Creating file system policies - Amazon Elastic File System
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating file system policies

You can create a file system policy by using the Amazon EFS console or by using the Amazon CLI. You can also create a file system policy programmatically by using Amazon SDKs or the Amazon EFS API directly. EFS file system policies have a 20,000 character limit. For more information about using an EFS file system policy and examples, see Using IAM to control file system data access.

Note

Amazon EFS file system policy changes can take several minutes to take effect.

  1. Open the Amazon Elastic File System console at https://console.amazonaws.cn/efs/.

  2. Choose File Systems.

  3. On the File systems page, choose the file system that you want to edit or create a file system policy for. The details page for that file system is displayed.

  4. Choose File system policy, then choose Edit. The File system policy page appears.

    The File system policy editor is where you create and edit file system policies in the Amazon EFS console.

  5. In Policy options, you can choose any combination of the preconfigured file system policies:

    • Prevent root access by default – This option removes ClientRootAccess from the set of allowed EFS actions.

    • Enforce read-only access by default – This option removes ClientWriteAccess from the set of allowed EFS actions.

    • Prevent anonymous access – This option removes ClientMount from the set of allowed EFS actions.

    • Enforce in-transit encryption for all clients – This option denies access to unencrypted clients.

    When you choose a preconfigured policy, the policy JSON object is displayed in the Policy editor pane.

  6. Use Grant additional permissions to grant file system permissions to additional IAM principals, including another Amazon Web Services account. Choose Add, and enter the principal ARN of the entity that you are granting permissions to. Then choose the Permissions that you want to grant. The additional permissions are shown in the Policy editor.

  7. You can use the Policy editor to customize a preconfigured policy or to create your own file system policy. When you use the editor, the preconfigured policy options become unavailable. To clear the current file system policy and start creating a new policy, choose Clear.

    When you clear the editor, the preconfigured policies become available once again.

  8. After you complete editing the policy, choose Save.

In the following example, the put-file-system-policy CLI command creates a file system policy that allows the specified Amazon Web Services account read-only access to the EFS file system. The equivalent API command is PutFileSystemPolicy.

aws efs put-file-system-policy --file-system-id fs-01234567 --policy '{
    "Id": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:ClientMount"
            ],
            "Principal": {
                "AWS": "arn:aws-cn:iam::111122223333:root"
            }
        }                                                                                                 
    ]
}'
{
    "FileSystemId": "fs-01234567",
    "Policy": "{
    "Version" : "2012-10-17",
    "Id" : "1",
    "Statement" : [
        {
           "Sid" : "efs-statement-7c8d8687-1c94-4fdc-98b7-555555555555",
           "Effect" : "Allow",
           "Principal" : {
              "AWS" : "arn:aws-cn:iam::111122223333:root"
           },
           "Action" : [ 
              "elasticfilesystem:ClientMount" 
           ],
           "Resource" : "arn:aws-cn:elasticfilesystem:us-east-2:555555555555:file-system/fs-01234567"
           } 
        ]
    }
}