You can pretty much think of AWS EFS as a shared drive that you can access on a network, much like Windows folder sharing and Samba folder sharing.
Here I will be showing to create and connect to an EFS (via standard mount and via an access point) using Ubuntu and Amazon Linux.
A typical use case if you are running an AWS ECS cluster with multiple containers and those containers use a shared file system for example to store user uploaded images.
Create your EFS
Once created, click Attach
Make sure your instance is in the same VPC.
If you mounting via IP, make sure to select which subnet your instance is located.
| EFS mount type | NFS mount type | |
| Standard mount & DNS | Yes | Yes |
| Standard mount & IP | Yes | Yes |
| Access point mount & DNS | Yes | No |
| Access point mount & IP | Not supported | Not supported |
There are 3 ways to mount an EFS:
Using DNS and efs mount type
sudo mount -t efs -o tls fs-0585257d6216aa733:/ efs
Using DNS and nfs mount type
sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport fs-0585257d6216aa733.efs.ap-southeast-1.amazonaws.com:/ efs
Using IP and nfs mount typesudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport 172.31.43.35:/ efs
If you are using an EFS access point, only efs mount type is available.
| Amazon Linux | Ubuntu | |
| EFS mount type | yum install amazon-efs-utils | Build from source |
| NFS mount type | Built in (no need to install anything) | apt install nfs-common |
In Amazon Linux, you need to install amazon-efs-utils if you want to use efs mount type.
yum install amazon-efs-utilsIn Ubuntu you need to install nfs-common to use nfs mount type and need to build amazon-efs-utils from source to use efs mount type.
apt install nfs-commonTo build amazon-efs-utils for Ubuntu, follow the guide provided by AWS. It looks something like this
apt update
apt install git binutils
git clone https://github.com/aws/efs-utils
cd efs-utils/
./build-deb.sh
apt install ./build/amazon-efs-utils-1.35.0-1_all.debOnce you have everything prepared (either efs or nfs or both) we can start mounting.
Create a folder called storage and mount (using one of the methods described above)
mkdir storage
mount -t efs -o tls fs-0585257d6216aa733:/ storageAt this point if it seems to not wanting to mount, for example takes a long time then timing out, this is an indication that your security group is wrong. The instance (or more precisely the instance’s network interface) is unable to send data packets to the EFS. Usually there is a default security group, which allows traffic from within that VPC. Here what it looks like on mine, you need to add that security group.
Once you are able to mount, let’s create a folder structure and some files.
mkdir -p storage/one/two/three storage/a storage/b
touch storage/root.txt storage/a/file-a.txt storage/b/file-b.txt storage/one/two/three/in-three.txtMount the same EFS on another folder in the same instance or use another instance to mount. You should see the same folders and files. Here I am mounting it in folder storage-one and folder storage-two.
# tree storage-one
storage-one
├── a
│ └── file-a.txt
├── b
│ └── file-b.txt
├── one
│ └── two
│ └── three
│ └── in-three.txt
└── root.txt
5 directories, 4 files
# touch storage-one/just-created-this-file.txt
# tree storage-two
storage-two
├── a
│ └── file-a.txt
├── b
│ └── file-b.txt
├── just-created-this-file.txt
├── one
│ └── two
│ └── three
│ └── in-three.txt
└── root.txt
5 directories, 5 filesThere is also a concept of EFS access point. With an access point, you can restrict users of that access point to be confined to a certain folder and its subfolders only (it’s like being in a chroot jail if you’re familiar with the concept of chroot). For example if you have this folder structure
.
├── a <-- EFS access point storage-a is set to folder a/
│ └── file-a.txt
├── b
│ └── file-b.txt
├── just-created-this-file.txt
├── one
│ ├── in-one.txt
│ └── two <- EFS access point storage-two is set to folder one/two/
│ ├── in-two.txt
│ └── three
│ └── in-three.txt
└── root.txt
A user mounting access point storage-a to /media/storage-a and doing a tree /media/storage-a or ls -lR /media/storage-a would see this
[root@ironkore-amz media]# sudo mount -t efs -o tls,accesspoint=fsap-0bae839aa314edb9b fs-0585257d6216aa733:/ storage-a
[root@ironkore-amz media]# cd storage-a
[root@ironkore-amz storage-a]# tree
.
└── file-a.txtA user mounting access point storage-b to /media/storage-b and doing a tree /media-storage-b or ls -lR /media/storage-b would see this
[root@ironkore-amz media]# sudo mount -t efs -o tls,accesspoint=fsap-057f27565bede050a fs-0585257d6216aa733:/ storage-b
[root@ironkore-amz media]# cd storage-b
[root@ironkore-amz storage-b]# tree
.
├── in-two.txt
└── three
└── in-three.txtAn EFS access point also has the ability to to use a certain user ID and group ID for all file operations done on the access point. Let’s say you are creating a file as root (user ID 0) but if you have setup the access point to use user ID 1000, the file will be created as if user ID 1000 has created it.
In my EC2 instances, by looking at /etc/passwd I can see that in Amazon Linux user ID 100 is the user ec2-user, while in Ubuntu, user ID 1000 is the user ubuntu. Since I setup the access point to use user ID 1000. In Amazon Linux I will see that the file was created by user ec2-user, while in Ubuntu I will see the file was created by user ubuntu (if there is no mapping for user ID 1000, then it will just show up as the number 1000). Note that if you are using this feature, make sure that the folder itself is readable/writeable from the perspective of a user ID 1000 (i.e. if you want to be read-only, then make it read-only for user ID 1000, if you want to make it read-write, then make the file permissions read-write for user ID 1000 using chmod).
Even though I am root and I’ve mounted storage-b, when I try to create a file, it was denied, because it was trying to create the file using user ID 1000 and group ID 1000, since I am accessing it via EFS access point storage-b.
[root@ironkore-amz storage-b]# ls -al
total 12
drwxr-xr-x. 3 root root 6144 Oct 11 23:17 .
drwxr-xr-x. 7 root root 90 Oct 12 10:09 ..
-rw-r--r--. 1 root root 0 Oct 11 23:17 in-two.txt
drwxr-xr-x. 2 root root 6144 Oct 11 15:07 three
[root@ironkore-amz storage-b]# whoami
root
[root@ironkore-amz storage-b]# touch created-in-amazon-linux-by-root.txt
touch: cannot touch 'created-in-amazon-linux-by-root.txt': Permission deniedLet’s chown to 1000:1000
[root@ironkore-amz efs]# tree
.
├── a
│ └── file-a.txt
├── b
│ └── file-b.txt
├── just-created-this-file.txt
├── one
│ ├── in-one.txt
│ └── two
│ ├── in-two.txt
│ └── three
│ └── in-three.txt
└── root.txt
5 directories, 7 files
[root@ironkore-amz efs]# chown 1000:1000 -R one/twoAnd try again using storage-b, it is now a success. And as you can see it created the file “created-in-amazon-linux-by_root.txt” as user ec2-user (which in this Linux host is user ID 1000), even though I am root.
[root@ironkore-amz storage-b]# cd /media/storage-b
[root@ironkore-amz storage-b]# ls -al
total 12
drwxr-xr-x. 3 ec2-user ec2-user 6144 Oct 11 23:17 .
drwxr-xr-x. 8 root root 101 Oct 12 10:12 ..
-rw-r--r--. 1 ec2-user ec2-user 0 Oct 11 23:17 in-two.txt
drwxr-xr-x. 2 ec2-user ec2-user 6144 Oct 11 15:07 three
[root@ironkore-amz storage-b]# touch created-in-amazon-linux-by-root.txt
[root@ironkore-amz storage-b]# ls -al
total 16
drwxr-xr-x. 3 ec2-user ec2-user 6144 Oct 12 10:15 .
drwxr-xr-x. 8 root root 101 Oct 12 10:12 ..
-rw-r--r--. 1 ec2-user ec2-user 0 Oct 12 10:15 created-in-amazon-linux-by-root.txt
-rw-r--r--. 1 ec2-user ec2-user 0 Oct 11 23:17 in-two.txt
drwxr-xr-x. 2 ec2-user ec2-user 6144 Oct 11 15:07 threeIf I mount this EFS access point using Ubuntu (which user ID 1000 is the user ubuntu). I will see this
root@noktis-ubuntu:/media# sudo mount -t efs -o tls,accesspoint=fsap-057f27565bede050a fs-0585257d6216aa733:/ storage-b
root@noktis-ubuntu:/media# cd storage-b
root@noktis-ubuntu:/media/storage-b# ls -al
total 20
drwxr-xr-x 3 ubuntu ubuntu 6144 Oct 12 10:15 .
drwxr-xr-x 3 root root 4096 Oct 12 10:18 ..
-rw-r--r-- 1 ubuntu ubuntu 0 Oct 12 10:15 created-in-amazon-linux-by-root.txt
-rw-r--r-- 1 ubuntu ubuntu 0 Oct 11 23:17 in-two.txt
drwxr-xr-x 2 ubuntu ubuntu 6144 Oct 11 15:07 three