync
Walkthroughs
Walkthrough 1: Create and Mount a File System Using the AWS CLI
Before You Begin
Setting Up Tools
Step 1: Create Amazon EC2 Resources
Step 2: Create Amazon EFS Resources
Step 3: Mount and Test the File System
Step 4: Clean Up
Walkthrough 2: Set Up an Apache Web Server and Serve Files
Single EC2 Instance Serving Files
Multiple EC2 Instances Serving Files
Walkthrough 3: Create Writable Per-User Subdirectories
Automatic Remounting on Reboot
Walkthrough 4: Backup Solutions for Amazon EFS File Systems
Backing Up Amazon EFS File Systems by Using AWS Data Pipeline
Walkthrough 5: Create and Mount a File System On-Premises with AWS Direct Connect
Before You Begin
Step 1: Create Your Amazon Elastic File System Resources
Step 2: Mount the Amazon EFS File System on Your On-Premises Server
Step 3: Clean Up Resources and Protect Your AWS Account
Walkthrough 6: Enforcing Encryption on an Amazon EFS File System at Rest
Enforcing Encryption at Rest
Walkthrough 7: Sync Files from On-Premises by Using EFS File Sync
Before You Begin
Step 1: Create a Sync Agent
Step 2: Create a Sync Task
Step 3: Sync Your Source File System to Amazon EFS
Step 4: Access Your Files
Step 5: Clean Up
Walkthrough 8: Sync a File System from Amazon EC2 to Amazon EFS Using EFS File Sync
Before You Begin
Step 1: Create a Sync Agent
Step 2: Create a Sync Task
Step 3: Sync Your Source File System to Amazon EFS
Step 4: Access Your Files
Step 4: Clean Up
Authentication and Access Control
Authentication
Access Control
Overview of Managing Access
Amazon Elastic File System Resources and Operations
Understanding Resource Ownership
Managing Access to Resources
Specifying Policy Elements: Actions, Effects, and Principals
Specifying Conditions in a Policy
Using Identity-Based Policies (IAM Policies)
Permissions Required to Use the Amazon EFS Console
AWS Managed (Predefined) Policies for Amazon EFS
Customer Managed Policy Examples
Amazon EFS API Permissions Reference
Amazon EFS API
API Endpoint
API Version
Related Topics
Actions
CreateFileSystem
CreateMountTarget
CreateTags
DeleteFileSystem
DeleteMountTarget
DeleteTags
DescribeFileSystems
DescribeMountTargets
DescribeMountTargetSecurityGroups
DescribeTags
ModifyMountTargetSecurityGroups
Data Types
FileSystemDescription
FileSystemSize
MountTargetDescription
Tag
Document History
What Is Amazon Elastic File System?
Amazon Elastic File System (Amazon EFS) provides simple, scalable file storage for use with Amazon
EC2. With Amazon EFS, storage capacity is elastic, growing and shrinking automatically as you add and
remove files, so your applications have the storage they need, when they need it.
Amazon EFS has a simple web services interface that allows you to create and configure file systems
quickly and easily. The service manages all the file storage infrastructure for you, avoiding the
complexity of deploying, patching, and maintaining complex file system deployments.
Amazon EFS supports the Network File System versions 4.0 and 4.1 (NFSv4) protocol, so the applications
and tools that you use today work seamlessly with Amazon EFS. Multiple Amazon EC2 instances can
access an Amazon EFS file system at the same time, providing a common data source for workloads and
applications running on more than one instance or server.
With Amazon EFS, you pay only for the storage used by your file system. You don't need to provision
storage in advance and there is no minimum fee or setup cost. For more information, see Amazon EFS
Pricing.
The service is designed to be highly scalable, highly available, and highly durable. Amazon EFS file
systems store data and metadata across multiple Availability Zones in a region and can grow to petabyte
scale, drive high levels of throughput, and allow massively parallel access from Amazon EC2 instances to
your data.
Amazon EFS provides file system access semantics, such as strong data consistency and file locking. For
more information, see Data Consistency in Amazon EFS (p. 7).
Amazon EFS also allows you to control access to your file systems through Portable Operating System
Interface (POSIX) permissions. For more information, see Security (p. 88).
You can enable encryption when creating an Amazon EFS file system. If you do, all your data
and metadata is encrypted. For more information, see Encrypting Data and Metadata at Rest in
EFS (p. 90).
Amazon EFS is designed to provide the throughput, IOPS, and low latency needed for a broad range of
workloads. With Amazon EFS, throughput and IOPS scale as a file system grows, and file operations are
delivered with consistent, low latencies. For more information, see Amazon EFS Performance (p. 81).
Note
Using Amazon EFS with Microsoft Windows Amazon EC2 instances is not supported.
Are you a first-time user of Amazon EFS?
If you are a first-time user of Amazon EFS, we recommend you read the following sections in order:
1. For an Amazon EFS product and pricing overview, see Amazon EFS.
2. For an Amazon EFS technical overview, see Amazon EFS: How It Works (p. 3).
3. Try the introductory exercises:
Getting Started (p. 10)
Walkthroughs (p. 110)
If you would like to learn more about Amazon EFS, the following topics discuss the service in greater
detail:
Creating Resources for Amazon EFS (p. 19)
Managing Amazon EFS File Systems (p. 38)
Amazon EFS API (p. 168)
Amazon EFS: How It Works
Following, you can find a description of how Amazon EFS works, its implementation details, and
security considerations.
Topics
Overview (p. 3)
How Amazon EFS Works with Amazon EC2 (p. 4)
How Amazon EFS Works with AWS Direct Connect (p. 4)
Implementation Summary (p. 5)
Authentication and Access Control (p. 6)
Data Consistency in Amazon EFS (p. 7)
Overview
Amazon EFS provides file storage in the AWS Cloud. With Amazon EFS, you can create a file system,
mount the file system on an Amazon EC2 instance, and then read and write data to and from your
file system. You can mount an Amazon EFS file system in your VPC, through the Network File System
versions 4.0 and 4.1 (NFSv4) protocol.
For a list of Amazon EC2 Linux Amazon Machine Images (AMIs) that support this protocol, see NFS
Support (p. 62). We recommend using a current generation Linux NFSv4.1 client, such as those found
in Amazon Linux and Ubuntu AMIs. For some AMIs, you'll need to install an NFS client to mount your file
system on your Amazon EC2 instance. For instructions, see Installing the NFS Client (p. 62).
You can access your Amazon EFS file system concurrently from Amazon EC2 instances in your Amazon
VPC, so applications that scale beyond a single connection can access a file system. Amazon EC2
instances running in multiple Availability Zones within the same region can access the file system, so that
many users can access and share a common data source.
Note the following restrictions:
You can mount an Amazon EFS file system on instances in only one VPC at a time.
Both the file system and VPC must be in the same AWS Region.
For a list of AWS regions where you can create an Amazon EFS file system, see the Amazon Web Services
General Reference.
To access your Amazon EFS file system in a VPC, you create one or more mount targets in the VPC. A
mount target provides an IP address for an NFSv4 endpoint at which you can mount an Amazon EFS file
system. You mount your file system using its DNS name, which will resolve to the IP address of the EFS
mount target in the same Availability Zone as your EC2 instance. You can create one mount target in
each Availability Zone in a region. If there are multiple subnets in an Availability Zone in your VPC, you
create a mount target in one of the subnets, and all EC2 instances in that Availability Zone share that
mount target.
Mount targets themselves are designed to be highly available. When designing your application for high
availability and the ability to fail over to other Availability Zones, keep in mind that the IP addresses and
DNS for your mount targets in each Availability Zone are static.
After mounting the file system via the mount target, you use it like any other POSIX-compliant file
system. For information about NFS-level permissions and related considerations, see Network File
System (NFS)–Level Users, Groups, and Permissions (p. 30).
You can mount your Amazon EFS file systems on your on-premises datacenter servers when connected
to your Amazon VPC with AWS Direct Connect. You can mount your EFS file systems on on-premises
servers to migrate data sets to EFS, enable cloud bursting scenarios, or back up your on-premises data to
EFS.
Amazon EFS file systems can be mounted on Amazon EC2 instances, or on-premises through an AWS
Direct Connect connection.
How Amazon EFS Works with Amazon EC2
The following illustration shows an example VPC accessing an Amazon EFS file system. Here, EC2
instances in the VPC have file systems mounted.
In this illustration, the VPC has three Availability Zones, and each has one mount target created in it. We
recommend that you access the file system from a mount target within the same Availability Zone. Note
that one of the Availability Zones has two subnets. However, a mount target is created in only one of the
subnets. Creating this setup works as follows:
1. Create your Amazon EC2 resources and launch your Amazon EC2 instance. For more information on
Amazon EC2, see Amazon EC2 - Virtual Server Hosting.
2. Create your Amazon EFS file system.
3. Connect to your Amazon EC2 instance, and mount the Amazon EFS file system.
For detailed steps, see Getting Started with Amazon Elastic File System (p. 10).
How Amazon EFS Works with AWS Direct Connect
By using an Amazon EFS file system mounted on an on-premises server, you can migrate on-premises
data into the AWS Cloud hosted in an Amazon EFS file system. You can also take advantage of bursting,
meaning that you can move data from your on-premises servers into Amazon EFS, analyze it on a fleet of
Amazon EC2 instances in your Amazon VPC, and then store the results permanently in your file system or
move the results back to your on-premises server.
Keep the following considerations in mind when using Amazon EFS with AWS Direct Connect:
Your on-premises server must have a Linux-based operating system. We recommend Linux kernel
version 4.0 or later.
For the sake of simplicity, we recommend mounting an Amazon EFS file system on an on-premises
server using a mount target IP address instead of a DNS name.
AWS VPN is not supported for accessing an Amazon EFS file system from an on-premises server.
There is no additional cost for on-premises access to your Amazon EFS file systems. Note that you'll be
charged for the AWS Direct Connect connection to your Amazon VPC. For more information, see AWS
Direct Connect Pricing.
The following illustration shows an example of how to access an Amazon EFS file system from on-
premises (the on-premises servers have the file systems mounted).
You can use any one of the mount targets in your VPC as long as the subnet of the mount target is
reachable by using the AWS Direct Connect connection between your on-premises server and your
Amazon VPC. To access Amazon EFS from an on-premises server, you need to add a rule to your mount
target security group to allow inbound traffic to the NFS port (2049) from your on-premises server.
To create a setup like this, you do the following:
1. Establish an AWS Direct Connect connection between your on-premises data center and your Amazon
VPC. For more information on AWS Direct Connect, see AWS Direct Connect.
2. Create your Amazon EFS file system.
3. Mount the Amazon EFS file system on your on-premises server.
For detailed steps, see Walkthrough 5: Create and Mount a File System On-Premises with AWS Direct
Connect (p. 140).
Implementation Summary
In Amazon EFS, a file system is the primary resource. Each file system has properties such as ID, creation
token, creation time, file system size in bytes, number of mount targets created for the file system, and
the file system state. For more information, see CreateFileSystem (p. 170).
Amazon EFS also supports other resources to configure the primary resource. These include mount
targets and tags:
Mount target – To access your file system, you must create mount targets in your VPC. Each mount
target has the following properties: the mount target ID, the subnet ID in which it is created, the file
system ID for which it is created, an IP address at which the file system may be mounted, and the
mount target state. You can use the IP address or the DNS name in your mount command. Each file
system has a DNS name of the following form.
file-system-id.efs.aws-region.amazonaws.com
You can specify this DNS name in your mount command to mount the Amazon EFS file system.
Suppose you create an efs-mount-point subdirectory off of your home directory on your EC2
instance or on-premises server. Then, you can use the mount command to mount the file system. For
example, on an Amazon Linux AMI, you can use the following mount command.
$ sudo mount -t nfs -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 file-system-DNS-name:/ ~/efs-mount-point
For more information, see Creating Mount Targets (p. 23). First, you need to install the NFS client on
your EC2 instance. The Getting Started (p. 10) exercise provides step-by-step instructions.
Tags – To help organize your file systems, you can assign your own metadata to each of the file
systems you create. Each tag is a key-value pair.
You can think of mount targets and tags as subresources that don't exist without being associated with a
file system.
Amazon EFS provides API operations for you to create and manage these resources. In addition to the
create and delete operations for each resource, Amazon EFS also supports a describe operation that
enables you to retrieve resource information. You have the following options for creating and managing
these resources:
Use the Amazon EFS console – For an example, see Getting Started (p. 10).
Use the Amazon EFS command line interface (CLI) – For an example, see Walkthrough 1: Create
Amazon EFS File System and Mount It on an EC2 Instance Using the AWS CLI (p. 110).
You can also manage these resources programmatically as follows:
Use the AWS SDKs – The AWS SDKs simplify your programming tasks by wrapping the underlying
Amazon EFS API. The SDK clients also authenticate your requests by using access keys that you
provide. For more information, see Sample Code and Libraries.
Call the Amazon EFS API directly from your application – If you cannot use the SDKs for some
reason, you can make the Amazon EFS API calls directly from your application. However, you need to
write the necessary code to authenticate your requests if you use this option. For more information
about the Amazon EFS API, see Amazon EFS API (p. 168).
Authentication and Access Control
You must have valid credentials to make Amazon EFS API requests, such as creating a file system. In
addition, you must also have permissions to create or access resources. By default, when you use the root
account credentials of your AWS account you can create and access resources owned by that account.
However, we do not recommend using root account credentials. In addition, any AWS Identity and Access
Management (IAM) users and roles you create in your account must be granted permissions to create or
access resources. For more information about permissions, see Authentication and Access Control for
Amazon EFS (p. 157).
Data Consistency in Amazon EFS
Amazon EFS provides the open-after-close consistency semantics that applications expect from NFS.
In Amazon EFS, write operations will be durably stored across Availability Zones when:
An application performs a synchronous write operation (for example, using the open Linux command
with the O_DIRECT flag, or the fsync Linux command).
An application closes a file.
Amazon EFS provides stronger consistency guarantees than open-after-close semantics depending on
the access pattern. Applications that perform synchronous data access and perform non-appending
writes will have read-after-write consistency for data access.
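The two durability triggers named above (a synchronous flush and closing the file), shown as an added Python example that is not part of the guide. The helper names are hypothetical, and the example uses fsync rather than O_DIRECT.

```python
import os


def durable_write(path, data):
    """Write data and return only after fsync() and close() both succeeded.

    Per the guide, a write is durably stored across Availability Zones once
    a synchronous write completes or the file is closed. On an NFS client a
    deferred write error (for example EIO or ENOSPC) can surface at fsync()
    or close() instead of write(), so neither result is ignored here.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)
    try:
        view = memoryview(data)
        while view:                       # os.write() may write fewer bytes
            written = os.write(fd, view)
            view = view[written:]
        os.fsync(fd)                      # synchronous flush of this file
    except BaseException:
        os.close(fd)                      # release the descriptor, keep the error
        raise
    os.close(fd)                          # raises OSError if close reports a failure
    return len(data)


def read_after_close(path):
    """Reader side of open-after-close: open only after the writer has closed."""
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    import tempfile

    # Constructed demo on a local temporary directory; on an instance the
    # path would sit under the EFS mount point instead.
    target = os.path.join(tempfile.mkdtemp(), "result.bin")
    size = durable_write(target, b"analysis output\n")
    print(size, read_after_close(target))
```

A writer that signals other instances (through a queue message, for example) should send the signal only after durable_write returns, so that a reader opening the file afterwards falls under the open-after-close guarantee.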
Setting Up
Before you use Amazon EFS for the first time, complete the following tasks:
1. Sign up for AWS (p. 8)
2. Create an IAM User (p. 8)
Sign up for AWS
When you sign up for Amazon Web Services (AWS), your AWS account is automatically signed up for all
services in AWS, including Amazon EFS. You are charged only for the services that you use.
With Amazon EFS, you pay only for the storage you use. For more information about Amazon EFS usage
rates, see the Amazon Elastic File System Pricing. If you are a new AWS customer, you can get started
with Amazon EFS for free. For more information, see AWS Free Usage Tier.
If you have an AWS account already, skip to the next task. If you don't have an AWS account, use the
following procedure to create one.
To create an AWS account
1. Open https://aws.amazon.com/, and then choose Create an AWS Account.
Note
This might be unavailable in your browser if you previously signed into the AWS
Management Console. In that case, choose Sign in to a different account, and then choose
Create a new AWS account.
2. Follow the online instructions.
Part of the sign-up procedure involves receiving a phone call and entering a PIN using the phone
keypad.
Note your AWS account number, because you'll need it for the next task.
Create an IAM User
Services in AWS, such as Amazon EFS, require that you provide credentials when you access them, so
that the service can determine whether you have permissions to access its resources. AWS recommends
that you do not use the root credentials of your AWS account to make requests. Instead, create an IAM
user, and grant that user full access. We refer to these users as administrator users. You can use the
administrator user credentials, instead of root credentials of your account, to interact with AWS and
perform tasks, such as create a bucket, create users, and grant them permissions. For more information,
see Root Account Credentials vs. IAM User Credentials in the AWS General Reference and IAM Best
Practices in the IAM User Guide.
If you signed up for AWS but have not created an IAM user for yourself, you can create one using the IAM
console.
To create an IAM user for yourself and add the user to an Administrators group
1. Use your AWS account email address and password to sign in to the AWS Management Console as
the AWS account root user.
2. In the navigation pane of the console, choose Users, and then choose Add user.
3. For User name, type Administrator.
4. Select the check box next to AWS Management Console access, select Custom password, and then
type the new user's password in the text box. You can optionally select Require password reset to
force the user to select a new password the next time the user signs in.
5. Choose Next: Permissions.
6. On the Set permissions for user page, choose Add user to group.
7. Choose Create group.
8. In the Create group dialog box, type Administrators.
9. For Filter, choose Job function.
10. In the policy list, select the check box for AdministratorAccess. Then choose Create group.
11. Back in the list of groups, select the check box for your new group. Choose Refresh if necessary to
see the group in the list.
12. Choose Next: Review to see the list of group memberships to be added to the new user. When you
are ready to proceed, choose Create user.
You can use this same process to create more groups and users, and to give your users access to your
AWS account resources. To learn about using policies to restrict users' permissions to specific AWS
resources, go to Access Management and Example Policies.
To sign in as this new IAM user, sign out of the AWS Management Console, and then use the following
URL, where your_aws_account_id is your AWS account number without the hyphens (for example, if your
AWS account number is 1234-5678-9012, your AWS account ID is 123456789012):
https://your_aws_account_id.signin.aws.amazon.com/console/
Enter the IAM user name and password that you just created. When you're signed in, the navigation bar
displays your_user_name@your_aws_account_id.
If you don't want the URL for your sign-in page to contain your AWS account ID, you can create an
account alias. From the IAM dashboard, click Create Account Alias and enter an alias, such as your
company name. To sign in after you create an account alias, use the following URL:
https://your_account_alias.signin.aws.amazon.com/console/
To verify the sign-in link for IAM users for your account, open the IAM console and check under AWS
Account Alias on the dashboard.
Getting Started with Amazon Elastic File System
Topics
Assumptions (p. 10)
Related Topics (p. 11)
Step 1: Create Your EC2 Resources and Launch Your EC2 Instance (p. 11)
Step 2: Create Your Amazon EFS File System (p. 15)
Step 3: Connect to Your Amazon EC2 Instance and Mount the Amazon EFS File System (p. 16)
Step 4: Sync Files from Existing File Systems to Amazon EFS Using EFS File Sync (p. 17)
Step 5: Clean Up Resources and Protect Your AWS Account (p. 18)
This Getting Started exercise shows you how to quickly create an Amazon Elastic File System (Amazon
EFS) file system, mount it on an Amazon Elastic Compute Cloud (Amazon EC2) instance in your VPC, and
test the end-to-end setup.
There are four steps you need to perform to create and use your first Amazon EFS file system:
Create your Amazon EC2 resources and launch your instance.
Create your Amazon EFS file system.
Connect to your Amazon EC2 instance and mount the Amazon EFS file system.
Clean up your resources and protect your AWS account.
Assumptions
For this exercise, we assume the following:
You're already familiar with using the Amazon EC2 console to launch instances.
Your Amazon VPC, Amazon EC2, and Amazon EFS resources are all in the same region. This guide uses
the US West (Oregon) Region (us-west-2).
You have a default VPC in the region that you're using for this Getting Started exercise. If you don't
have a default VPC, or if you want to mount your file system from a new VPC with new or existing
security groups, you can still use this Getting Started exercise as long as you configure Security Groups
for Amazon EC2 Instances and Mount Targets (p. 88).
You have not changed the default inbound access rule for the default security group.
You can use the root credentials of your AWS account to sign in to the console and try the Getting
Started exercise. However, AWS Identity and Access Management (IAM) recommends that you do not use
the root credentials of your AWS account. Instead, create an administrator user in your account and use
those credentials to manage resources in your account. For more information, see Setting Up (p. 8).
Related Topics
This guide also provides a walkthrough to perform a similar Getting Started exercise using AWS
Command Line Interface (AWS CLI) commands to make the Amazon EFS API calls. For more information,
see Walkthrough 1: Create Amazon EFS File System and Mount It on an EC2 Instance Using the AWS
CLI (p. 110).
Step 1: Create Your EC2 Resources and Launch Your EC2 Instance
Before you can launch and connect to an Amazon EC2 instance, you need to create a key pair, unless you
already have one. You can create a key pair using the Amazon EC2 console and then you can launch your
EC2 instance.
Note
Using Amazon EFS with Microsoft Windows Amazon EC2 instances is not supported.
To create a key pair
Follow the steps in Setting Up with Amazon EC2 in the Amazon EC2 User Guide for Linux Instances to
create a key pair. If you already have a key pair, you do not need to create a new one and you can use
your existing key pair for this exercise.
To launch the EC2 instance
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. Choose Launch Instance.
3. In Step 1: Choose an Amazon Machine Image (AMI), find the Amazon Linux AMI at the top of the
list and choose Select.
Note
If you choose either the AmazonLinuxAMI2016.03.0 or AmazonLinuxAMI2016.09.0
AMI when launching your Amazon EC2 instance, you don't need to install nfs-utils
because it's already included in the AMI by default.
4. In Step 2: Choose an Instance Type, choose Next: Configure Instance Details.
5. In Step 3: Configure Instance Details, choose Network, and then choose the entry for your default
VPC. It should look something like vpc-xxxxxxx (172.31.0.0/16) (default).
a. Choose Subnet, and then choose a subnet in any Availability Zone.
b. Choose Next: Add Storage.
6. Choose Next: Tag Instance.
7. Name your instance and choose Next: Configure Security Group.
8. In Step 6: Configure Security Group, review the contents of this page, ensure that Assign a security
group is set to Create a new security group, and verify that the inbound rule being created has the
following default values.
Type: SSH
Protocol: TCP
Port Range: 22
Source: Anywhere 0.0.0.0/0
Note
You can configure the EFS file system to mount on your EC2 instance automatically. For
more information, see Configuring an EFS File System to Mount Automatically at EC2
Instance Launch (p. 67).
9. Choose Review and Launch.
10. Choose Launch.
11. Select the check box for the key pair that you created, and then choose Launch Instances.
12. Choose View Instances.
13. Choose the name of the instance you just created from the list, and then choose Actions.
a. From the menu that opens, choose Networking and then choose Change Security Groups.
b. Select the check box next to the security group with the description default VPC security
group.
c. Choose Assign Security Groups.
Note
In this step, you assign your VPC's default security group to the Amazon EC2 instance. Doing
this ensures that the instance is a member of the security group that the Amazon EFS file
system mount target authorizes for connection in Step 2: Create Your Amazon EFS File
System (p. 15).
By using your VPC's default security group, with its default inbound and outbound rules,
you are potentially exposing this instance and this file system to threats from
within your VPC. Make sure that you follow Step 5: Clean Up Resources and Protect Your
AWS Account (p. 18) at the end of this Getting Started exercise to remove resources
exposed to your VPC's default security group for this example. For more information, see
Security Groups for Amazon EC2 Instances and Mount Targets (p. 88).
14. Choose your instance from the list.
15. On the Description tab, make sure that you have two entries listed next to security groups—one for
the default VPC security group and one for the security group that you created when you launched
the instance.
16. Make a note of the values listed next to VPC ID and Public DNS. You'll need those values later in this
exercise.
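An added example, not from the guide: a Python check over security group ingress rules for the exposures described in this step and in the AWS Direct Connect section (who can reach NFS port 2049 on a mount target, and SSH open to 0.0.0.0/0). The input mirrors the JSON shape of `aws ec2 describe-security-groups`; the group IDs, names, and CIDRs are constructed, and the finding codes are hypothetical.

```python
import ipaddress

NFS_PORT, SSH_PORT = 2049, 22

# Constructed sample in the shape of the "SecurityGroups" list returned by
# `aws ec2 describe-security-groups`. All IDs and addresses are placeholders.
SAMPLE_GROUPS = [
    # Default VPC security group: its default inbound rule admits all
    # traffic from members of the same group.
    {"GroupId": "sg-0000000000000000a", "GroupName": "default",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0000000000000000a"}]}]},
    # Group created by the launch wizard in this step (SSH from anywhere).
    {"GroupId": "sg-0000000000000000b", "GroupName": "launch-wizard-1",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
          "UserIdGroupPairs": []}]},
    # Mount target group that admits NFS from one on-premises server.
    {"GroupId": "sg-0000000000000000c", "GroupName": "efs-mt-onprem",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
          "IpRanges": [{"CidrIp": "192.0.2.10/32"}], "Ipv6Ranges": [],
          "UserIdGroupPairs": []}]},
    # Misconfigured group: every TCP port from anywhere.
    {"GroupId": "sg-0000000000000000d", "GroupName": "efs-mt-wide",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
          "UserIdGroupPairs": []}]},
]


def covers_port(perm, port):
    """True if an ingress permission entry admits traffic to the TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                       # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def sources(perm):
    """Yield (kind, value) for every source an ingress entry admits."""
    for rng in perm.get("IpRanges", []):
        yield "cidr", rng["CidrIp"]
    for rng in perm.get("Ipv6Ranges", []):
        yield "cidr", rng["CidrIpv6"]
    for pair in perm.get("UserIdGroupPairs", []):
        yield "group", pair["GroupId"]


def is_world(cidr):
    """True for 0.0.0.0/0 and ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(groups):
    """Return (group_id, finding_code, source) tuples for risky ingress."""
    findings = []
    for group in groups:
        gid = group["GroupId"]
        for perm in group.get("IpPermissions", []):
            for kind, value in sources(perm):
                world = kind == "cidr" and is_world(value)
                if covers_port(perm, NFS_PORT):
                    if world:
                        findings.append((gid, "NFS_OPEN_TO_WORLD", value))
                    elif kind == "group" and perm.get("IpProtocol") == "-1":
                        # Any member of the source group reaches NFS.
                        findings.append(
                            (gid, "NFS_VIA_ALL_TRAFFIC_GROUP_RULE", value))
                if covers_port(perm, SSH_PORT) and world:
                    findings.append((gid, "SSH_OPEN_TO_WORLD", value))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS):
        print(*finding)
```

The narrowly scoped on-premises rule (one /32 to port 2049) produces no finding, while the default group's self-referencing rule is reported because every instance placed in that group can reach the mount target.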
Step 2: Create Your Amazon EFS File System
In this step, you create your Amazon EFS file system.
To create your Amazon EFS file system
1. Open the Amazon EFS console at https://console.aws.amazon.com/efs/.
2. Choose Create File System.
3. Choose your default VPC from the VPC list. It has the same VPC ID that you noted at the end of Step
1: Create Your EC2 Resources and Launch Your EC2 Instance (p. 11).
4. Select the check boxes for all of the Availability Zones. Make sure that they all have the default
subnets, automatic IP addresses, and the default security groups chosen. These are your mount
targets. For more information, see Creating Mount Targets (p. 23).
5. Choose Next Step.
6. Name your file system, keep general purpose selected as your default performance mode, and
choose Next Step.
7. Choose Create File System.
8. Choose your file system from the list and make a note of the File system ID value. You'll need this
value for the next step.
Step 3: Connect to Your Amazon EC2 Instance and Mount the Amazon EFS File System
You can connect to your Amazon EC2 instance from a computer running Windows or Linux. To connect to
your Amazon EC2 instance and mount the Amazon EFS file system, you need the following information:
The Public DNS name of the Amazon EC2 instance. You made a note of this value at the end of Step 1:
Create Your EC2 Resources and Launch Your EC2 Instance (p. 11).
The File system ID value for the mount target for your Amazon EFS file system. You made a note of
this value at the end of Step 2: Create Your Amazon EFS File System (p. 15).
To connect to your Amazon EC2 instance and mount the Amazon EFS file system
1. Connect to your Amazon EC2 instance. For more information, see Connecting to Your Linux Instance
from Windows Using PuTTY or Connecting to Your Linux Instance Using SSH in the Amazon EC2 User
Guide for Linux Instances.
2. After you've connected, install the Network File System (NFS) client.
If you're using an Amazon Linux AMI or RedHat Linux AMI, install the NFS client with the following
command.
$ sudo yum -y install nfs-utils
If you're using an Ubuntu AMI, install the NFS client with the following command.
$ sudo apt-get -y install nfs-common
3. Make a directory for the mount point with the following command.
$ sudo mkdir efs
4. Mount the Amazon EFS file system to the directory that you created. Use the following command
and replace the file-system-id and aws-region placeholders with your File System ID value
and AWS Region, respectively.
$ sudo mount -t nfs -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 file-system-id.efs.aws-region.amazonaws.com:/ efs
Note
We recommend that you wait 90 seconds after creating a mount target before you mount
the file system, so that the DNS records can propagate fully in the region.
5. Change directories to the new directory that you created with the following command.
$ cd efs
6. Make a subdirectory and change the ownership of that subdirectory to your EC2 instance user. Then,
navigate to that new directory with the following commands.
$ sudo mkdir getting-started
$ sudo chown ec2-user getting-started
$ cd getting-started
7. Create a text file with the following command.
$ touch test-file.txt
8. List the directory contents with the following command.
$ ls -al
As a result, the following file is created.
-rw-rw-r-- 1 ec2-user ec2-user 0 Aug 15 15:32 test-file.txt
Step 4: Sync Files from Existing File Systems to Amazon EFS Using EFS File Sync
Now that you have created a functioning Amazon EFS file system, you can use EFS File Sync to sync
files from an existing file system to Amazon EFS. EFS File Sync can sync your file data, and file system
metadata such as ownership, time stamps, and access permissions.
In this step, we assume that you have the following:
A source NFS file system that you can sync from. This source system needs to be accessible over NFS
version 3 or version 4. The source file system can be on-premises or on Amazon EC2.
A destination Amazon EFS file system to sync to. If you don't have an Amazon EFS file system, create
one. For more information, see Getting Started with Amazon Elastic File System (p. 10).
To get started with EFS File Sync, do the following:
1. On the Amazon EFS Management Console, download and deploy a sync agent. For on-premises
deployment, the sync agent is provided as a virtual machine (VM) image for VMware ESXi. For
in-the-cloud deployment, you can create an Amazon EC2 instance from the community AMI.
2. Create a sync task and configure your source and destination file systems.
3. Start your sync task to begin syncing files from the source file system to the Amazon EFS file system.
4. Monitor your sync task on the Amazon EFS console or from Amazon CloudWatch. For more
information, see Monitoring EFS File Sync with Amazon CloudWatch (p. 75).
For more details on the EFS File Sync process, see the following:
For information about how to sync files from an on-premises file system to Amazon EFS, see
Walkthrough 7: Sync Files from an On-Premises File System to Amazon EFS by Using EFS File
Sync (p. 146).
For information about how to sync files from Amazon EC2 to Amazon EFS, see Walkthrough 8: Sync a
File System from Amazon EC2 to Amazon EFS Using EFS File Sync (p. 151).
Step 5: Clean Up Resources and Protect Your AWS Account
This guide includes walkthroughs that you can use to further explore Amazon EFS. Before you perform
this clean-up step, you can use the resources you've created and connected to in this Getting Started
exercise in those walkthroughs. For more information, see Walkthroughs (p. 110). After you have
finished the walkthroughs or if you don't want to explore the walkthroughs, you should follow these
steps to clean up your resources and protect your AWS account.
To clean up resources and protect your AWS account
1. Connect to your Amazon EC2 instance.
2. Unmount the Amazon EFS file system with the following command.
$ sudo umount efs
3. Open the Amazon EFS console at https://console.aws.amazon.com/efs/.
4. Choose the Amazon EFS file system that you want to delete from the list of file systems.
5. For Actions, choose Delete file system.
6. In the Permanently delete file system dialog box, type the file system ID for the Amazon EFS file
system that you want to delete, and then choose Delete File System.
7. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
8. Choose the Amazon EC2 instance that you want to terminate from the list of instances.
9. For Actions, choose Instance State and then choose Terminate.
10. In Terminate Instances, choose Yes, Terminate to terminate the instance that you created for this
Getting Started exercise.
11. In the navigation pane, choose Security Groups.
12. Select the name of the security group that you created for this Getting Started exercise in Step 1:
Create Your EC2 Resources and Launch Your EC2 Instance (p. 11) as a part of the Amazon EC2
instance launch wizard.
Warning
Don't delete the default security group for your VPC.
13. For Actions, choose Delete Security Group.
14. In Delete Security Group, choose Yes, Delete to delete the security group you created for this
Getting Started exercise.
Creating Resources for Amazon EFS
Amazon EFS provides elastic, shared file storage that is POSIX-compliant. The file system you create
supports concurrent read and write access from multiple Amazon EC2 instances and is accessible from all
of the Availability Zones in the AWS Region where it is created.
You can mount an Amazon EFS file system on EC2 instances in your Amazon Virtual Private Cloud
(Amazon VPC) using the Network File System versions 4.0 and 4.1 protocol (NFSv4). For more
information, see Amazon EFS: How It Works (p. 3).
Topics
Creating an Amazon Elastic File System (p. 20)
Creating Mount Targets (p. 23)
Creating Security Groups (p. 27)
As an example, suppose you have one or more EC2 instances launched in your VPC. Now you want to
create and use a file system on these instances. Following are the typical steps you need to perform to
use Amazon EFS file systems in the VPC:
• Create an Amazon EFS file system – When creating a file system, we recommend that you consider
  using the Name tag because the Name tag value appears in the console and makes it easier to identify.
  You can also add other optional tags to the file system.
• Create mount targets for the file system – To access the file system in your VPC and mount the file
  system to your Amazon EC2 instance, you must create mount targets in the VPC subnets.
• Create security groups – Both an Amazon EC2 instance and a mount target need to have associated
  security groups. These security groups act as a virtual firewall that controls the traffic between them.
  You can use the security group you associated with the mount target to control inbound traffic to your
  file system by adding an inbound rule to the mount target security group that allows access from a
  specific EC2 instance. Then, you can mount the file system only on that EC2 instance.
If you are new to Amazon EFS, we recommend that you try the following exercises that provide a
first-hand, end-to-end experience of using an Amazon EFS file system:
Getting Started (p. 10) – The Getting Started exercise provides a console-based end-to-end setup in
which you create a file system, mount it on an EC2 instance, and test the setup. The console takes care
of many things for you and helps you set up the end-to-end experience quickly.
Walkthrough 1: Create Amazon EFS File System and Mount It on an EC2 Instance Using the AWS
CLI (p. 110) – The walkthrough is similar to the Getting Started exercise, but it uses the AWS
Command Line Interface (AWS CLI) to perform most of the tasks. Because the AWS CLI commands
closely map to the Amazon EFS API, the walkthrough can help you familiarize yourself with the
Amazon EFS API operations.
For more information about creating and accessing a file system, see the following topics.
Topics
Creating an Amazon Elastic File System (p. 20)
Creating Mount Targets (p. 23)
Creating Security Groups (p. 27)
Creating an Amazon Elastic File System
Following, you can find an explanation about how to create an Amazon EFS file system and optional tags
for the file system. This section explains how to create these resources using both the console and the
AWS Command Line Interface (AWS CLI).
Note
If you are new to Amazon EFS, we recommend you go through the Getting Started exercise,
which provides console-based end-to-end instructions to create and access a file system in your
VPC. For more information, see Getting Started (p. 10).
Topics
Requirements (p. 20)
Permissions Required (p. 20)
Creating a File System (p. 21)
Requirements
To create a file system, the only requirement is that you create a token to ensure idempotent
operation. If you use the console, it generates the token for you. For more information, see
CreateFileSystem (p. 170). After you create a file system, Amazon EFS returns the file system
description as JSON. Following is an example.
{
    "SizeInBytes": {
        "Value": 6144
    },
    "CreationToken": "console-d7f56c5f-e433-41ca-8307-9d9c0example",
    "CreationTime": 1422823614.0,
    "FileSystemId": "fs-c7a0456e",
    "PerformanceMode": "generalPurpose",
    "NumberOfMountTargets": 0,
    "LifeCycleState": "available",
    "OwnerId": "231243201240"
}
If you use the console, the console displays this information in the user interface.
After creating a file system, you can create optional tags for the file system. Initially, the file system
has no name. You can create a Name tag to assign a file system name. Amazon EFS provides the
CreateTags (p. 183) operation for creating tags. Each tag is simply a key-value pair.
Permissions Required
For all operations, such as creating a file system and creating tags, a user must have AWS Identity and
Access Management permissions for the corresponding API action and resource.
You can perform any Amazon EFS operations using the root credentials of your AWS account, but using
root credentials is not recommended. If you create IAM users in your account, you can grant them
permissions for Amazon EFS actions with user policies. You can also use roles to grant cross-account
permissions. For more information about managing permissions for the API actions, see Authentication
and Access Control for Amazon EFS (p. 157).
Creating a File System
You can create a file system using the Amazon EFS console or using the AWS Command Line Interface.
You can also create file systems programmatically using AWS SDKs.
Creating a File System Using the Amazon EFS Console
The Amazon EFS console provides an integrated experience. In the console, you can specify VPC subnets
to create mount targets and optional file system tags when you create a file system.
To create the file system mount targets in your VPC, you must specify VPC subnets. The console
prepopulates the list of VPCs in your account that are in the selected AWS Region. First, you select your
VPC, and then the console lists the Availability Zones in the VPC. For each Availability Zone, you can
select a subnet from the list. After you select a subnet, you can either specify an available IP address in
the subnet or let Amazon EFS choose an address.
When creating a file system, you also choose a performance mode. There are two performance modes to
choose from—General Purpose and Max I/O. For the majority of use cases, we recommend that you use
the general purpose performance mode for your file system. For more information about the different
performance modes, see Performance Modes (p. 82).
You can enable encryption when creating a file system. If you enable encryption for your file system,
all data and metadata stored on it is encrypted. For more information about EFS encryption, see
Security (p. 88).
When you choose Create File System, the console sends a series of API requests to create the file system.
The console then sends API requests to create tags and mount targets for the file system. The following
example console shows the MyFS file system. It has the Name tag and three mount targets that are
being created. The mount target lifecycle state must be Available before you can use it to mount the file
system on an EC2 instance.
For instructions on how to create an Amazon EFS file system using the console, see Step 1: Create Your
EC2 Resources and Launch Your EC2 Instance (p. 11).
Creating a File System Using the AWS CLI
When using the AWS CLI, you create these resources in order. First, you create a file system. Then, you
can create mount targets and optional tags for the file system using corresponding AWS CLI commands.
The following examples use the adminuser as the profile parameter value. You need to use an
appropriate user profile to provide your credentials. For information about the AWS CLI, see Getting Set
Up with the AWS Command Line Interface in the AWS Command Line Interface User Guide.
To create a file system, use the Amazon EFS create-file-system CLI command (corresponding
operation is CreateFileSystem (p. 170)), as shown following.
$ aws efs create-file-system \
    --creation-token creation-token \
    --region aws-region \
    --profile adminuser
For example, the following create-file-system command creates a file system in the us-west-2
region. The command specifies MyFirstFS as the creation token. For a list of AWS regions where you
can create an Amazon EFS file system, see the Amazon Web Services General Reference.
$ aws efs create-file-system \
    --creation-token MyFirstFS \
    --region us-west-2 \
    --profile adminuser
After successfully creating the file system, Amazon EFS returns the file system description as JSON, as
shown in the following example.
{
    "SizeInBytes": {
        "Value": 6144
    },
    "CreationToken": "MyFirstFS",
    "CreationTime": 1422823614.0,
    "FileSystemId": "fs-c7a0456e",
    "PerformanceMode": "generalPurpose",
    "NumberOfMountTargets": 0,
    "LifeCycleState": "available",
    "OwnerId": "231243201240"
}
Amazon EFS also provides the describe-file-systems CLI command (corresponding operation
is DescribeFileSystems (p. 193)) that you can use to retrieve a list of file systems in your account, as
shown following:
$ aws efs describe-file-systems \
    --region aws-region \
    --profile adminuser
Amazon EFS returns a list of the file systems in your AWS account created in the specified region.
To create tags, use the Amazon EFS create-tags CLI command (the corresponding API operation is
CreateTags (p. 183)). The following example command adds the Name tag to the file system.
$ aws efs create-tags \
    --file-system-id File-System-ID \
    --tags Key=Name,Value=SomeExampleNameValue \
    --region aws-region \
    --profile adminuser
You can retrieve a list of tags created for a file system using the describe-tags CLI command
(corresponding operation is DescribeTags (p. 203)), as shown following.
$ aws efs describe-tags \
    --file-system-id File-System-ID \
    --region aws-region \
    --profile adminuser
Amazon EFS returns these descriptions as JSON. The following is an example of tags returned by the
DescribeTags operation. It shows a file system as having only the Name tag.
{
    "Tags": [
        {
            "Value": "MyFS",
            "Key": "Name"
        }
    ]
}
Creating Mount Targets
After you create a file system, you can create mount targets and then you can mount the file system on
EC2 instances in your VPC, as shown in the following illustration.
For more information about creating a file system, see Creating an Amazon Elastic File System (p. 20).
The mount target security group acts as a virtual firewall that controls the traffic. For example, it
determines which Amazon EC2 instances can access the file system. This section explains the following:
Mount target security groups and how to enable traffic.
How to mount the file system on your Amazon EC2 instance.
NFS-level permissions considerations.
Initially, only the root user on the Amazon EC2 instance has read-write-execute permissions on the file
system. This topic discusses NFS-level permissions and provides examples that show you how to grant
permissions in common scenarios. For more information, see Network File System (NFS)–Level Users,
Groups, and Permissions (p. 30).
You can create mount targets for a file system using the console, using AWS Command Line Interface, or
programmatically using the AWS SDKs. When using the console, you can create mount targets when you
first create a file system or after the file system is created.
Creating a Mount Target Using the Amazon EFS console
Perform the steps in the following procedure to create a mount target using the console. As you follow
the console steps, you can also create one or more mount targets. You can create one mount target for
each Availability Zone in your VPC.
To create an Amazon EFS file system (console)
1. Sign in to the AWS Management Console and open the Amazon EFS console at
https://console.aws.amazon.com/efs/.
2. Choose Create File System.
Note
The console shows the preceding page only if you don't already have any Amazon EFS file
systems. If you have created file systems, the console shows a list of your file systems. On
the list page, choose Create File System.
3. On the Step 1: Configure File System Access page, select the VPC and the Availability Zone in the
VPC where you want the console to create one or more mount targets for the file system that you
are creating. This VPC should be the same Amazon VPC in which you created your Amazon EC2
instance in the preceding section.
a. Select an Amazon VPC from the VPC list.
Warning
If the Amazon VPC you want is not listed, verify the region in the global navigation in
the Amazon EFS console.
b. In the Create Mount Targets section, select all of the Availability Zones listed.
We recommend that you create mount targets in all Availability Zones. You can then mount
your file system on Amazon EC2 instances created in any of the Amazon VPC subnets.
Note
You can access a file system on an Amazon EC2 instance in one Availability Zone
by using a mount target created in another Availability Zone, but there are costs
associated with cross–Availability Zone access.
For each Availability Zone, do the following:
• Choose a Subnet from the list where you want to create the mount target.
  You can create one mount target in each Availability Zone. If you have multiple subnets in an
  Availability Zone where you launched your Amazon EC2 instance, you don't have to create the
  mount target in the same subnet; it can be any subnet in the Availability Zone.
• Leave IP Address set to Automatic. Amazon EFS will select one of the available IP
  addresses for the mount target.
• Specify the Security Group you created specifically for the mount target, or the default
  security group for the default VPC. Both security groups will have the necessary inbound rule
  that allows inbound access from the EC2 instance security group.
  Click in the Security Group box and the console will show you the available security groups.
  Here you can select a specific security group and remove the Default security group, or leave
  the default in place, depending on how you configured your Amazon EC2 instance.
4. On the Step 2: Configure optional settings page, specify a value for the Name tag
(MyExampleFileSystem) and choose your performance mode.
The console prepopulates the Name tag because Amazon EFS uses its value as the file system
display name.
5. On the Step 3: Review and Create page, choose Create File System.
6. The console shows the newly created file system on the File Systems page. Verify that all mount
targets show the Life Cycle State as Available. It might take a few moments before the mount
targets become available (you can expand/collapse the file system in the EFS console to force it to
refresh).
7. Under File system access, you'll see the file system's DNS name. Make a note of this DNS name.
In the next section, you use the DNS name to mount the file system on the Amazon EC2 instance
through the mount target. The Amazon EC2 instance on which you mount the file system can
resolve the file system's DNS name to the mount target's IP address.
Now you are ready to mount the Amazon EFS file system on an Amazon EC2 instance.
Creating a Mount Target using the AWS CLI
To create a mount target using AWS CLI, use the create-mount-target CLI command (corresponding
operation is CreateMountTarget (p. 176)), as shown following.
$ aws efs create-mount-target \
    --file-system-id file-system-id \
    --subnet-id subnet-id \
    --security-groups ID-of-the-security-group-created-for-mount-target \
    --region aws-region \
    --profile adminuser
After successfully creating the mount target, Amazon EFS returns the mount target description as JSON
as shown in the following example.
{
    "MountTargetId": "fsmt-f9a14450",
    "NetworkInterfaceId": "eni-3851ec4e",
    "FileSystemId": "fs-b6a0451f",
    "LifeCycleState": "available",
    "SubnetId": "subnet-b3983dc4",
    "OwnerId": "23124example",
    "IpAddress": "10.0.1.24"
}
You can also retrieve a list of mount targets created for a file system using the
describe-mount-targets CLI command (corresponding operation is DescribeMountTargets (p. 197)),
as shown following.
$ aws efs describe-mount-targets \
    --file-system-id file-system-id \
    --region aws-region \
    --profile adminuser
For an example, see Walkthrough 1: Create Amazon EFS File System and Mount It on an EC2 Instance
Using the AWS CLI (p. 110).
Creating Security Groups
Note
The following section is specific to Amazon EC2 and discusses how to create security groups
so you can use Secure Shell (SSH) to connect to any instances that have mounted Amazon EFS
file systems. If you're not using SSH to connect to your Amazon EC2 instances, you can skip this
section.
Both an Amazon EC2 instance and a mount target have associated security groups. These security groups
act as a virtual firewall that controls the traffic between them. If you don't provide a security group when
creating a mount target, Amazon EFS associates the default security group of the VPC with it.
Regardless, to enable traffic between an EC2 instance and a mount target (and thus the file system), you
must configure the following rules in these security groups:
• The security groups you associate with a mount target must allow inbound access for the TCP protocol
  on the NFS port from all EC2 instances on which you want to mount the file system.
• Each EC2 instance that mounts the file system must have a security group that allows outbound access
  to the mount target on the NFS port.
For more information about security groups, see Amazon EC2 Security Groups in the Amazon EC2 User
Guide for Linux Instances.
Creating Security Groups Using the AWS Management Console
You can use the AWS Management Console to create security groups in your VPC. To connect your
Amazon EFS file system to your Amazon EC2 instance, you'll need to create two security groups: one for
your Amazon EC2 instance and another for your Amazon EFS mount target.
1. Create two security groups in your VPC. For instructions, see Creating a Security Group in the
Amazon VPC User Guide.
2. In the VPC console, verify the default rules for these security groups. Both security groups should
have only an outbound rule that allows traffic to leave.
3. You need to authorize additional access to the security groups as follows:
a. Add a rule to the EC2 security group to allow inbound access, as shown following. Optionally,
you can restrict the Source address.
For instructions, see Adding and Removing Rules in the Amazon VPC User Guide.
b. Add a rule to the mount target security group to allow inbound access from the EC2 security
group, as shown following (where the EC2 security group is identified as the source):
Note
You don't need to add an outbound rule because the default outbound rule allows all traffic
to leave (otherwise, you will need to add an outbound rule to open a TCP connection on the
NFS port, identifying the mount target security group as the destination).
4. Verify that both security groups now authorize inbound and outbound access as described in this
section.
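The verification in step 4 can also be done against the JSON that `aws ec2 describe-security-groups` returns. The following Python sketch is an added example, not part of the original guide: the function names are hypothetical, and the sample document and its group IDs are constructed for illustration.

```python
import json

NFS_PORT = 2049  # TCP port that EFS mount targets accept NFS traffic on

# Constructed sample, shaped like `aws ec2 describe-security-groups` output.
# All group IDs and addresses are made up for this example.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-11111111", "Description": "EC2 instance group",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []}],
   "IpPermissionsEgress": [
     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
      "UserIdGroupPairs": []}]},
  {"GroupId": "sg-22222222", "Description": "mount target group, scoped",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
      "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-11111111"}]}],
   "IpPermissionsEgress": []},
  {"GroupId": "sg-33333333", "Description": "mount target group, too open",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
   "IpPermissionsEgress": []}
]}
""")


def covers_nfs(rule):
    """Return True if a security group rule covers TCP port 2049."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= NFS_PORT <= rule.get("ToPort", 65535)


def is_nfs_only(rule):
    """Return True if the rule opens exactly TCP 2049 and nothing else."""
    return (rule.get("IpProtocol") == "tcp"
            and rule.get("FromPort") == NFS_PORT
            and rule.get("ToPort") == NFS_PORT)


def peers(rule):
    """Split a rule's peers into (security group IDs, CIDR blocks)."""
    groups = {p["GroupId"] for p in rule.get("UserIdGroupPairs", [])}
    cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
    cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
    return groups, cidrs


def audit(doc, ec2_sg, mount_target_sg):
    """Check the NFS rules between an EC2 group and a mount target group.

    Returns a sorted list of findings. An empty list means the pair matches
    the two rules described in this section with no broader exposure.
    """
    by_id = {g["GroupId"]: g for g in doc["SecurityGroups"]}
    findings = set()

    # Inbound side: the mount target group must admit NFS from the EC2 group.
    named_ec2_group = False
    for rule in by_id[mount_target_sg].get("IpPermissions", []):
        if not covers_nfs(rule):
            continue
        groups, cidrs = peers(rule)
        if ec2_sg in groups:
            named_ec2_group = True
        if not is_nfs_only(rule):
            findings.add("mount target rule opens more than TCP 2049")
        for cidr in cidrs:
            if cidr in ("0.0.0.0/0", "::/0"):
                findings.add("NFS open to any address")
            else:
                findings.add(f"NFS allowed from CIDR {cidr}, not a group")
        for other in groups - {ec2_sg}:
            findings.add(f"NFS also allowed from group {other}")
    if not named_ec2_group:
        findings.add("no inbound NFS rule naming the EC2 group as source")

    # Outbound side: the EC2 group must be able to reach TCP 2049.
    # Simplification: any CIDR destination is accepted without checking
    # that it actually contains the mount target's IP address.
    egress_ok = False
    for rule in by_id[ec2_sg].get("IpPermissionsEgress", []):
        if covers_nfs(rule):
            groups, cidrs = peers(rule)
            if mount_target_sg in groups or cidrs:
                egress_ok = True
    if not egress_ok:
        findings.add("EC2 group has no outbound rule reaching TCP 2049")
    return sorted(findings)
```

To run it against a real account, replace SAMPLE with the parsed output of `aws ec2 describe-security-groups` for the two groups.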
Creating Security Groups Using the AWS CLI
For an example that shows how to create security groups using the AWS CLI, see Step 1: Create Amazon
EC2 Resources (p. 112).
Using File Systems
Amazon Elastic File System presents a standard file system interface that supports full file system access
semantics. Using NFSv4.1, you can mount your Amazon EFS file system on any Amazon Elastic Compute
Cloud (Amazon EC2) Linux-based instance. Once mounted, you can work with the files and directories
just like you would with a local file system. For more information on mounting, see Mounting File
Systems (p. 62).
You can also use EFS File Sync to copy files from any file system to Amazon EFS. For more information on
EFS File Sync, see Amazon EFS File Sync (p. 33).
After you create a file system and mount it on your EC2 instance, there are a few things you need to
know in order to use it effectively:
Users, groups, and related NFS-Level permissions management – When you first create the file
system, there is only one root directory at /. By default, only the root user (UID 0) has read-write-
execute permissions. In order for other users to modify the file system, the root user must explicitly
grant them access. For more information, see Network File System (NFS)–Level Users, Groups, and
Permissions (p. 30).
Related Topics
Amazon EFS: How It Works (p. 3)
Getting Started (p. 10)
Walkthroughs (p. 110)
Network File System (NFS)–Level Users, Groups, and Permissions
Topics
Example Amazon EFS File System Use Cases and Permissions (p. 31)
User and group ID permissions on files and directories within a file system (p. 32)
No Root Squashing (p. 32)
Permissions Caching (p. 33)
Changing File System Object Ownership (p. 33)
After creating a file system, by default, only the root user (UID 0) has read-write-execute permissions. In
order for other users to modify the file system, the root user must explicitly grant them access.
Amazon EFS file system objects have a Unix-style mode associated with them. This value defines the
permissions for performing actions on that object, and users familiar with Unix-style systems can easily
understand how Amazon EFS behaves with respect to these permissions.
Additionally, on Unix-style systems, users and groups are mapped to numeric identifiers, which Amazon
EFS uses to represent file ownership. File system objects (that is, files, directories, etc.) on Amazon
EFS are owned by a single owner and a single group. Amazon EFS uses these numeric IDs to check
permissions when a user attempts to access a file system object.
This section provides examples of permissions and discusses Amazon EFS–specific NFS permissions
considerations.
Example Amazon EFS File System Use Cases and Permissions
After you create an Amazon EFS file system and mount targets for the file system in your VPC, you can
mount the remote file system locally on your Amazon EC2 instance. The mount command can mount
any directory in the file system. However, when you first create the file system, there is only one root
directory at /.
The following mount command mounts the root directory of an Amazon EFS file system, identified by
the file system DNS name, on the /efs-mount-point local directory.
sudo mount -t nfs -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 \
    file-system-id.efs.aws-region.amazonaws.com:/ efs-mount-point
Note that the root user and root group own the mounted directory.
The initial permissions mode allows:
• read-write-execute permissions to the owner root
• read-execute permissions to the group root
• read-execute permissions to others
Note that only the root user can modify this directory. The root user can also grant other users
permissions to write to this directory. For example:
• Create writable per-user subdirectories. For step-by-step instructions, see Walkthrough 3: Create
  Writable Per-User Subdirectories and Configure Automatic Remounting on Reboot (p. 127).
• Allow users to write to the Amazon EFS file system root. A user with root privileges can grant other
  users access to the file system.
  • To change the Amazon EFS file system ownership to a non-root user and group, use the following:
    $ sudo chown user:group /EFSroot
  • To change permissions of the file system to something more permissive, use the following:
    $ sudo chmod 777 /EFSroot
    This command grants read-write-execute privileges to all users on all EC2 instances that have the
    file system mounted.
User and group ID permissions on files and directories within a file system
Files and directories in an Amazon EFS file system support standard Unix-style read/write/execute
permissions based on the user ID and group ID asserted by the mounting NFSv4.1 client. When a user
attempts to access files and directories, Amazon EFS checks their user ID and group IDs to verify the user
has permission to access the objects. Amazon EFS also uses these IDs as the owner and group owner for
new files and directories the user creates. Amazon EFS does not examine user or group names—it only
uses the numeric identifiers.
Note
When you create a user on an EC2 instance, you can assign any numeric UID and GID to the user.
The numeric user IDs are set in the /etc/passwd file on Linux systems. The numeric group IDs
are in the /etc/group file. These files define the mappings between names and IDs. Outside of
the EC2 instance, Amazon EFS does not perform any authentication of these IDs, including the
root ID of 0.
If a user accesses an Amazon EFS file system from two different EC2 instances, depending on whether
the UID for the user is the same or different on those instances, you see different behavior as follows:
• If the user IDs are the same on both EC2 instances, Amazon EFS considers them to be the same user,
  regardless of the EC2 instance they use. The user experience when accessing the file system is the
  same from both EC2 instances.
• If the user IDs are not the same on both EC2 instances, Amazon EFS considers them to be different
  users, and the user experience will not be the same when accessing the Amazon EFS file system from
  the two different EC2 instances.
• If two different users on different EC2 instances share an ID, Amazon EFS considers them the same
  user.
You might consider managing user ID mappings across EC2 instances consistently. Users can check their
numeric ID using the id command, as shown following:
$ id
uid=502(joe) gid=502(joe) groups=502(joe)
Turn Off the ID Mapper
The NFS utilities in the operating system include a daemon called an ID Mapper that manages mapping
between user names and IDs. In Amazon Linux, the daemon is called rpc.idmapd and on Ubuntu is
called idmapd. It translates user and group IDs into names, and vice versa. However, Amazon EFS deals
only with numeric IDs. We recommend you turn this process off on your EC2 instances (on Amazon Linux
the mapper is usually disabled, in which case don't enable the ID mapper), as shown following:
$ service rpcidmapd status
$ sudo service rpcidmapd stop
No Root Squashing
When root squashing is enabled, the root user is converted to a user with limited permissions on the NFS
server.
Amazon EFS behaves like a Linux NFS server with no_root_squash. If a user or group ID is 0, Amazon
EFS treats that user as the root user, and bypasses permissions checks (allowing access and modification
to all file system objects).
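Because Amazon EFS trusts the numeric IDs asserted by each client and does not squash root, it helps to compare the ID mappings of every instance that mounts the same file system. The following Python sketch is an added example, not part of the original guide: it covers user IDs only, the function names are hypothetical, and the /etc/passwd excerpts are constructed.

```python
from collections import defaultdict

# Constructed /etc/passwd excerpts from two EC2 instances that mount the
# same file system. All accounts are made up for this example.
PASSWD_A = """\
root:x:0:0:root:/root:/bin/bash
joe:x:502:502::/home/joe:/bin/bash
ann:x:503:503::/home/ann:/bin/bash
"""
PASSWD_B = """\
root:x:0:0:root:/root:/bin/bash
joe:x:1001:1001::/home/joe:/bin/bash
bob:x:503:503::/home/bob:/bin/bash
svc:x:0:0:service account:/:/sbin/nologin
"""


def parse_passwd(text):
    """Return {account name: numeric UID} from passwd-format text.

    Blank lines, comments, and entries without a numeric UID field
    (for example NIS "+" lines) are skipped.
    """
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue
        users[fields[0]] = int(fields[2])
    return users


def compare_instances(instances):
    """Compare UID mappings across instances.

    instances maps an instance label to its passwd text. The result has
    three keys:
      same_name_different_uid: the file system sees these as different users
      same_uid_different_name: the file system sees these as one user
      non_root_uid_zero: accounts other than root that the file system
                         treats as root, because there is no root squashing
    """
    name_uids = defaultdict(set)  # account name -> UIDs seen for it
    uid_names = defaultdict(set)  # UID -> account names seen for it
    for text in instances.values():
        for name, uid in parse_passwd(text).items():
            name_uids[name].add(uid)
            uid_names[uid].add(name)
    return {
        "same_name_different_uid": {
            name: sorted(uids)
            for name, uids in name_uids.items() if len(uids) > 1
        },
        # UID 0 is reported separately below.
        "same_uid_different_name": {
            uid: sorted(names)
            for uid, names in uid_names.items()
            if len(names) > 1 and uid != 0
        },
        "non_root_uid_zero": sorted(uid_names[0] - {"root"}),
    }


if __name__ == "__main__":
    report = compare_instances({"instance-a": PASSWD_A,
                                "instance-b": PASSWD_B})
    for key, value in report.items():
        print(key, value)
```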
Permissions Caching
Amazon EFS caches file permissions for a small time period. As a result, there may be a brief window
during which a user whose access to a file system object was recently revoked can still access that
object.
Changing File System Object Ownership
Amazon EFS enforces the POSIX chown_restricted attribute. This means only the root user can
change the owner of a file system object. While the root or the owner user can change the owner group
of a file system object, unless the user is root, the group can only be changed to one that the owner user
is a member of.
Amazon EFS File Sync
Using Amazon EFS File Sync, you can easily and efficiently sync files from an existing source file system
into a destination Amazon EFS file system. The source file system can be on-premises or in the cloud.
With EFS File Sync, you can migrate file-based applications to Amazon EC2 and sync existing datasets
into Amazon EFS. EFS File Sync copies your file data, and file system metadata such as ownership,
timestamps, and access permissions.
Topics
Requirements for EFS File Sync (p. 33)
EFS File Sync Architecture (p. 36)
Requirements for EFS File Sync
Unless otherwise noted, the following are required for creating Amazon EFS File Sync.
Hardware Requirements
When deploying Amazon EFS File Sync on-premises, you must make sure that the underlying hardware
on which you are deploying the file sync VM is able to dedicate the following minimum resources:
Four virtual processors assigned to the VM.
16 GB of RAM assigned to the VM
80 GB of disk space for installation of VM image and system data
When deploying Amazon EFS File Sync on Amazon EC2, the instance size must be at least xlarge for
your Amazon EFS File Sync to function. We recommend using one of the Memory optimized r4.xlarge
instance types.
Supported Hypervisors and Host Requirements
You can choose to run EFS File Sync either on-premises as a virtual machine (VM), or in AWS as an
Amazon Elastic Compute Cloud (Amazon EC2) instance.
EFS File Sync supports the following hypervisor versions and hosts:
VMware ESXi Hypervisor (version 4.1, 5.0, 5.1, 5.5, 6.0 or 6.5)—A free version of VMware is available on
the VMware website. You will also need a VMware vSphere client to connect to the host.
EC2 instance—EFS File Sync provides an Amazon Machine Image (AMI) that contains the EFS File Sync
VM image. We recommend using the Memory optimized r4.xlarge instance types.
Allowing EFS File Sync Access through Firewalls and Routers
EFS File Sync requires access to the following endpoints to communicate with AWS. If you use a firewall
or router to filter or limit network traffic, you must configure your firewall and router to allow these
service endpoints for outbound communication to AWS.
The following endpoints are required by EFS File Sync.
cp-sync.$region.amazonaws.com
activation-sync.$region.amazonaws.com
ec2-*.amazonaws.com
For information about supported AWS Regions, see Amazon Elastic File System in the AWS General
Reference.
The CloudFront endpoint is required prior to activation for the sync agent to get the list of available AWS
Regions.
https://d4kdq0yaxexbo.cloudfront.net/
Network and Port Requirements
EFS File Sync requires the following ports for its operation. This section shows an illustration of the
required ports and lists the ports required by EFS File Sync.
The following illustration shows the ports to open for EFS File Sync deployed on-premises.
Ports required by EFS File Sync

| From | To | Protocol | Port | How Used |
|---|---|---|---|---|
| EFS File Sync VM | AWS | TCP | 443 (HTTPS) | For communication from EFS File Sync VM to the AWS service endpoint. For information about service endpoints, see Allowing EFS File Sync Access through Firewalls and Routers (p. 34). |
| Your Web browser | EFS File Sync VM | TCP | 80 (HTTP) | By local systems to obtain the sync agent activation key. Port 80 is only used during activation of the EFS File Sync agent. EFS File Sync VM does not require port 80 to be publicly accessible. The required level of access to port 80 depends on your network configuration. If you activate your sync agent from the Amazon EFS Management Console, the host from which you connect to the console must have access to port 80. |
| EFS File Sync VM | Domain Name Service (DNS) server | UDP/UDP | 53 (DNS) | For communication between EFS File Sync VM and the DNS server. |
| EFS File Sync VM | AWS | TCP | 22 (Support channel) | Allows AWS Support to access your EFS File Sync to help you with troubleshooting EFS File Sync issues. You don't need this port open for the normal operation, but it is required for troubleshooting. |
| EFS File Sync VM | NTP server | UDP | 123 (NTP) | Used by local systems to synchronize VM time to the host time. |
| NFS client | EFS File Sync VM | TCP/UDP | 2049 (NFS) | For local systems to connect to NFS shares EFS File Sync exposes. |
EFS File Sync Architecture
EFS File Sync provides the following benefits:
• Efficient high-performance parallel data transfer that tolerates unreliable and high-latency networks.
• Encryption of data transferred from your IT environment to AWS.
• Data transfer rate up to five times faster than standard Linux copy tools.
The following diagram shows the EFS File Sync architecture.
To sync your existing file system to Amazon EFS with EFS File Sync, you do the following:
1. Deploy a sync agent that can mount your source file system. The sync agent is available on the
Amazon EFS console as a downloadable virtual machine (VM) image for VMware ESXi or an Amazon
Machine Image (AMI) for Amazon EC2.
2. Create a sync task and configure the source and destination file systems. EFS File Sync accesses your
source file system through the agent by using the Network File System version 4.1 (NFSv4.1) protocol.
3. Start your sync task to begin syncing files from the source file system to the destination Amazon EFS
file system.
4. Monitor the progress of your sync task on the Amazon EFS Management Console or from Amazon
CloudWatch.
Managing Amazon EFS File Systems
File system management tasks refer to creating and deleting file systems, managing tags, and managing
network accessibility of an existing file system. Managing network accessibility is about creating and
managing mount targets.
You can perform these file system management tasks using the Amazon EFS console, AWS Command
Line Interface (AWS CLI), or programmatically, as discussed in the following sections.
Topics
• Managing File System Network Accessibility
• Managing File System Tags
• Metering – How Amazon EFS Reports File System and Object Sizes
• Managing Amazon EFS File Sync
• Deleting an Amazon EFS File System
• Managing Access to Encrypted File Systems
If you are new to Amazon EFS, we recommend that you try the following exercises that provide you with
first-hand end-to-end experience using an Amazon EFS file system:
• Getting Started (p. 10) – This exercise provides a console-based, end-to-end setup in which you create
  a file system, mount it on an EC2 instance, and test the setup. The console takes care of many things
  for you and thus helps you quickly set up the end-to-end experience.
• Walkthrough 1: Create Amazon EFS File System and Mount It on an EC2 Instance Using the AWS
  CLI (p. 110) – This walkthrough is similar to the Getting Started exercise, but it uses the AWS CLI
  to perform most of the tasks. Because the CLI commands closely map to the Amazon EFS API, the
  walkthrough can help you familiarize yourself with the Amazon EFS API.
Managing File System Network Accessibility
You mount your file system on an EC2 instance in your VPC using a mount target that you create for the
file system. Managing file system network accessibility refers to managing the mount targets.
The following illustration shows how EC2 instances in a VPC access an Amazon EFS file system using a
mount target.
The illustration shows three EC2 instances launched in different VPC subnets accessing an Amazon EFS
file system. The illustration also shows one mount target in each of the Availability Zones (regardless of
number of subnets in each Availability Zone).
You can create only one mount target per Availability Zone. If an Availability Zone has multiple subnets,
as shown in one of the zones in the illustration, you create a mount target in only one of the subnets.
As long as you have one mount target in an Availability Zone, the EC2 instances launched in any of its
subnets can share the same mount target.
Managing mount targets refers to these activities:
• Creating and deleting mount targets in a VPC – At a minimum, you should create a mount target in
  each Availability Zone from which you want to access the file system.
Note
We recommend you create mount targets in all the Availability Zones so you can easily mount
the file system on EC2 instances that you might launch in any of the Availability Zones.
If you delete a mount target, the operation forcibly breaks any mounts of the file system via the
mount target being deleted, which might disrupt instances or applications using those mounts. To
avoid application disruption, stop applications and unmount the file system before deleting the mount
target.
You can use a file system only in one VPC at a time. That is, you can create mount targets for the file
system in one VPC at a time. If you want to access the file system from another VPC, you must delete
the mount targets from the current VPC and then create new mount targets in another VPC.
• Updating the mount target configuration – When you create a mount target, you associate security
  groups with the mount target. A security group acts as a virtual firewall that controls the traffic to and
  from the mount target. You can add inbound rules to control access to the mount target, and thus the
  file system. After creating a mount target, you might want to modify the security groups assigned to
  it.
Each mount target also has an IP address. When you create a mount target, you can choose an IP
address from the subnet where you are placing the mount target. If you omit a value, Amazon EFS
selects an unused IP address from that subnet.
There is no Amazon EFS operation to change the IP address after creating a mount target, so you
cannot change the IP address programmatically or by using the AWS CLI. But the console enables you
to change the IP address. Behind the scenes, the console deletes the mount target and creates the
mount target again.
Warning
If you change the IP address of a mount target, you will break any existing file system mounts
and you will need to remount the file system.
None of the configuration changes to file system network accessibility affect the file system itself. Your
file system and data remain.
The following sections provide information about managing network accessibility of your file system.
Topics
• Creating or Deleting Mount Targets in a VPC
• Creating Mount Targets in Another VPC
• Updating the Mount Target Configuration
Creating or Deleting Mount Targets in a VPC
To access an Amazon EFS file system in a VPC you need mount targets. For an Amazon EFS file system:
• You can create one mount target in each Availability Zone.
• If the VPC has multiple subnets in an Availability Zone, you can create a mount target in only one of
  those subnets. All EC2 instances in the Availability Zone can share the single mount target.
Note
We recommend that you create a mount target in each of the Availability Zones. There are cost
considerations for mounting a file system on an EC2 instance in an Availability Zone through a
mount target created in another Availability Zone. For more information, see Amazon EFS. In
addition, by always using a mount target local to the instance's Availability Zone, you eliminate
a partial failure scenario. If the mount target's zone goes down, you won't be able to access your
file system through that mount target.
For more information about the operation, see CreateMountTarget (p. 176).
You can delete mount targets. Note that a mount target deletion forcibly breaks any mounts of the file
system via that mount target, which might disrupt instances or applications using those mounts. For
more information, see DeleteMountTarget (p. 188).
Using the Console
Use the following procedure to create new mount targets, delete, or update existing mount targets using
the AWS Management Console.
1. In the Amazon EFS console, select the file system, choose Actions, and then choose Manage File
System Access.
The console displays the Manage File System Access page with a list of file system mount targets
you have created in the selected VPC. The console shows a list of Availability Zones and mount
target information, if there is a mount target in that Availability Zone.
The console shows that the file system has one mount target in the eu-west-2c Availability Zone, as
shown following:
2. To create new mount targets
a. Click on the left side in the specific Availability Zone row.
b. If the Availability Zone has multiple subnets, select a subnet from the Subnet list.
c. Amazon EFS automatically selects an available IP address, or you can provide another IP address
explicitly.
d. Choose a Security Group from the list.
For more information about security groups, see Amazon EC2 Security Groups in the Amazon
EC2 User Guide for Linux Instances.
3. To delete a mount target, choose the X next to the Availability Zone from which you want to remove
a mount target.
Using the AWS CLI
To create a mount target, use the create-mount-target AWS CLI command (corresponding operation
is CreateMountTarget (p. 176)), as shown following:
$ aws efs create-mount-target \
--file-system-id file-system-ID \
--subnet-id vpc-subnet-ID \
--security-groups security-group-IDs \
--region aws-region \
--profile adminuser
In this command, file-system-ID is the file system for which to create the mount target, vpc-subnet-ID is
the subnet in which to create the mount target, security-group-IDs are the security groups to associate
with the mount target, and aws-region is the AWS Region (for example, us-west-2).
Note that the AWS region (the region parameter) must be the VPC region.
You can get a list of mount targets created for a file system using the describe-mount-targets AWS
CLI command (corresponding operation is DescribeMountTargets (p. 197)), as shown following:
$ aws efs describe-mount-targets \
--file-system-id file-system-ID \
--region aws-region-where-file-system-exists \
--profile adminuser
Here's a sample response:
{
    "MountTargets": [
        {
            "MountTargetId": "fsmt-52a643fb",
            "NetworkInterfaceId": "eni-f11e8395",
            "FileSystemId": "fs-6fa144c6",
            "LifeCycleState": "available",
            "SubnetId": "subnet-15d45170",
            "OwnerId": "23124example",
            "IpAddress": "10.0.2.99"
        },
        {
            "MountTargetId": "fsmt-55a643fc",
            "NetworkInterfaceId": "eni-14a6ae4d",
            "FileSystemId": "fs-6fa144c6",
            "LifeCycleState": "available",
            "SubnetId": "subnet-0b05fc52",
            "OwnerId": "23124example",
            "IpAddress": "10.0.19.174"
        }
    ]
}
To delete an existing mount target, use the delete-mount-target AWS CLI command (corresponding
operation is DeleteMountTarget (p. 188)), as shown following:
$ aws efs delete-mount-target \
--mount-target-id mount-target-ID-to-delete \
--region aws-region-where-mount-target-exists \
--profile adminuser
Creating Mount Targets in Another VPC
You can use an Amazon EFS file system in one VPC at a time. That is, you create mount targets in a VPC
for your file system, and use those mount targets to provide access to the file system from EC2 instances
in that VPC. To access the file system from EC2 instances in another VPC, you must first delete the mount
targets from the current VPC and then create new mount targets in another VPC.
Using the Console
1. In the Amazon EFS console, first select the file system, choose Actions, and then choose Manage
File System Access.
The console displays the Manage File System Access page with a list of mount targets you created
for the file system in a VPC. The following illustration shows a file system that has three mount
targets, one in each Availability Zone.
2. To change the VPC, select another VPC from the VPC list.
The console clears all of the mount target information and lists only the Availability Zone.
3. Create mount targets in one or more Availability Zones as follows:
a. If the Availability Zone has multiple subnets, select a subnet from the Subnet list.
b. Amazon EFS automatically selects an available IP address, or you can provide another IP address
explicitly.
c. Choose the security groups that you want to associate.
For information about security groups, see Amazon EC2 Security Groups in the Amazon EC2 User
Guide for Linux Instances.
4. Choose Save.
The console first deletes the mount targets from the previous VPC and then creates new mount
targets in the new VPC that you selected.
Using the CLI
To use a file system in another VPC, you must first delete any mount targets you previously created in a
VPC and then create new mount targets in another VPC. For example AWS CLI commands, see Creating
or Deleting Mount Targets in a VPC.
Updating the Mount Target Configuration
After you create a mount target for your file system, you may want to update security groups that are
in effect. You cannot change the IP address of an existing mount target. To change the IP address, you must
delete the mount target and create a new one with the new address. Note that deleting a mount target
will break any existing file system mounts.
Modifying the Security Group
Security groups define inbound/outbound access. When you change security groups associated with
a mount target, make sure that you authorize necessary inbound/outbound access so that your EC2
instance can communicate with the file system.
For more information about security groups, see Amazon EC2 Security Groups in the Amazon EC2 User
Guide for Linux Instances.
Using the Console
1. In the Amazon EFS console, select the file system, choose Actions, and then choose Manage File
System Access.
The console displays the Manage File System Access page with a list of Availability Zones and
mount target information, if there is a mount target in the Availability Zone.
2. In the Security Group column, you can add or remove security groups. Choose X to remove an
existing security group. Choose the Security Group box to select from other available security
groups.
If you remove all security groups, Amazon EFS assigns the VPC's default security group.
Using the CLI
To modify security groups that are in effect for a mount target, use the
modify-mount-target-security-groups AWS CLI command (corresponding operation is
ModifyMountTargetSecurityGroups (p. 206)) to replace any existing security groups, as shown
following:
$ aws efs modify-mount-target-security-groups \
--mount-target-id mount-target-ID-whose-configuration-to-update \
--security-groups security-group-ids-separated-by-space \
--region aws-region-where-mount-target-exists \
--profile adminuser
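One way to review the security groups in effect on each mount target, as an added example (not from this guide or an AWS tool): the script takes the mount targets from the sample describe-mount-targets response shown earlier, together with constructed security group data in the shape the AWS CLI returns, and flags groups that admit NFS (TCP 2049) from any address or from outside the VPC, use of the VPC default group, and mount targets with no NFS ingress at all. The group IDs, names, rules, VPC_CIDR and the finding labels are assumptions made for the example.

```python
import ipaddress
import json

NFS_PORT = 2049  # NFS port that clients use to reach a mount target

# Mount targets from the guide's sample describe-mount-targets response (trimmed).
MOUNT_TARGETS = json.loads("""
{"MountTargets": [
  {"MountTargetId": "fsmt-52a643fb", "SubnetId": "subnet-15d45170", "IpAddress": "10.0.2.99"},
  {"MountTargetId": "fsmt-55a643fc", "SubnetId": "subnet-0b05fc52", "IpAddress": "10.0.19.174"}
]}""")["MountTargets"]

# Constructed sample: group IDs per mount target, the shape returned by
# `aws efs describe-mount-target-security-groups`.
MT_GROUPS = {
    "fsmt-52a643fb": ["sg-0aaa1111example"],
    "fsmt-55a643fc": ["sg-0bbb2222example", "sg-0ccc3333example"],
}

# Constructed sample: trimmed `aws ec2 describe-security-groups` output.
SECURITY_GROUPS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa1111example", "GroupName": "efs-mount-targets",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
                      "IpRanges": [], "Ipv6Ranges": [],
                      "UserIdGroupPairs": [{"GroupId": "sg-0ddd4444example"}]}]},
  {"GroupId": "sg-0bbb2222example", "GroupName": "legacy-nfs",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                      "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0ccc3333example", "GroupName": "default",
   "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
                      "UserIdGroupPairs": [{"GroupId": "sg-0ccc3333example"}]}]}
]}""")["SecurityGroups"]

VPC_CIDR = "10.0.0.0/16"  # constructed; use your VPC's CIDR block


def admits_nfs(perm):
    """True if one inbound IpPermissions entry covers TCP 2049."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all protocols and ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm["FromPort"] <= NFS_PORT <= perm["ToPort"]


def audit_group(group, vpc_cidr):
    """Return (finding labels, admits-NFS flag) for one security group."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    if group.get("GroupName") == "default":
        # EFS assigns the VPC default group when all groups are removed.
        findings.append("default-group")
    nfs_rules = [p for p in group.get("IpPermissions", []) if admits_nfs(p)]
    for perm in nfs_rules:
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if net.prefixlen == 0:
                findings.append("nfs-open-to-any-ipv4")
            elif not net.subnet_of(vpc):
                findings.append("nfs-cidr-outside-vpc:%s" % net)
        for rng in perm.get("Ipv6Ranges", []):
            if ipaddress.ip_network(rng["CidrIpv6"], strict=False).prefixlen == 0:
                findings.append("nfs-open-to-any-ipv6")
    return findings, bool(nfs_rules)


def audit_mount_targets(mount_targets, mt_groups, groups, vpc_cidr=VPC_CIDR):
    """Map each mount target ID to a list of (ID, finding label) pairs."""
    by_id = {g["GroupId"]: g for g in groups}
    report = {}
    for mt in mount_targets:
        mt_id = mt["MountTargetId"]
        results, reachable = [], False
        for sg_id in mt_groups.get(mt_id, []):
            group = by_id.get(sg_id)
            if group is None:
                results.append((sg_id, "group-not-in-input"))
                continue
            findings, admits = audit_group(group, vpc_cidr)
            reachable = reachable or admits
            results.extend((sg_id, label) for label in findings)
        if not reachable:
            # No rule lets clients reach TCP 2049, so mounts through this target fail.
            results.append((mt_id, "no-nfs-ingress"))
        report[mt_id] = results
    return report


if __name__ == "__main__":
    report = audit_mount_targets(MOUNT_TARGETS, MT_GROUPS, SECURITY_GROUPS)
    for mt_id, results in report.items():
        print(mt_id, results or "ok")
```

A CIDR outside the VPC is a review item rather than an error, because clients that reach the file system from outside the VPC need such a rule.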
Managing File System Tags
You can create new tags, update values of existing tags, or delete tags associated with a file system.
Using the Console
The console lists existing tags associated with a file system. You can add new tags, change values of
existing tags, or delete existing tags.
1. Open the Amazon Elastic File System console at https://console.aws.amazon.com/efs/.
2. Choose the file system.
3. Choose Action and then choose Manage Tags.
4. On the Manage Tags page, add or delete tags. For each new tag, provide a Key and its Value.
5. Choose Save.
Using the AWS CLI
You can use the create-tags CLI command to add new tags, delete-tags to delete existing tags,
or use the describe-tags command to retrieve tags associated with a file system. Each CLI command
corresponds to the CreateTags (p. 183), DeleteTags (p. 191), and DescribeTags (p. 203) Amazon EFS
operations.
For an example walkthrough of the AWS CLI commands that you can use to add and list tags, see Step
2.1: Create Amazon EFS File System (p. 116).
The following delete-tags command removes the tag keys test1 and test2 from the tag list of the
specified file system.
$ aws efs \
delete-tags \
--file-system-id fs-c5a1446c \
--tag-keys "test1" "test2" \
--region us-west-2 \
--profile adminuser
Metering – How Amazon EFS Reports File System and Object Sizes
This section explains how Amazon EFS reports file system sizes and sizes of objects within a file system.
Metering Amazon EFS File System Objects
Customer-visible objects in an Amazon EFS system can be regular files, directories, symbolic links, and
special files (FIFOs and sockets). Each of these objects is metered for 2 KiB (kibibytes) of metadata (for its
inode) and one or more increments of 4 KiB of data. The following list explains the metered data size for
different types of file system objects.
• Regular files – The metered data size of a regular file is the logical size of the file rounded to the next
  4 KiB increment, except that it may be less for sparse files.
  A sparse file is a file to which data is not written to all positions of the file before its logical size is
  reached. For a sparse file, if the actual storage used is less than the logical size rounded to the next 4
  KiB increment, Amazon EFS reports actual storage used as the metered data size.
• Directories – The metered data size of a directory is the actual storage used for the directory entries
  and the data structure that holds them, rounded to the next 4 KiB increment (it does not include the
  actual storage used by the file data).
• Symbolic links and special files – The metered data size for these objects is always 4 KiB.
When Amazon EFS reports the space used for an object, through the NFSv4.1 space_used attribute, it
includes the object's current metered data size, but not its metadata size. There are two utilities available
for measuring the disk usage of a file, the du and stat utilities. Here's an example of how to use the du
utility, on an empty file, with the -k option to return the output in kilobytes:
$ du -k file
4 file
Here's an example of how to use the stat utility on an empty file to return the file's disk usage:
$ /usr/bin/stat --format="%b*%B" file | bc
4096
To measure the size of a directory, use the stat utility, find the Blocks value, and then multiply that
value by the block size. Here's an example of how to use the stat utility on an empty directory:
$ /usr/bin/stat --format="%b*%B" . | bc
4096
Metering an Amazon EFS File System
The metered size of an entire Amazon EFS file system is the sum of the sizes (including metadata) of all
of its current objects. The size of each object is calculated from a representative sampling that represents
the size of the object during the metered hour, for example the hour from 8:00 am to 9:00 am.
For example, an empty file contributes 6 KiB (2 KiB metadata + 4 KiB data) to the metered size of its file
system. Upon creation, a file system has a single empty root directory and therefore has a metered size
of 6 KiB.
The metered sizes of a particular file system define the usage for which the owner account is billed for
that file system for that hour.
Note
The computed metered size does not represent a consistent snapshot of the file system at any
particular time during that hour. Rather, it represents the sizes of the objects that existed in the
file system at varying times within each hour or possibly the hour before it, which are summed
to determine the file system's metered size for the hour. The metered size of a file system is
thus eventually consistent with the metered sizes of the objects stored when there are no writes
to the file system.
This metered size for an Amazon EFS file system can be seen in the following ways:
• DescribeFileSystems API – Used in SDKs, HTTP, and the AWS CLI.
• File Systems table – For each file system listed in the AWS Management Console.
• DF command – In Linux, the df command can be run at the terminal prompt of an EC2 instance.
Note
The metered size is also used to determine your I/O throughput baseline and burst rates. For
more information, see Throughput Scaling in Amazon EFS (p. 83).
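The metering rules in this section, applied per object and summed over a directory tree, as an added example that is not part of this guide or of any AWS tool. It shows how the 2 KiB metadata charge and 4 KiB data increments make many small files meter far above their logical size. Assumptions: a size that is already a multiple of 4 KiB is not rounded further, a sparse file is still metered for at least one increment, and the local st_blocks value (taken as 512-byte units) only approximates the storage that Amazon EFS would report.

```python
import math
import os
import stat

KIB = 1024
METADATA_BYTES = 2 * KIB  # metered per object for its inode
INCREMENT = 4 * KIB       # data is metered in 4 KiB increments


def round_up(nbytes):
    """Round up to whole 4 KiB increments, with a minimum of one increment.

    Assumption: an exact multiple of 4 KiB is returned unchanged.
    """
    return max(1, math.ceil(nbytes / INCREMENT)) * INCREMENT


def metered_data_bytes(kind, logical_size=0, storage_used=None):
    """Metered data size of one object, following the list in this section.

    kind is "file", "directory", "symlink" or "special"; storage_used is the
    actual storage in bytes (blocks * block size from stat), if known.
    """
    if kind in ("symlink", "special"):
        return INCREMENT
    if kind == "directory":
        return round_up(storage_used or 0)
    if kind != "file":
        raise ValueError("unknown object kind: %r" % kind)
    rounded = round_up(logical_size)
    if storage_used is not None and storage_used < rounded:
        # Sparse file: actual storage is metered instead of the logical size.
        # Assumption: the one-increment minimum still applies.
        return max(INCREMENT, storage_used)
    return rounded


def metered_total_bytes(kind, logical_size=0, storage_used=None):
    """Metadata plus data, which is what counts toward the file system size."""
    return METADATA_BYTES + metered_data_bytes(kind, logical_size, storage_used)


def classify(st):
    """Map an lstat result to one of the object kinds used above."""
    if stat.S_ISREG(st.st_mode):
        return "file"
    if stat.S_ISDIR(st.st_mode):
        return "directory"
    if stat.S_ISLNK(st.st_mode):
        return "symlink"
    return "special"  # FIFOs and sockets


def scan_tree(root):
    """Yield (path, kind, logical size, storage used) for root and all below it."""
    stack = [root]
    while stack:
        path = stack.pop()
        st = os.lstat(path)  # lstat so symbolic links are not followed
        kind = classify(st)
        yield path, kind, st.st_size, st.st_blocks * 512  # assumes 512-byte units
        if kind == "directory":
            stack.extend(os.path.join(path, name) for name in os.listdir(path))


def estimate_tree(root):
    """Return (object count, logical bytes in regular files, estimated metered bytes)."""
    count = logical = metered = 0
    for _path, kind, size, used in scan_tree(root):
        count += 1
        if kind == "file":
            logical += size
        metered += metered_total_bytes(kind, size, used)
    return count, logical, metered


if __name__ == "__main__":
    import sys
    n, logical, metered = estimate_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("%d objects, %d logical bytes, about %d metered bytes" % (n, logical, metered))
```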
Managing Amazon EFS File Sync
In this section, you can find information about how to manage your Amazon EFS File Sync.
Topics
• Deleting a Sync Agent
• Deleting a Sync Task
• Understanding Sync Agent Status
• Understanding Sync Task Status
• Performing Tasks on the EFS File Sync VM Local Console
• Performing Tasks on Amazon EC2 EFS File Sync Local Console
Deleting a Sync Agent
If you no longer need a sync agent, you can delete it from the Amazon EFS Management Console.
To delete a sync agent
1. Choose File syncs, choose Agents, and then choose the sync agent that you want to delete.
2. For Actions, choose Delete.
3. In the Confirm deletion of sync agent dialog box, choose Check box confirm deletion, and then
choose OK.
Deleting a Sync Task
If you no longer need a sync task, you can delete it from the Amazon EFS Management Console.
To delete a sync task
1. Choose File syncs, choose Tasks, and then choose the sync task that you want to delete.
2. For Actions, choose Delete.
3. In the Confirm deletion of sync task dialog box, choose Check box confirm deletion, and then
choose OK.
Understanding Sync Agent Status
The following table describes each sync agent status, and if and when you should take action based on
the status. When a sync agent is in use, it has Running status all or most of the time.
Sync Agent Status | Meaning
Running | The sync agent is configured properly and is available to use. The Running status is the normal running status for a sync agent.
Offline | The sync agent's VM or EC2 instance is turned off or the agent is in an unhealthy state. When the issue that caused the unhealthy state is resolved, the agent returns to Running status.
Understanding Sync Task Status
The following table describes each sync task status, and if and when you should take action based on the
status.
Sync Task Status | Meaning
Available | The sync task is configured properly and is available to be started.
Completed | The task creating process has completed.
Creating | EFS File Sync is creating the sync task.
Error |
Starting | The task creating process has started.
Preparing | The sync task is examining the source and destination file systems to determine which files to sync.
Syncing | EFS File Sync is syncing files from the source file system to the destination Amazon EFS file system.
Verifying | EFS File Sync is verifying consistency between the source and destination file systems.
Performing Tasks on the EFS File Sync VM Local Console
For an EFS File Sync deployed on-premises, you can perform the following maintenance tasks using the
VM host's local console.
Topics
• Logging in to the Local Console Using Default Credentials
• Configuring Your EFS File Sync Network
• Testing Your EFS File Sync Connection to the Internet
• Viewing Your EFS File Sync System Resource Status
• Synchronizing Your EFS File Sync VM Time
• Running EFS File Sync Commands on the Local Console
Logging in to the Local Console Using Default Credentials
When the VM is ready for you to log in, the login screen is displayed.
To log in to the EFS File Sync's local console
If this is your first time logging in to the local console, log in to the VM with the user name sguser
and password sgpassword. Otherwise, use your credentials to log in.
After you log in, you see the Amazon EFS File Sync Configuration main menu, as shown in the following
screenshot.
Note
We recommend changing the default password. You do this by running the passwd command
from the EFS File Sync Command Prompt (item 5 on the main menu). For information about
how to run the command, see Running EFS File Sync Commands on the Local Console (p. 54).
To | See
Configure your network | Configuring Your EFS File Sync Network (p. 50).
Test network connectivity | Testing Your EFS File Sync Connection to the Internet (p. 52).
View system resource check | Viewing Your EFS File Sync System Resource Status (p. 53).
Manage VM time | Synchronizing Your EFS File Sync VM Time (p. 54).
Run Local console commands | Running EFS File Sync Commands on the Local Console (p. 54).
To shut down EFS File Sync, type 0.
To exit the configuration session, type x to exit the menu.
Configuring Your EFS File Sync Network
The default network configuration for the EFS File Sync is Dynamic Host Configuration Protocol (DHCP).
With DHCP, your EFS File Sync is automatically assigned an IP address. In some cases, you might need to
manually assign your EFS File Sync's IP as a static IP address, as described following.
To configure your EFS File Sync to use static IP addresses
1. Log in to your EFS File Sync's local console.
2. On the Amazon EFS File Sync Configuration main menu, type option 1 to begin configuring a static
IP address.
3. Choose one of the following options on the Amazon EFS File Sync Configuration menu:
To | Do This
Describe network adapter | Type option 1. A list of adapter names appears, and you are prompted to type an adapter name—for example, eth0. If the adapter you specify is in use, the following information about the adapter is displayed: Media access control (MAC) address; IP address; Netmask; EFS File Sync IP address; DHCP enabled status. You use the same adapter name when you configure a static IP address (option 3) as when you set your EFS File Sync's default route adapter (option 5).
Configure DHCP | Type option 2. You are prompted to configure network interface to use DHCP.
Configure a static IP address for your EFS File Sync | Type option 3. You are prompted to type the following information to configure a static IP: Network adapter name; IP address; Netmask; Default EFS File Sync address; Primary Domain Name Service (DNS) address; Secondary DNS address. Important: If your EFS File Sync has already been activated, you must shut it down and restart it from the EFS File Sync console for the settings to take effect. If your EFS File Sync uses more than one network interface, you must set all enabled interfaces to use DHCP or static IP addresses. For example, suppose your EFS File Sync VM uses two interfaces configured as DHCP. If you later set one interface to a static IP, the other interface is disabled. To enable the interface in this case, you must set it to a static IP. If both interfaces are initially set to use static IP addresses and you then set the EFS File Sync to use DHCP, both interfaces will use DHCP.
Reset all your EFS File Sync's network configuration to DHCP | Type option 4. All network interfaces are set to use DHCP. Important: If your EFS File Sync has already been activated, you must shut down and restart your EFS File Sync from the EFS File Sync console for the settings to take effect.
Set your EFS File Sync's default route adapter | Type option 5. The available adapters for your EFS File Sync are shown, and you are prompted to select one of the adapters—for example, eth0.
View your EFS File Sync's DNS configuration | Type option 6. The IP addresses of the primary and secondary DNS name servers are displayed.
View routing tables | Type option 7. The default route of your EFS File Sync is displayed.
Testing Your EFS File Sync Connection to the Internet
You can use your EFS File Sync's local console to test your Internet connection. This test can be useful
when you are troubleshooting network issues with your EFS File Sync.
To test your EFS File Sync's connection to the Internet
1. Log in to your EFS File Sync's local console.
2. On the EFS File Sync Configuration main menu, type option 2 to begin testing network
connectivity.
3. The endpoint in the selected region displays either a PASSED or FAILED message, as shown
following.
Message | Description
[ PASSED ] | EFS File Sync has Internet connectivity.
[ FAILED ] | EFS File Sync does not have Internet connectivity.
Viewing Your EFS File Sync System Resource Status
When your gateway starts, it checks its virtual CPU cores, root volume size, and RAM and determines
whether these system resources are sufficient for your EFS File Sync to function properly. You can view
the results of this check on the EFS File Sync's local console.
To view the status of a system resource check
1. Log in to your EFS File Sync's local console.
2. In the EFS File Sync Configuration main menu, type 3 to view the results of a system resource
check.
The console displays an [OK], [WARNING], or [FAIL] message for each resource as described in the
table following.
Message | Description
[OK] | The resource has passed the system resource check.
[WARNING] | The resource does not meet the recommended requirements, but your EFS File Sync will continue to function. EFS File Sync displays a message that describes the results of the resource check.
[FAIL] | The resource does not meet the minimum requirements. Your EFS File Sync might not function properly. EFS File Sync displays a message that describes the results of the resource check.
The console also displays the number of errors and warnings next to the resource check menu
option.
The following screenshot shows a [FAIL] message and the accompanying error message.
Synchronizing Your EFS File Sync VM Time
After your EFS File Sync is deployed and running, in some scenarios the EFS File Sync VM's time can drift.
For example, if there is a prolonged network outage and your hypervisor host and EFS File Sync do not
get time updates, then the EFS File Sync VM's time will be different from the true time. When there is a
time drift, a discrepancy occurs between the stated times when operations such as snapshots occur and
the actual times that the operations occur.
For an EFS File Sync deployed on VMware ESXi, setting the hypervisor host time and synchronizing the VM
time to the host is sufficient to avoid time drift.
Running EFS File Sync Commands on the Local Console
The EFS File Sync console helps provide a secure environment for configuring and diagnosing issues with
your EFS File Sync. Using the console commands, you can perform maintenance tasks such as saving
routing tables or connecting to AWS Support.
To run a configuration or diagnostic command
1. Log in to your EFS File Sync's local console.
2. On the EFS File Sync Configuration main menu, type option 5 for Command Prompt.
3. On the EFS File Sync console, type h, and then press the Return key.
The console displays the Available Commands menu with the available commands and after the
menu a Command Prompt, as shown in the following screenshot.
4. To learn about a command, type man + command name at the EFS File Sync Console prompt.
Performing Tasks on Amazon EC2 EFS File Sync Local Console
Some maintenance tasks require that you log in to the local console when running an EFS File Sync
deployed on an Amazon EC2 instance. In this section, you can find information about how to log in to the
local console and perform maintenance tasks.
Topics
Logging In to Amazon EC2 EFS File Sync Local Console
Testing EFS File Sync Connectivity to the Internet
Viewing EFS File Sync System Resource Status
Running EFS File Sync Commands on the Local Console
Logging In to Amazon EC2 EFS File Sync Local Console
You can connect to your Amazon EC2 instance by using a Secure Shell (SSH) client. For detailed
information, see Connect to Your Instance in the Amazon EC2 User Guide. To connect this way, you will
need the SSH key pair you specified when you launched the instance. For information about Amazon EC2
key pairs, see Amazon EC2 Key Pairs in the Amazon EC2 User Guide.
To log in to the EFS File Sync local console
1. Log in to your local console. If you are connecting to your EC2 instance from a Windows computer,
log in as sguser.
2. After you log in, you see the Amazon EFS File Sync Configuration main menu, as shown in the
following screenshot.
To test network connectivity, see Testing EFS File Sync Connectivity to the Internet (p. 56).
To view a system resource check, see Viewing EFS File Sync System Resource Status (p. 57).
To run EFS File Sync console commands, see Running EFS File Sync Commands on the Local Console (p. 58).
To shut down the EFS File Sync, type 0.
To exit the configuration session, type x to exit the menu.
Testing EFS File Sync Connectivity to the Internet
You can use your EFS File Sync's local console to test your Internet connection. This test can be useful
when you are troubleshooting network issues.
To test EFS File Sync's connection to the Internet
1. Log in to your EFS File Sync's local console. For instructions, see Logging In to Amazon EC2 EFS File
Sync Local Console (p. 55).
2. In the Amazon EFS File Sync Configuration main menu, type 1 to begin testing network
connectivity.
3. The endpoint in the region you select displays either a [PASSED] or [FAILED] message, as shown
following.
Message – Description
[PASSED] – EFS File Sync has Internet connectivity.
[FAILED] – EFS File Sync does not have Internet connectivity.
Viewing EFS File Sync System Resource Status
When your EFS File Sync starts, it checks its virtual CPU cores, root volume size, and RAM and determines
whether these system resources are sufficient for your EFS File Sync to function properly. You can view
the results of this check on the EFS File Sync's local console.
To view the status of a system resource check
1. Log in to your EFS File Sync's local console. For instructions, see Logging In to Amazon EC2 EFS File
Sync Local Console (p. 55).
2. In the Amazon EFS File Sync Configuration main menu, type 2 to view the results of a system
resource check.
The console displays an [OK], [WARNING], or [FAIL] message for each resource as described in the
table following.
Message – Description
[OK] – The resource has passed the system resource check.
[WARNING] – The resource does not meet the recommended requirements, but your EFS File Sync will continue to function. EFS File Sync displays a message that describes the results of the resource check.
[FAIL] – The resource does not meet the minimum requirements. Your EFS File Sync might not function properly. EFS File Sync displays a message that describes the results of the resource check.
The console also displays the number of errors and warnings next to the resource check menu
option.
The following screenshot shows a [FAIL] message and the accompanying error message.
Running EFS File Sync Commands on the Local Console
The EFS File Sync local console helps provide a secure environment for configuring and diagnosing issues
with your EFS File Sync. Using the local console commands, you can perform maintenance tasks such as
saving routing tables or connecting to AWS Support.
To run a configuration or diagnostic command
1. Log in to your EFS File Sync's local console. For instructions, see Logging In to Amazon EC2 EFS File
Sync Local Console (p. 55).
2. In the Amazon EFS File Sync Configuration main menu, type 3 for EFS File Sync Console.
3. In the EFS File Sync console, type h, and then press the Return key.
The console displays the Available Commands menu with the available commands. After the menu,
an EFS File Sync Console prompt appears, as shown in the following screenshot.
4. To learn about a command, type man + command name at the EFS File Sync Console prompt.
Deleting an Amazon EFS File System
File system deletion is a destructive action that cannot be undone. You will lose the file system and any
data you have in it.
Important
You should always unmount a file system before you delete it.
Using the Console
1. Open the Amazon Elastic File System console at https://console.aws.amazon.com/efs/.
2. Select the file system that you want to delete.
3. Choose Action and then choose Delete File System.
4. In the Permanently Delete File System confirmation box, type the file system ID and then choose
Delete File System.
The console simplifies file system deletion for you. First it deletes the associated mount targets, and
then it deletes the file system.
Using the CLI
Before you can use the AWS CLI command to delete a file system, you must delete all of the mount
targets created for the file system.
For example AWS CLI commands, see Step 4: Clean Up (p. 121).
Related Topics
Managing Amazon EFS File Systems (p. 38)
Managing Access to Encrypted File Systems
Using Amazon EFS, you can create encrypted file systems. If you create an encrypted file system, data
and metadata are encrypted at rest. Amazon EFS uses AWS Key Management Service (AWS KMS) for key
management. When you create an encrypted file system, you specify a customer master key (CMK). The
CMK can be aws/elasticfilesystem (the AWS-managed CMK for Amazon EFS) or it can be a CMK
that you manage.
File data (that is, the contents of your files) is encrypted using the CMK you specified when you created
the file system. Metadata (that is, file names, directory names, and directory contents) is encrypted by a
key that Amazon EFS manages.
The AWS-managed CMK for your file system is used as the master key for the metadata in your file
system, for example file names, directory names, and directory contents. You own the CMK used to
encrypt file data (that is, the contents of your files).
You manage who has access to your CMKs and the contents of your encrypted file systems. This access
is controlled by both AWS Identity and Access Management (IAM) policies and AWS KMS. IAM policies
control a user's access to Amazon EFS API actions. AWS KMS key policies control a user's access to the
CMK you specified when the file system was created. For more information, see the following:
• IAM Users in the IAM User Guide.
• Using Key Policies in AWS KMS in the AWS Key Management Service Developer Guide.
• Using Grants in the AWS Key Management Service Developer Guide.
As a key administrator, you can import external keys and you can modify keys by enabling, disabling, or
deleting them. The state of the CMK that you specified when you encrypted the file system affects access
to its contents. The CMK must be in the enabled state for users to have access to the contents of an
encrypted file system.
Performing Administrative Actions on Amazon EFS Customer Master Keys
Following, you can find how to enable, disable, or delete the CMKs associated with your Amazon EFS file
system. You can also learn about the behavior to expect from your file system when you perform these
actions.
Disabling, Deleting, or Revoking Access to the CMK for a File System
You can disable or delete your custom CMKs, or you can revoke Amazon EFS's access to your CMKs.
Disabling and revoking access for Amazon EFS to your keys are reversible actions. Significant caution
should be exercised when deleting CMKs. Deleting a CMK is an irreversible action.
If you disable or delete the CMK used for your mounted file system, the following is true:
• That CMK can't be used as the master key for new encrypted file systems.
• Existing encrypted file systems that use that CMK will stop working after a period of time.
If you revoke Amazon EFS's access to a grant for any existing mounted file system, the behavior is
the same as if you disabled or deleted the associated CMK. In other words, the encrypted file system
continues to function, but will stop working after a period of time.
To prevent access to a mounted encrypted file system that has a CMK that you've disabled, deleted, or
revoked Amazon EFS's access to, unmount the file system and delete your Amazon EFS mount targets.
You can't immediately delete an AWS KMS key, but you can instead schedule a key to be deleted. The
earliest a CMK can be deleted is seven days after the key has been scheduled for deletion. When a key is
scheduled for deletion, it behaves as if it is disabled. You can also cancel a key's scheduled deletion. For
more information on deleting a master key in AWS KMS, see Deleting Customer Master Keys in the AWS
Key Management Service Developer Guide.
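The key states described above decide whether an encrypted file system stays usable. The following added example (not part of the guide) classifies file systems by the state of their CMK, using constructed data shaped like the output of aws efs describe-file-systems and aws kms describe-key. All IDs and ARNs are placeholders, and it assumes KmsKeyId holds the key ARN.

```python
from datetime import datetime, timezone

# Constructed sample data (placeholder account, IDs and ARNs). The dictionaries
# carry only the fields used below: FileSystems[] entries from
# `aws efs describe-file-systems`, KeyMetadata from `aws kms describe-key`.
ARN = "arn:aws:kms:us-west-2:111122223333:key/"
FILE_SYSTEMS = [
    {"FileSystemId": "fs-0000000a", "Encrypted": True, "NumberOfMountTargets": 2,
     "KmsKeyId": ARN + "example-enabled"},
    {"FileSystemId": "fs-0000000b", "Encrypted": True, "NumberOfMountTargets": 1,
     "KmsKeyId": ARN + "example-disabled"},
    {"FileSystemId": "fs-0000000c", "Encrypted": True, "NumberOfMountTargets": 0,
     "KmsKeyId": ARN + "example-pending"},
    {"FileSystemId": "fs-0000000d", "Encrypted": False, "NumberOfMountTargets": 1},
    {"FileSystemId": "fs-0000000e", "Encrypted": True, "NumberOfMountTargets": 1,
     "KmsKeyId": ARN + "example-not-described"},
]
KEYS = {
    ARN + "example-enabled": {"KeyState": "Enabled"},
    ARN + "example-disabled": {"KeyState": "Disabled"},
    ARN + "example-pending": {"KeyState": "PendingDeletion",
                              "DeletionDate": "2017-10-08T00:00:00+00:00"},
}


def deletion_date(value):
    """DeletionDate may arrive as epoch seconds or as an ISO 8601 string."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, timezone.utc)
    return datetime.fromisoformat(value)


def assess(file_systems, keys, now):
    """Return (file_system_id, status, detail) for every file system."""
    findings = []
    for fs in file_systems:
        fs_id = fs["FileSystemId"]
        if not fs.get("Encrypted"):
            findings.append((fs_id, "not-encrypted", "no CMK involved"))
            continue
        key = keys.get(fs.get("KmsKeyId"))
        if key is None:
            findings.append((fs_id, "unknown", "no describe-key result for this CMK"))
            continue
        state = key["KeyState"]
        if state == "Enabled":
            findings.append((fs_id, "ok", "CMK is enabled"))
            continue
        if state == "PendingDeletion":
            # A key scheduled for deletion behaves as if it is disabled.
            days = (deletion_date(key["DeletionDate"]) - now).days
            detail = f"CMK is scheduled for deletion in {days} day(s); cancel the deletion to keep it"
        elif state == "Disabled":
            detail = "CMK is disabled; enabling it again is possible"
        else:
            detail = f"CMK is in state {state}"
        if fs.get("NumberOfMountTargets", 0) > 0:
            # Mounted clients keep working for a period of time; removing the
            # mount targets (after unmounting) is what cuts access.
            detail += "; mount targets still exist"
        findings.append((fs_id, "at-risk", detail))
    return findings


if __name__ == "__main__":
    for row in assess(FILE_SYSTEMS, KEYS, datetime(2017, 10, 3, tzinfo=timezone.utc)):
        print(*row, sep="\t")
```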
The following procedure outlines how to disable a CMK.
To disable a CMK
1. Open the Encryption Keys section of the IAM console at https://console.aws.amazon.com/iam/home#encryptionKeys.
2. For Region, choose the appropriate AWS Region. Don't use the region selector in the navigation bar
(top right corner).
3. Select the check box or boxes next to the alias of the CMK or CMKs that you want to disable.
Note
You can't disable AWS-managed CMKs, which are denoted by the orange AWS icon.
4. To disable a CMK, choose Key actions, Disable.
The following procedure outlines how to enable a CMK.
To enable a CMK
1. Open the Encryption Keys section of the IAM console at https://console.aws.amazon.com/iam/home#encryptionKeys.
2. For Region, choose the appropriate AWS Region. Don't use the region selector in the navigation bar
(top right corner).
3. Select the check box or boxes next to the alias of the CMK or CMKs that you want to enable.
Note
You can't enable AWS-managed CMKs, which are denoted by the orange AWS icon.
4. To enable a CMK, choose Key actions, Enable.
Related Topics
For more information on encrypted data and metadata at rest in Amazon EFS, see Encrypting Data and
Metadata at Rest in EFS (p. 90).
For example key policies, see Amazon EFS Key Policies for AWS KMS (p. 92).
For a list of AWS CloudTrail log entries associated with an encrypted file system, see Amazon EFS Log
File Entries for Encrypted File Systems (p. 79).
For more information on determining what accounts and services have access to your CMKs, see
Determining Access to an AWS KMS Customer Master Key in the AWS Key Management Service
Developer Guide.
Mounting File Systems
In the following section, you can learn how to install the Network File System (NFS) client and how to
mount your Amazon EFS file system on an Amazon EC2 instance. You also can find an explanation of
the mount command and the available options for specifying your file system's Domain Name System
(DNS) name in the mount command. In addition, you can find how to use the file fstab to automatically
remount your file system after any system restarts.
Note
Before you can mount a file system, you must create, configure, and launch your related AWS
resources. For detailed instructions, see Getting Started with Amazon Elastic File System (p. 10).
Topics
NFS Support
Installing the NFS Client
Mounting on Amazon EC2 with a DNS Name
Mounting with an IP Address
Mounting Automatically
Additional Mounting Considerations
NFS Support
Amazon EFS supports Network File System versions 4.0 and 4.1 (NFSv4.0 and NFSv4.1) when
mounting your file systems on Amazon EC2 instances. While NFSv4.0 is supported, we recommend that
you use NFSv4.1. Mounting your Amazon EFS file system on your Amazon EC2 instance also requires an
NFS client that supports your chosen NFSv4 protocol.
To get the best performance out of your file system, use an Amazon EC2 Amazon Machine
Image (AMI) that includes a Linux kernel that is version 4.0 or newer. We recommend using
Amazon Linux AMI 2016.03.0 or Amazon Linux AMI 2016.09.0 as the AMI for the Amazon EC2 instance
to mount your file system to.
Note
Using Amazon EFS with Microsoft Windows Amazon EC2 instances is not supported.
Troubleshooting AMI/Kernel Versions
To troubleshoot issues related to certain AMI or kernel versions when using Amazon EFS from an EC2
instance, see Troubleshooting AMI and Kernel Issues (p. 103).
Installing the NFS Client
To mount your Amazon EFS file system on your Amazon EC2 instance, first you need to install an NFS
client. To connect to your EC2 instance and install an NFS client, you need the public DNS name of the
EC2 instance and a user name to log in. That user name is ec2-user when connecting from computers
running Linux or Windows.
To connect to your EC2 instance and install the NFS client
1. Connect to your EC2 instance. Note the following about connecting to the instance:
• To connect to your instance from a computer running Mac OS or Linux, specify the .pem file to
  your SSH client with the -i option and the path to your private key.
• To connect to your instance from a computer running Windows, you can use either MindTerm or
  PuTTY. If you plan to use PuTTY, you need to install it and use the following procedure to convert
  the .pem file to a .ppk file.
For more information, see the following topics in the Amazon EC2 User Guide for Linux Instances:
• Connecting to Your Linux Instance from Windows Using PuTTY
• Connecting to Your Linux Instance Using SSH
The key file cannot be publicly viewable for SSH. You can use the chmod 400 filename.pem
command to set these permissions. For more information, see Create a Key Pair.
2. (Optional) Get updates and reboot.
$ sudo yum -y update
$ sudo reboot
3. After the reboot, reconnect to your EC2 instance.
4. Install the NFS client.
If you're using an Amazon Linux AMI or Red Hat Linux AMI, install the NFS client with the following
command.
$ sudo yum -y install nfs-utils
If you're using an Ubuntu Amazon EC2 AMI, install the NFS client with the following command.
$ sudo apt-get -y install nfs-common
If you use a custom kernel (build a custom AMI), you need to include at a minimum the NFSv4.1 client
kernel module and the right NFS4 userspace mount helper.
Note
If you choose the AmazonLinuxAMI2016.03.0 or AmazonLinuxAMI2016.09.0 Amazon Linux
AMI when launching your Amazon EC2 instance, you won't need to install nfs-utils because
it's already included in the AMI by default.
Next: Mount Your File System
Use one of the following procedures to mount your file system.
Mounting on Amazon EC2 with a DNS Name (p. 63)
Mounting with an IP Address (p. 64)
Mounting Automatically (p. 65)
Mounting on Amazon EC2 with a DNS Name
You can mount an Amazon EFS file system on an Amazon EC2 instance using DNS names. You can do this
with a DNS name for the file system, or a DNS name for a mount target.
• File system DNS name – Using the file system's DNS name is your simplest mounting option. The file
  system DNS name will automatically resolve to the mount target’s IP address in the Availability Zone
  of the connecting Amazon EC2 instance. You can get this DNS name from the console, or if you have
  the file system ID, you can construct it using the following convention:
  file-system-id.efs.aws-region.amazonaws.com
  Using the file system DNS name, you can mount a file system on your Amazon EC2 instance with the
  following command:
  sudo mount -t nfs -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 file-system-id.efs.aws-region.amazonaws.com:/ efs-mount-point
• Mount target DNS name – In December 2016, we introduced file system DNS names. We continue to
  provide a DNS name for each Availability Zone mount target for backward compatibility. If you delete
  a mount target and then create a new one in the same Availability Zone, the DNS name for that new
  mount target in that Availability Zone remains the same as the DNS name for the old mount target.
  The generic form of a mount target DNS name is as follows:
  availability-zone.file-system-id.efs.aws-region.amazonaws.com
For a list of regions that support Amazon EFS, see Amazon Elastic File System in the AWS General
Reference.
To be able to use a DNS name in the mount command, the following must be true:
• The connecting EC2 instance must be inside a VPC and must be configured to use the DNS server
  provided by Amazon. For information about Amazon DNS server, see DHCP Options Sets in the
  Amazon VPC User Guide.
• The VPC of the connecting EC2 instance must have DNS host names enabled. For more information,
  see Viewing DNS Hostnames for Your EC2 Instance in the Amazon VPC User Guide.
Note
We recommend that you wait 90 seconds after creating a mount target before you mount the
file system, as the DNS records propagate fully in the region.
Mounting on On-Premises Servers with a DNS Name
Although you can mount your file system on your on-premises server through AWS Direct Connect with
a DNS name, we recommend using IP addresses for simplicity. To use DNS names, you need to integrate
your DNS services in your Amazon VPC with your on-premises DNS domains. Specifically, you need to
update your on-premises DNS server to forward the DNS requests for Amazon EFS mount targets to a
DNS server in the Amazon VPC over the AWS Direct Connect connection. For more information, see How
to Set Up DNS Resolution Between On-Premises Networks and AWS Using AWS Directory Service and
Amazon Route 53, in the AWS Security Blog.
Mounting with an IP Address
As an alternative to mounting your Amazon EFS file system with the DNS name, Amazon EC2 instances
can mount a file system using a mount target’s IP address. Mounting by IP address will work in
environments where DNS is disabled, such as VPCs with DNS hostnames disabled, and EC2-Classic
instances mounting using ClassicLink. For more information on ClassicLink, see ClassicLink in the Amazon
EC2 User Guide for Linux Instances.
Mounting a file system using the mount target IP address can also be configured as a fallback option for
applications configured to mount the file system using its DNS name by default. When connecting to
a mount target IP address, EC2 instances should mount using the mount target IP address in the same
Availability Zone as the connecting instance.
You can get the mount target IP address for your EFS file system through the console using the following
procedure.
To obtain the mount target IP address for your EFS file system
1. Open the Amazon Elastic File System console at https://console.aws.amazon.com/efs/.
2. Choose the Name of your EFS file system from the File systems list.
3. In the Mount targets table, identify the Availability Zone that you want to use to mount your EFS
file system to your EC2 instance.
4. Make a note of the IP address associated with your chosen Availability Zone.
You can specify the IP address of a mount target in the mount command, as shown following:
$ sudo mount -t nfs -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 mount-target-IP:/ ~/efs-mount-point
Mounting Automatically
You can use the file fstab to automatically mount your Amazon EFS file system whenever the Amazon
EC2 instance it is mounted on reboots. There are two ways to set up automatic mounting. You can
update the /etc/fstab file in your EC2 instance after you connect to the instance for the first time, or
you can configure automatic mounting of your EFS file system when you create your EC2 instance.
Updating an Existing EC2 Instance to Mount Automatically
To automatically remount your Amazon EFS file system directory when the Amazon EC2 instance
reboots, you can use the file fstab. The file fstab contains information about file systems, and the
command mount -a, which runs during instance startup, mounts the file systems listed in the fstab
file.
Note
Before you can update the /etc/fstab file of your EC2 instance, make sure that you've already
created your Amazon EFS file system and that you're connected to your Amazon EC2 instance.
For more information, see Step 2: Create Your Amazon EFS File System (p. 15) in the Amazon
EFS Getting Started exercise.
To update the /etc/fstab file in your EC2 instance
1. Connect to your EC2 instance, and open the /etc/fstab file in an editor.
2. Add the following line to the /etc/fstab file.
mount-target-DNS:/ efs-mount-point nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,_netdev 0 0
If you want to copy the contents of your /etc/fstab file between EC2 instances in different
Availability Zones (AZ), we recommend that you use the file system DNS name. You shouldn't copy
the /etc/fstab file between AZs if you're using the mount target DNS name, because then each
file system will have a unique DNS name for each Availability Zone with a mount target. For more
information about DNS names, see Mounting on Amazon EC2 with a DNS Name (p. 63).
3. Save the changes to the file.
Your EC2 instance is now configured to mount the EFS file system whenever it restarts.
Note
If your Amazon EC2 instance needs to start regardless of the status of your mounted Amazon
EFS file system, you'll want to add the nofail option to your file system's entry in your
/etc/fstab file.
The line of code you added to the /etc/fstab file does the following.
Field – Description
mount-target-DNS:/ – The Domain Name Server (DNS) name for the file system that you want to mount. This is the same value used in mount commands to mount the subdirectory of your EFS file system.
efs-mount-point – The mount point for the EFS file system on your EC2 instance.
nfs4 – The type of file system. For EFS, this type is always nfs4.
mount options – Mount options for the file system. This is a comma-separated list of the following options:
  nfsvers – Identifies the version of NFS that will be used. We recommend 4.1 as the value for this option.
  rsize – Defines the size of the chunks for reading data between your client and the file system in the cloud. We recommend 1048576 as the value for this option.
  wsize – Defines the size of the chunks for writing data between your client and the file system in the cloud. We recommend 1048576 as the value for this option.
  hard – Specifies that the local applications using a file on the file system should stop and wait for the file system to come back online if Amazon EFS is temporarily unavailable.
  timeo – Specifies the amount of time, in tenths of a second, that the NFS client waits for a response before it retries a request to the file system in the cloud. We recommend 600 deciseconds as the value for this option.
  retrans – Specifies the number of times the NFS client should retry a request. We recommend 2 as the value for this option.
  _netdev – This is used to prevent the Amazon EC2 instance’s kernel from mounting the file system before the instance has network connectivity.
  For more information, see Additional Mounting Considerations (p. 68).
0 – A nonzero value indicates the file system should be backed up by dump. For EFS, this value should be 0.
0 – The order in which fsck checks file systems at boot. For EFS file systems, this value should be 0 to indicate that fsck should not run at startup.
Configuring an EFS File System to Mount Automatically at EC2 Instance Launch
You can configure an Amazon EC2 instance to mount your Amazon EFS file system automatically when
it is first launched with a script that works with cloud-init. You add the script during the Launch
Instance wizard of the EC2 management console. For an example of how to launch an EC2 instance from
the console, see Getting Started (p. 10).
The script installs the NFS client and writes an entry in the /etc/fstab file that will identify the mount
target DNS name as well as the subdirectory in your EC2 instance on which to mount the EFS file system.
The script ensures the file gets mounted when the EC2 instance is launched and after each system
reboot.
For more information about the customized version of cloud-init used by Amazon Linux, see
cloud-init in the Amazon EC2 User Guide for Linux Instances.
To configure your EC2 instance to mount an EFS file system automatically at launch
1. Open the Amazon EC2 console in your web browser, and begin the Launch Instance wizard.
2. When you reach Step 3: Configure Instance Details, configure your instance details, expand the
Advanced section, and then do the following:
Paste the following script into User data. You must update the script by providing the
appropriate values for file-system-id, aws-region, and efs-mount-point:
#cloud-config
package_upgrade: true
packages:
- nfs-utils
runcmd:
- mkdir -p /var/www/html/efs-mount-point/
- chown ec2-user:ec2-user /var/www/html/efs-mount-point/
- echo "file-system-id.efs.aws-region.amazonaws.com:/ /var/www/html/efs-mount-point nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 0 0" >> /etc/fstab
- mount -a -t nfs4
If you are specifying a custom path to your mount point, as in the example, you may want to
use mkdir -p, because the -p option creates intermediate parent directories as needed. The -
chown line of the preceding example changes the ownership of the directory at the mount point
from the root user to the default Linux system user account for Amazon Linux, ec2-user. You
can specify any user with this command, or leave it out of the script to keep ownership of that
directory with the root user.
For more information about user data scripts, see Adding User Data in the Amazon EC2 User
Guide for Linux Instances.
3. Complete the Launch Instance wizard.
Note
To verify that your EC2 instance is working correctly, you can integrate these steps into the
Getting Started exercise. For more information, see Getting Started (p. 10).
Your EC2 instance is now configured to mount the EFS file system at launch.
Additional Mounting Considerations
When mounting your Amazon EFS file system on an Amazon EC2 instance, note the following additional
considerations:
• We recommend the following default Linux mount option values:
  rsize=1048576
  wsize=1048576
  hard
  timeo=600
  retrans=2
• If you must change the IO size parameters (rsize and wsize), we recommend that you use the
  largest size possible (up to 1048576) to avoid diminished performance.
• If you must change the timeout parameter (timeo), we recommend that you use a value of at least
  150, which is equivalent to 15 seconds. The timeo parameter is in deciseconds, so 15 seconds is equal
  to 150 deciseconds.
• We recommend that you use the hard mount option. However, if you use a soft mount, you need to set
  the timeo parameter to at least 150 deciseconds.
• Avoid setting any other mount options that are different from the defaults. For example, changing
  read or write buffer sizes, or disabling attribute caching can result in reduced performance.
• Amazon EFS ignores source ports. If you change Amazon EFS source ports, it doesn't have any effect.
• Amazon EFS does not support any of the Kerberos security variants. For example, the following will
  cause a mount to fail:
  $ mount -t nfs4 -o krb5p <DNS_NAME>:/ /efs/
• We recommend that you mount your file system using its DNS name, which will resolve to the IP
  address of the Amazon EFS mount target in the same Availability Zone as your Amazon EC2 instance. If
  you use a mount target in a different Availability Zone than your Amazon EC2 instance, you will incur
  the standard Amazon EC2 data transfer charges for data sent across Availability Zones, and you may see
  increased latencies for file system operations.
• For more mount options, and detailed explanations of the defaults, refer to the man fstab and man
  nfs pages.
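The recommendations in this section and the fstab field table earlier can be checked mechanically. The following added example (not part of the guide) lints /etc/fstab entries against them. It assumes every nfs or nfs4 entry in the file is an EFS mount, and the sample file, including the file system ID and region in its last line, is constructed.

```python
# Values the guide recommends for an EFS entry in /etc/fstab.
RECOMMENDED = {"nfsvers": "4.1", "rsize": "1048576", "wsize": "1048576", "retrans": "2"}
MIN_TIMEO = 150  # deciseconds (15 seconds): the guide's lower bound for timeo
KERBEROS = {"krb5", "krb5i", "krb5p"}

# Constructed sample file. Line 3 is the guide's fstab line and line 4 is the
# entry written by the guide's cloud-config script, both with their placeholders.
SAMPLE_FSTAB = """\
# constructed sample /etc/fstab
/dev/xvda1 / ext4 defaults,noatime 1 1
mount-target-DNS:/ efs-mount-point nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,_netdev 0 0
file-system-id.efs.aws-region.amazonaws.com:/ /var/www/html/efs-mount-point nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 0 0
fs-0000000a.efs.us-west-2.amazonaws.com:/ /mnt/efs nfs4 nfsvers=4.0,rsize=65536,wsize=1048576,soft,timeo=50,retrans=2,sec=krb5p 0 2
"""


def parse_options(field):
    """Split the fourth fstab field into {option: value}; flags get an empty value."""
    options = {}
    for item in field.split(","):
        name, _, value = item.partition("=")
        options[name] = value
    return options


def lint_fstab_line(line):
    """Return findings for one /etc/fstab line; an empty list means nothing to report."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    fields = line.split()
    if len(fields) < 4:
        return ["malformed entry: fewer than four fields"]
    fstype, options = fields[2], parse_options(fields[3])
    if fstype not in ("nfs", "nfs4"):
        return []  # not an NFS mount, out of scope
    dump = fields[4] if len(fields) > 4 else "0"
    fsck_pass = fields[5] if len(fields) > 5 else "0"

    findings = []
    if fstype != "nfs4":
        findings.append("type is nfs; the guide uses nfs4 for EFS entries")
    if "vers" in options:  # nfs(5) accepts vers as an alias of nfsvers
        options.setdefault("nfsvers", options["vers"])
    for name, want in RECOMMENDED.items():
        got = options.get(name)
        if got != want:
            findings.append(f"{name} is {got or 'unset'}; recommended value is {want}")
    if "soft" in options:
        findings.append("soft mount; the guide recommends hard")
    timeo = options.get("timeo")
    if timeo is None:
        findings.append("timeo is unset; recommended value is 600")
    elif not timeo.isdigit() or int(timeo) < MIN_TIMEO:
        findings.append(f"timeo is {timeo}; use at least {MIN_TIMEO} deciseconds")
    if options.get("sec", "") in KERBEROS or KERBEROS.intersection(options):
        findings.append("Kerberos security option set; EFS does not support it and the mount fails")
    if "_netdev" not in options:
        findings.append("_netdev missing; the mount may be attempted before the network is up")
    if dump != "0" or fsck_pass != "0":
        findings.append("dump and fsck fields should both be 0 for EFS")
    return findings


def lint_fstab(text):
    """Lint a whole fstab file; returns {line_number: findings} for flagged lines."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        findings = lint_fstab_line(line)
        if findings:
            report[number] = findings
    return report


if __name__ == "__main__":
    for number, findings in lint_fstab(SAMPLE_FSTAB).items():
        for finding in findings:
            print(f"line {number}: {finding}")
```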
Unmounting File Systems
Before you delete a file system, we recommend that you unmount it from every Amazon EC2 instance
that it's connected to. You can unmount a file system on your Amazon EC2 instance by running the
umount command on the instance itself. You can't unmount an Amazon EFS file system through the AWS
CLI, the AWS Management Console, or through any of the AWS SDKs. To unmount an Amazon EFS file
system connected to an Amazon EC2 instance running Linux, use the umount command as follows:
umount ~/efs-mount-point
We recommend that you do not specify any other umount options. Avoid setting any other umount
options that are different from the defaults.
You can verify that your Amazon EFS file system has been unmounted by running the df command to
display the disk usage statistics for the file systems currently mounted on your Linux-based Amazon
EC2 instance. If the Amazon EFS file system that you want to unmount isn’t listed in the df command
output, this means that the file system is unmounted.
Example – Identify the Mount Status of an Amazon EFS File System and Unmount It
$ df -T
Filesystem Type 1K-blocks Used Available Use% Mounted on
/dev/sda1 ext4 8123812 1138920 6884644 15% /
availability-zone.file-system-id.efs.aws-region.amazonaws.com :/ nfs4 9007199254740992 0 9007199254740992 0% /home/ec2-user/efs
$ umount ~/efs
$ df -T
Filesystem Type 1K-blocks Used Available Use% Mounted on
/dev/sda1 ext4 8123812 1138920 6884644 15% /
Monitoring Amazon EFS
Monitoring is an important part of maintaining the reliability, availability, and performance of Amazon
EFS and your AWS solutions. You should collect monitoring data from all of the parts of your AWS
solution so that you can more easily debug a multi-point failure if one occurs. Before you start
monitoring Amazon EFS, however, you should create a monitoring plan that includes answers to the
following questions:
What are your monitoring goals?
What resources will you monitor?
How often will you monitor these resources?
What monitoring tools will you use?
Who will perform the monitoring tasks?
Who should be notified when something goes wrong?
The next step is to establish a baseline for normal Amazon EFS performance in your environment, by
measuring performance at various times and under different load conditions. As you monitor Amazon
EFS, you should consider storing historical monitoring data. This stored data will give you a baseline to
compare against current performance data, identify normal performance patterns and performance
anomalies, and devise methods to address issues.
For example, with Amazon EFS, you can monitor network throughput, I/O for read, write, and/
or metadata operations, client connections, and burst credit balances for your file systems. When
performance falls outside your established baseline, you might need to change the size of your file
system or the number of connected clients to optimize the file system for your workload.
To establish a baseline you should, at a minimum, monitor the following items:
• Your file system's network throughput.
• The number of client connections to a file system.
• The number of bytes for each file system operation, including data read, data write, and metadata
  operations.
Monitoring Tools
AWS provides various tools that you can use to monitor Amazon EFS. You can configure some of these
tools to do the monitoring for you, while some of the tools require manual intervention. We recommend
that you automate monitoring tasks as much as possible.
Automated Monitoring Tools
You can use the following automated monitoring tools to watch Amazon EFS and report when
something is wrong:
• Amazon CloudWatch Alarms – Watch a single metric over a time period that you specify, and perform
  one or more actions based on the value of the metric relative to a given threshold over a number of
  time periods. The action is a notification sent to an Amazon Simple Notification Service (Amazon SNS)
  topic or Auto Scaling policy. CloudWatch alarms do not invoke actions simply because they are in a
  particular state; the state must have changed and been maintained for a specified number of periods.
  For more information, see Monitoring with Amazon CloudWatch (p. 71).
• Amazon CloudWatch Logs – Monitor, store, and access your log files from AWS CloudTrail or other
  sources. For more information, see Monitoring Log Files in the Amazon CloudWatch User Guide.
• Amazon CloudWatch Events – Match events and route them to one or more target functions or
  streams to make changes, capture state information, and take corrective action. For more information,
  see What is Amazon CloudWatch Events in the Amazon CloudWatch User Guide.
• AWS CloudTrail Log Monitoring – Share log files between accounts, monitor CloudTrail log files in real
  time by sending them to CloudWatch Logs, write log processing applications in Java, and validate that
  your log files have not changed after delivery by CloudTrail. For more information, see Working with
  CloudTrail Log Files in the AWS CloudTrail User Guide.
Manual Monitoring Tools
Another important part of monitoring Amazon EFS involves manually monitoring those items that
the Amazon CloudWatch alarms don't cover. The Amazon EFS, CloudWatch, and other AWS console
dashboards provide an at-a-glance view of the state of your AWS environment. We recommend that you
also check the log files on your file system.
From the Amazon EFS console, you can find the following items for your file systems:
• The current metered size
• The number of mount targets
• The life cycle state
The CloudWatch home page shows:
• Current alarms and status
• Graphs of alarms and resources
• Service health status
In addition, you can use CloudWatch to do the following:
• Create customized dashboards to monitor the services you use
• Graph metric data to troubleshoot issues and discover trends
• Search and browse all your AWS resource metrics
• Create and edit alarms to be notified of problems
Monitoring with Amazon CloudWatch
You can monitor file systems using Amazon CloudWatch, which collects and processes raw data from
Amazon EFS into readable, near real-time metrics. These statistics are recorded for a period of 15
months, so that you can access historical information and gain a better perspective on how your web
application or service is performing. By default, Amazon EFS metric data is automatically sent to
CloudWatch at 1-minute periods. For more information about CloudWatch, see What Are Amazon
CloudWatch, Amazon CloudWatch Events, and Amazon CloudWatch Logs? in the Amazon CloudWatch
User Guide.
Amazon CloudWatch Metrics for Amazon EFS
The AWS/EFS namespace includes the following metrics.
Metric Description
BurstCreditBalance The number of burst credits that a file system has.
Burst credits allow a file system to burst to throughput levels above a
file system’s baseline level for periods of time. For more information, see
Throughput scaling in Amazon EFS.
The Minimum statistic is the smallest burst credit balance for any minute
during the period. The Maximum statistic is the largest burst credit balance
for any minute during the period. The Average statistic is the average burst
credit balance during the period.
Units: Bytes
Valid statistics: Minimum, Maximum, Average
ClientConnections The number of client connections to a file system. When using a standard
client, there is one connection per mounted Amazon EC2 instance.
Note
To calculate the average ClientConnections for periods greater
than one minute, divide the Sum statistic by the number of minutes
in the period.
Units: Count of client connections
Valid statistics: Sum
DataReadIOBytes The number of bytes for each file system read operation.
The Sum statistic is the total number of bytes associated with read
operations. The Minimum statistic is the size of the smallest read operation
during the period. The Maximum statistic is the size of the largest read
operation during the period. The Average statistic is the average size of
read operations during the period. The SampleCount statistic provides a
count of read operations.
Units:
Bytes for Minimum, Maximum, Average, and Sum.
Count for SampleCount.
Valid statistics: Minimum, Maximum, Average, Sum, SampleCount
DataWriteIOBytes The number of bytes for each file write operation.
The Sum statistic is the total number of bytes associated with write
operations. The Minimum statistic is the size of the smallest write operation
during the period. The Maximum statistic is the size of the largest write
operation during the period. The Average statistic is the average size of
write operations during the period. The SampleCount statistic provides a
count of write operations.
Units:
Bytes are the units for the Minimum, Maximum, Average, and Sum
statistics.
Count for SampleCount.
Valid statistics: Minimum, Maximum, Average, Sum, SampleCount
MetadataIOBytes The number of bytes for each metadata operation.
The Sum statistic is the total number of bytes associated with metadata
operations. The Minimum statistic is the size of the smallest metadata
operation during the period. The Maximum statistic is the size of the largest
metadata operation during the period. The Average statistic is the size
of the average metadata operation during the period. The SampleCount
statistic provides a count of metadata operations.
Units:
Bytes are the units for the Minimum, Maximum, Average, and Sum
statistics.
Count for SampleCount.
Valid statistics: Minimum, Maximum, Average, Sum, SampleCount
PercentIOLimit Shows how close a file system is to reaching the I/O limit of the General
Purpose performance mode. If this metric is at 100% more often than
not, consider moving your application to a file system using the Max I/O
performance mode.
Note
This metric is only submitted for file systems using the General
Purpose performance mode.
Units:
• Percent
PermittedThroughput The maximum amount of throughput a file system is allowed, given the file
system size and BurstCreditBalance. For more information, see Amazon
EFS Performance.
The Minimum statistic is the smallest throughput permitted for any
minute during the period. The Maximum statistic is the highest throughput
permitted for any minute during the period. The Average statistic is the
average throughput permitted during the period.
Units: Bytes per second
Valid statistics: Minimum, Maximum, Average
TotalIOBytes The number of bytes for each file system operation, including data read,
data write, and metadata operations.
The Sum statistic is the total number of bytes associated with all file system
operations. The Minimum statistic is the size of the smallest operation
during the period. The Maximum statistic is the size of the largest operation
during the period. The Average statistic is the average size of an operation
during the period. The SampleCount statistic provides a count of all
operations.
Note
To calculate the average operations per second for a period, divide
the SampleCount statistic by the number of seconds in the period.
To calculate the average throughput (Bytes per second) for a
period, divide the Sum statistic by the number of seconds in the
period.
Units:
Bytes for Minimum, Maximum, Average, and Sum statistics.
Count for SampleCount.
Valid statistics: Minimum, Maximum, Average, Sum, SampleCount
Bytes Reported in CloudWatch
As with Amazon S3 and Amazon EBS, Amazon EFS CloudWatch metrics are reported as raw Bytes.
Bytes are not rounded to either a decimal or binary multiple of the unit. Keep this in mind when
calculating your burst rate using the data you get from the metrics. For more information on bursting,
see Throughput Scaling in Amazon EFS (p. 83).
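The divisions described in the ClientConnections and TotalIOBytes notes, applied to raw byte values and compared against a stored baseline. This is an added example, not code from the original guide; the datapoints are constructed, and the 5-minute period, the 50 percent tolerance, and the function names are assumptions.

```python
from datetime import datetime, timezone

PERIOD = 300  # seconds per datapoint; an assumed 5-minute request period

def _ts(minute):
    return datetime(2017, 6, 1, 12, minute, tzinfo=timezone.utc)

# Constructed datapoints, shaped like the Datapoints list of GetMetricStatistics.
TOTAL_IO = [
    {"Timestamp": _ts(0), "Sum": 3_145_728_000.0, "SampleCount": 96_000.0},
    {"Timestamp": _ts(5), "Sum": 3_460_300_800.0, "SampleCount": 105_000.0},
    {"Timestamp": _ts(10), "Sum": 15_728_640_000.0, "SampleCount": 450_000.0},
]
CLIENT_CONNECTIONS = [  # no datapoint for 12:05: CloudWatch omits empty periods
    {"Timestamp": _ts(0), "Sum": 20.0},
    {"Timestamp": _ts(10), "Sum": 60.0},
]

def derive_rates(total_io, client_connections, period=PERIOD):
    """Apply the divisions from the metric notes to each period."""
    conns = {dp["Timestamp"]: dp["Sum"] for dp in client_connections}
    rows = []
    for dp in sorted(total_io, key=lambda d: d["Timestamp"]):
        clients = conns.get(dp["Timestamp"])
        rows.append({
            "timestamp": dp["Timestamp"],
            "ops_per_sec": dp["SampleCount"] / period,
            "bytes_per_sec": dp["Sum"] / period,        # raw bytes, as reported
            "mib_per_sec": dp["Sum"] / period / 2**20,  # binary multiple, for display
            "avg_clients": None if clients is None else clients / (period / 60),
        })
    return rows

def outside_baseline(rows, baseline_rows, key, tolerance=0.5):
    """Return rows whose value differs from the baseline mean by more than tolerance."""
    known = [r[key] for r in baseline_rows if r[key] is not None]
    if not known:
        return []
    mean = sum(known) / len(known)
    return [r for r in rows
            if r[key] is not None and abs(r[key] - mean) > tolerance * mean]

if __name__ == "__main__":
    rates = derive_rates(TOTAL_IO, CLIENT_CONNECTIONS)
    for r in outside_baseline(rates, rates[:2], "mib_per_sec"):
        print(r["timestamp"].isoformat(), f'{r["mib_per_sec"]:.1f} MiB/s')
```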
Amazon EFS Dimensions
Amazon EFS metrics use the EFS namespace and provide metrics for a single dimension,
FileSystemId. A file system's ID can be found in the Amazon EFS management console, and it takes
the form of fs-XXXXXXXX.
How Do I Use Amazon EFS Metrics?
The metrics reported by Amazon EFS provide information that you can analyze in different ways. The
list below shows some common uses for the metrics. These are suggestions to get you started, not a
comprehensive list.
How do I? Relevant Metrics
How can I determine my throughput?
You can monitor the daily Sum statistic of the TotalIOBytes metric to see your throughput.
How can I track the number of Amazon EC2 instances that are connected to a file system?
You can monitor the Sum statistic of the ClientConnections metric. To calculate the average
ClientConnections for periods greater than one minute, divide the sum by the number of minutes
in the period.
How can I see my burst credit balance?
You can see your balance by monitoring the BurstCreditBalance metric for your file system. For
more information on bursting and burst credits, see Throughput Scaling in Amazon EFS (p. 83).
Monitoring EFS File Sync with Amazon CloudWatch
You can monitor EFS File Sync using Amazon CloudWatch, which collects and processes raw data from
Amazon EFS into readable, near real-time metrics. These statistics are recorded for a period of 15
months, so that you can access historical information and gain a better perspective on how EFS File Sync.
By default, EFS File Sync metric data is automatically sent to CloudWatch at 5-minute periods. For more
information about CloudWatch, see What Are Amazon CloudWatch, Amazon CloudWatch Events, and
Amazon CloudWatch Logs? in the Amazon CloudWatch User Guide.
The AWS/FileSync namespace includes the following metrics.
Metric Description
FilesTransferred The number of files and directories transferred from the source file system
to the Amazon EFS file system. A file or directory is considered to be
transferred if any aspect of the file or directory required syncing. and
increments this metric. In this case, this metric is incremented. However, if
only metadata is changed then no actual data will be transferred.
Units: Count
PhysicalBytesTransferred The total number of bytes transferred over the network when the sync
agent reads from the source file system to the Amazon EFS file system.
Units: Bytes
LogicalBytesTransferred The total size of the files transferred to the Amazon EFS file system.
Directories and metadata are not included in this metric.
Units: Bytes
Amazon EFS File Sync Dimensions
EFS File Sync metrics use the AWS/FileSync namespace and provide metrics for the following
dimensions.
• HostId—the unique ID of your host server.
• HostName—the name or domain of your host server.
• SyncSetId—the ID of the sync set. It takes the form set-12345678912345678.
Access CloudWatch Metrics
There are many ways to see the Amazon EFS metrics for CloudWatch. You can view them through the
CloudWatch console, or you can access them using the CloudWatch CLI or the CloudWatch API. The
following procedures show you how to access the metrics using these various tools.
To view metrics using the CloudWatch console
1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
2. In the navigation pane, choose Metrics.
3. Select the EFS namespace.
4. (Optional) To view a metric, type its name in the search field.
5. (Optional) To filter by dimension, select FileSystemId.
To access metrics from the AWS CLI
Use the list-metrics command with the --namespace "AWS/EFS" namespace. For more
information, see the AWS Command Line Interface Reference.
To access metrics from the CloudWatch API
Call GetMetricStatistics. For more information, see Amazon CloudWatch API Reference.
Creating CloudWatch Alarms to Monitor Amazon EFS
You can create a CloudWatch alarm that sends an Amazon SNS message when the alarm changes state.
An alarm watches a single metric over a time period you specify, and performs one or more actions
based on the value of the metric relative to a given threshold over a number of time periods. The action
is a notification sent to an Amazon SNS topic or Auto Scaling policy.
Alarms invoke actions for sustained state changes only. CloudWatch alarms don't invoke actions simply
because they are in a particular state; the state must have changed and been maintained for a specified
number of periods.
Note
One important use of CloudWatch alarms for Amazon EFS is with file system encryption.
You can enable encryption for an Amazon EFS file system when it's created. To enforce data
encryption policies for Amazon EFS file systems, you can use Amazon CloudWatch and AWS
CloudTrail to detect the creation of a file system and verify that encryption is enabled. For
more information, see Walkthrough 6: Enforcing Encryption on an Amazon EFS File System at
Rest (p. 144).
The following procedures outline how to create alarms for Amazon EFS.
To set alarms using the CloudWatch console
1. Sign in to the AWS Management Console and open the CloudWatch console at
https://console.aws.amazon.com/cloudwatch/.
2. Choose Create Alarm. This launches the Create Alarm Wizard.
3. Choose EFS Metrics and scroll through the Amazon EFS metrics to locate the metric you want to
place an alarm on. To display just the Amazon EFS metrics in this dialog box, search on the file
system id of your file system. Select the metric to create an alarm on and choose Next.
4. Fill in the Name, Description, and Whenever values for the metric.
5. If you want CloudWatch to send you an email when the alarm state is reached, in the Whenever this
alarm: field, choose State is ALARM. In the Send notification to: field, choose an existing SNS topic.
If you select Create topic, you can set the name and email addresses for a new email subscription
list. This list is saved and appears in the field for future alarms.
Note
If you use Create topic to create a new Amazon SNS topic, the email addresses must be
verified before they receive notifications. Emails are only sent when the alarm enters an
alarm state. If this alarm state change happens before the email addresses are verified, they
do not receive a notification.
6. At this point, the Alarm Preview area gives you a chance to preview the alarm you’re about to
create. Choose Create Alarm.
To set an alarm using the AWS CLI
Call put-metric-alarm. For more information, see AWS Command Line Interface Reference.
To set an alarm using the CloudWatch API
Call PutMetricAlarm. For more information, see Amazon CloudWatch API Reference.
Logging Amazon EFS API Calls with AWS CloudTrail
Amazon EFS is integrated with AWS CloudTrail, a service that captures AWS API calls and delivers the
log files to an Amazon S3 bucket that you specify. CloudTrail captures API calls from the Amazon EFS
console, the AWS CLI, or one of the AWS SDKs to the Amazon EFS API operations. Using the information
collected by CloudTrail, you can determine the request that was made to Amazon EFS, the source IP
address from which the request was made, who made the request, when it was made, and more.
Once you've created a trail, it starts logging events automatically for that region. It can take about 15
minutes for the logs to appear in the bucket. To learn more about CloudTrail, including how to configure
and enable it, see the AWS CloudTrail User Guide.
Amazon EFS Information in CloudTrail
When CloudTrail logging is enabled in your AWS account, API calls made to Amazon EFS are tracked in
CloudTrail log files, where they are written with other AWS service records. CloudTrail determines when
to create and write to a new log file based on a time period and file size.
All Amazon EFS API calls (p. 168) are logged by CloudTrail. For example, calls to the
CreateFileSystem, CreateMountTarget and CreateTags actions generate entries in the CloudTrail
log files.
Each log file contains at least one API call. Some Amazon EFS API calls will trigger other API calls
for other services. For example, the Amazon EFS CreateMountTarget API call will trigger a
CreateNetworkInterface Amazon EC2 API call. For more information on which Amazon EFS API
actions will trigger API calls in other services, see the Required Permissions (API Actions) column of the
table in Amazon EFS API Permissions: Actions, Resources, and Conditions Reference (p. 165).
Every log entry contains information about who generated the request. The user identity information in
the log entry helps you determine the following:
• Whether the request was made with root or IAM user credentials
• Whether the request was made with temporary security credentials for a role or federated user
• Whether the request was made by another AWS service
For more information, see the CloudTrail userIdentity Element.
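A reviewer for Amazon EFS entries in a CloudTrail log file that answers the three userIdentity questions above and flags root use and unencrypted file system creation. This is an added example, not code from the original guide; the log records are constructed, and it assumes the encryption flag appears as responseElements.encrypted on CreateFileSystem entries.

```python
import json

EFS_SOURCE = "elasticfilesystem.amazonaws.com"
KINDS = {"Root": "root", "IAMUser": "iam-user", "AssumedRole": "role-session",
         "FederatedUser": "federated-user", "AWSService": "aws-service"}

# Constructed log file: the account ID, names, IDs and IP addresses are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2017-06-01T12:00:00Z", "eventSource": EFS_SOURCE,
     "eventName": "CreateFileSystem", "sourceIPAddress": "192.0.2.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "responseElements": {"fileSystemId": "fs-XXXXXXXX", "encrypted": False}},
    {"eventTime": "2017-06-01T12:05:00Z", "eventSource": EFS_SOURCE,
     "eventName": "CreateMountTarget", "sourceIPAddress": "192.0.2.11",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"mountTargetId": "fsmt-XXXXXXXX"}},
    {"eventTime": "2017-06-01T12:05:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateNetworkInterface", "sourceIPAddress": EFS_SOURCE,
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root",
                      "invokedBy": EFS_SOURCE}},
    {"eventTime": "2017-06-01T12:09:00Z", "eventSource": EFS_SOURCE,
     "eventName": "CreateTags", "sourceIPAddress": "192.0.2.12",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ops/session1"}},
]})

def identity_kind(user_identity):
    """Answer the userIdentity questions with one label."""
    if user_identity.get("invokedBy"):  # call made on your behalf by an AWS service
        return "aws-service"
    return KINDS.get(user_identity.get("type"), "unknown")

def review(log_text):
    """Return one summary per EFS-related record, with any policy issues found."""
    out = []
    for rec in json.loads(log_text)["Records"]:
        ident = rec.get("userIdentity") or {}
        # Keep EFS API calls and calls that EFS triggered in other services.
        if rec.get("eventSource") != EFS_SOURCE and ident.get("invokedBy") != EFS_SOURCE:
            continue
        kind = identity_kind(ident)
        issues = []
        if kind == "root":
            issues.append("root credentials used")
        resp = rec.get("responseElements") or {}
        if (rec.get("eventName") == "CreateFileSystem" and not rec.get("errorCode")
                and resp.get("encrypted") is not True):  # assumed field location
            issues.append("file system created without encryption at rest")
        out.append({"when": rec.get("eventTime"), "event": rec.get("eventName"),
                    "who": ident.get("arn"), "kind": kind,
                    "source_ip": rec.get("sourceIPAddress"), "issues": issues})
    return out

if __name__ == "__main__":
    for row in review(SAMPLE_LOG):
        print(row)
```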
You can store your log files in your Amazon S3 bucket for as long as you want, but y