Using VPC security groups
When using Amazon EFS, you specify VPC security groups for your EC2 instances and security groups for the EFS mount targets associated with the file system. A security group acts as a firewall, and the rules that you add define the traffic flow. In the Getting started exercise, you created one security group when you launched the EC2 instance. You then associated another with the EFS mount target (that is, the default security group for your default VPC). That approach works for the Getting started exercise. However, for a production system, you should set up security groups with minimal permissions for use with Amazon EFS.
You can authorize inbound and outbound access to your EFS file system. To do so, you add rules that allow EC2 instances to connect to your EFS file system through the mount target using the Network File System (NFS) port.
- Each EC2 instance that mounts the file system must have a security group with a rule that allows outbound access to the mount target on the NFS port.
- The EFS mount target needs to have a security group with a rule that allows inbound access from each EC2 instance on which you want to mount the file system.
Source ports for working with Amazon EFS
To support a broad set of NFS clients, Amazon EFS allows connections from any source port. If you require that only privileged users can access Amazon EFS, we recommend using the following client firewall rule. Connect to your instance using SSH and run the following command:
iptables -I OUTPUT 1 -m owner --uid-owner 1-4294967294 -m tcp -p tcp --dport 2049 -j DROP
This command inserts a new rule at the start of the OUTPUT chain (-I OUTPUT 1). The rule prevents any unprivileged, nonkernel process (-m owner --uid-owner 1-4294967294) from opening a connection to the NFS port (-m tcp -p tcp --dport 2049).
Security considerations for network access
An NFS version 4.1 (NFSv4.1) client can only mount a file system if it can make a network connection to the NFS port (TCP port 2049) of one of the file system's mount targets. Similarly, an NFSv4.1 client can only assert a user and group ID when accessing a file system if it can make this network connection.
Whether you can make this network connection is governed by a combination of the following:
- Network isolation provided by the mount targets' VPC – File system mount targets can't have public IP addresses associated with them. The only targets that can mount file systems are the following:
  - Amazon EC2 instances in the local Amazon VPC
  - EC2 instances in connected VPCs
  - On-premises servers connected to an Amazon VPC by using Amazon Direct Connect and an Amazon Virtual Private Network (VPN)
- Network access control lists (ACLs) for the VPC subnets of the client and mount targets, for access from outside the mount target's subnets – To mount a file system, the client must be able to make a TCP connection to the NFS port of a mount target and receive return traffic.
- Rules of the client's and mount targets' VPC security groups, for all access – For an EC2 instance to mount a file system, the following security group rules must be in effect:
  - The file system must have a mount target whose network interface has a security group with a rule that enables inbound connections on the NFS port from the instance. You can enable inbound connections either by IP address (CIDR range) or security group. The source of the security group rules for the inbound NFS port on mount target network interfaces is a key element of file system access control. Inbound rules other than the one for the NFS port, and any outbound rules, aren't used by network interfaces for file system mount targets.
  - The mounting instance must have a network interface with a security group rule that enables outbound connections to the NFS port on one of the file system's mount targets. You can enable outbound connections either by IP address (CIDR range) or security group.
For more information, see Managing mount targets.
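Because the inbound NFS rule on the mount target's security group is the element that actually controls who can mount, it is worth auditing regularly. The following Python script is an added example, not code from the AWS documentation: it walks security groups in the shape returned by `aws ec2 describe-security-groups`, lists every source admitted on TCP 2049 for the groups attached to mount targets, rates each source (security-group reference or tight CIDR is fine, an open 0.0.0.0/0 or ::/0 is critical), and counts inbound rules on other ports, which a mount target's network interface ignores. The embedded input is a constructed sample; the group IDs and CIDRs are invented. In practice you would feed it the real describe-security-groups output together with the group IDs reported by `aws efs describe-mount-target-security-groups`.

```python
"""Audit mount-target security groups for over-broad NFS (TCP 2049) inbound rules.

Input mirrors `aws ec2 describe-security-groups` JSON. The sample below is
constructed for illustration: the group IDs and CIDRs are not real resources.
"""
from ipaddress import ip_network

NFS_PORT = 2049

# Constructed sample in describe-security-groups shape (not real resources).
SAMPLE_GROUPS = [
    {   # tight: NFS only from the client instances' security group
        "GroupId": "sg-0efsexample01", "GroupName": "efs-mt-ok",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0ec2example01"}]},
        ],
    },
    {   # open to the world on NFS, plus an SSH rule the mount target never uses
        "GroupId": "sg-0efsexample02", "GroupName": "efs-mt-open",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
        ],
    },
    {   # all protocols from a whole /8: admits NFS from far more than the clients
        "GroupId": "sg-0efsexample03", "GroupName": "efs-mt-all",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
]


def covers_nfs(perm):
    """True if an IpPermission entry admits TCP 2049.
    IpProtocol "-1" means all protocols and carries no port range."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm["FromPort"] <= NFS_PORT <= perm["ToPort"]


def classify_source(cidr=None, group_id=None, max_prefix=None):
    """Rate one source of an NFS rule. A security-group reference is the tight
    form; a CIDR is rated by how much address space it admits."""
    if group_id:
        return "ok"
    net = ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "critical"   # 0.0.0.0/0 or ::/0: anything that can route to the ENI
    if max_prefix is not None and net.prefixlen < max_prefix:
        return "warn"       # broader than the threshold the caller chose
    return "ok"


def nfs_sources(sg, max_prefix=16):
    """Return [(source, rating)] for every NFS-admitting inbound rule of sg."""
    out = []
    for perm in sg.get("IpPermissions", []):
        if not covers_nfs(perm):
            continue
        for r in perm.get("IpRanges", []):
            out.append((r["CidrIp"], classify_source(cidr=r["CidrIp"], max_prefix=max_prefix)))
        for r in perm.get("Ipv6Ranges", []):
            out.append((r["CidrIpv6"], classify_source(cidr=r["CidrIpv6"], max_prefix=max_prefix)))
        for p in perm.get("UserIdGroupPairs", []):
            out.append((p["GroupId"], classify_source(group_id=p["GroupId"])))
    return out


def audit(groups, mount_target_sg_ids, max_prefix=16):
    """Map each mount-target security group ID to its NFS sources and to the
    number of inbound rules that do not cover NFS (dead weight on a mount target)."""
    by_id = {g["GroupId"]: g for g in groups}
    report = {}
    for sg_id in mount_target_sg_ids:
        sg = by_id[sg_id]
        unused = sum(1 for p in sg.get("IpPermissions", []) if not covers_nfs(p))
        report[sg_id] = {"sources": nfs_sources(sg, max_prefix),
                         "unused_inbound_rules": unused}
    return report


def worst(report):
    """Overall rating across all audited groups."""
    order = {"ok": 0, "warn": 1, "critical": 2}
    ratings = [r for entry in report.values() for _, r in entry["sources"]]
    return max(ratings, key=order.get, default="ok")


if __name__ == "__main__":
    rep = audit(SAMPLE_GROUPS, [g["GroupId"] for g in SAMPLE_GROUPS])
    for sg_id, entry in rep.items():
        print(sg_id, entry)
    print("worst rating:", worst(rep))
```

The `max_prefix` threshold is a policy knob: a /16 matching the VPC CIDR is often acceptable, while a rule that references the client security group directly is the form the text recommends and needs no CIDR judgement at all.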
Creating security groups
To create security groups for EC2 instances and EFS mount targets
The following are the general steps that you'll perform when creating the security groups for Amazon EFS. For instructions on creating the security groups, see Create a security group in the Amazon VPC User Guide.
- For your EC2 instances, create a security group with the following rules:
  - An inbound rule that allows Secure Shell (SSH) access from any host. Optionally, restrict the Source address.
  - An outbound rule that allows all traffic to leave. When you create a security group, it is created with an outbound rule by default, so you shouldn't need to add one.
- For your EFS mount target, create a security group with the following rules:
  - An inbound rule that allows access from the EC2 security group. Identify the EC2 security group as the source.
  - An outbound rule to open the TCP connection on all of the NFS ports. Identify the EC2 security group as the destination.
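The two-step procedure above, carried out with boto3, as an added example that is not part of the AWS documentation. It assumes a VPC ID supplied by the caller, AWS credentials in the environment, and that boto3 is installed; the group names are invented. The rule payloads are built by small pure functions so they can be inspected before anything is created, and the `RecordingClient` class is a stand-in (not part of boto3) that lets the whole sequence be dry-run offline.

```python
"""Create the EC2-instance and EFS-mount-target security groups with boto3.

Added example. Assumes: caller supplies the VPC ID, credentials come from the
environment, boto3 is installed. Group names below are invented.
"""
NFS_PORT = 2049
SSH_PORT = 22


def ec2_instance_ingress(ssh_source_cidr="0.0.0.0/0"):
    """Step 1: inbound SSH for the instance group. Any host is the documented
    default; pass your admin range to restrict the Source."""
    return [{
        "IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
        "IpRanges": [{"CidrIp": ssh_source_cidr, "Description": "SSH admin access"}],
    }]


def mount_target_ingress(ec2_sg_id):
    """Step 2: inbound NFS for the mount-target group, source = the EC2 group.
    A group reference rather than a CIDR means only instances in that group can mount."""
    return [{
        "IpProtocol": "tcp", "FromPort": NFS_PORT, "ToPort": NFS_PORT,
        "UserIdGroupPairs": [{"GroupId": ec2_sg_id, "Description": "NFS from EFS clients"}],
    }]


def mount_target_egress(ec2_sg_id):
    """Step 2: outbound NFS toward the EC2 group, per the procedure."""
    return [{
        "IpProtocol": "tcp", "FromPort": NFS_PORT, "ToPort": NFS_PORT,
        "UserIdGroupPairs": [{"GroupId": ec2_sg_id}],
    }]


def apply_security_groups(ec2, vpc_id, ssh_source_cidr="0.0.0.0/0"):
    """ec2 is a boto3 EC2 client (or a stand-in). Returns (ec2_sg_id, efs_sg_id)."""
    ec2_sg = ec2.create_security_group(
        GroupName="efs-client-instances",
        Description="EC2 instances that mount the EFS file system", VpcId=vpc_id)["GroupId"]
    ec2.authorize_security_group_ingress(GroupId=ec2_sg,
                                         IpPermissions=ec2_instance_ingress(ssh_source_cidr))
    # The default allow-all egress rule is kept on the instance group, as the text notes.

    efs_sg = ec2.create_security_group(
        GroupName="efs-mount-targets",
        Description="EFS mount targets", VpcId=vpc_id)["GroupId"]
    ec2.authorize_security_group_ingress(GroupId=efs_sg,
                                         IpPermissions=mount_target_ingress(ec2_sg))
    # Replace the default allow-all egress with the NFS-only rule from step 2.
    ec2.revoke_security_group_egress(GroupId=efs_sg, IpPermissions=[
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    ec2.authorize_security_group_egress(GroupId=efs_sg,
                                        IpPermissions=mount_target_egress(ec2_sg))
    return ec2_sg, efs_sg


class RecordingClient:
    """Stand-in for a boto3 EC2 client (not part of boto3): records every call
    and hands out fake group IDs so the procedure can be dry-run offline."""
    def __init__(self):
        self.calls = []
        self._n = 0

    def create_security_group(self, **kw):
        self._n += 1
        self.calls.append(("create_security_group", kw))
        return {"GroupId": f"sg-fake{self._n:04d}"}

    def __getattr__(self, name):
        def record(**kw):
            self.calls.append((name, kw))
            return {}
        return record


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        import boto3   # real run: python this.py vpc-xxxxxxxx (placeholder VPC ID)
        print(apply_security_groups(boto3.client("ec2"), sys.argv[1]))
    else:
        client = RecordingClient()  # dry run: show the calls without touching AWS
        print(apply_security_groups(client, "vpc-placeholder"))
        for name, kw in client.calls:
            print(name, kw)
```

Run it without arguments to see the exact call sequence and payloads; run it with a VPC ID to create the groups. The mount-target group ends up with a single inbound rule (TCP 2049 from the instance group), which is the only rule its network interface actually consults.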