Amazon managed policies for Amazon EFS - Amazon Elastic File System
AmazonElasticFileSystemFullAccessAmazonElasticFileSystemReadOnlyAccessAmazonElasticFileSystemClientReadWriteAccessPolicy updates
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon managed policies for Amazon EFS

An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Service is launched or new API operations become available for existing services.

For more information, see Amazon managed policies in the IAM User Guide.

Amazon managed policy: AmazonElasticFileSystemFullAccess

You can attach the AmazonElasticFileSystemFullAccess policy to your IAM identities.

This policy grants administrative permissions that allow full access to Amazon EFS and access to related Amazon services via the Amazon Web Services Management Console.

Permissions details

This policy includes the following permissions.

  • elasticfilesystem – Allows principals to perform all actions in the Amazon EFS console. It also allows principals to create (elasticfilesystem:Backup) and restore (elasticfilesystem:Restore) backups using Amazon Backup.

  • cloudwatch – Allows principals to describe Amazon CloudWatch file system metrics and alarms for a metric in the Amazon EFS console.

  • ec2 – Allows principals to create, delete, and describe network interfaces, describe and modify network interface attributes, describe Availability Zones, security groups, subnets, virtual private clouds (VPCs) and VPC attributes associated with an Amazon EFS file system in the Amazon EFS console.

  • kms – Allows principals to list aliases for Amazon Key Management Service (Amazon KMS) keys and to describe KMS keys in the Amazon EFS console.

  • iam – Grants permission to create a service linked role that allows Amazon EFS to manage Amazon resources on the user's behalf.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudwatch:DescribeAlarmsForMetric",
                "cloudwatch:GetMetricData",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeNetworkInterfaceAttribute",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcs",
                "ec2:ModifyNetworkInterfaceAttribute",
                "elasticfilesystem:Backup",
                "elasticfilesystem:CreateFileSystem",
                "elasticfilesystem:CreateMountTarget",
                "elasticfilesystem:CreateTags",
                "elasticfilesystem:CreateAccessPoint",
                "elasticfilesystem:CreateReplicationConfiguration",
                "elasticfilesystem:DeleteFileSystem",
                "elasticfilesystem:DeleteMountTarget",
                "elasticfilesystem:DeleteTags",
                "elasticfilesystem:DeleteAccessPoint",
                "elasticfilesystem:DeleteFileSystemPolicy",
                "elasticfilesystem:DeleteReplicationConfiguration",
                "elasticfilesystem:DescribeAccountPreferences",
                "elasticfilesystem:DescribeBackupPolicy",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeFileSystemPolicy",
                "elasticfilesystem:DescribeLifecycleConfiguration",
                "elasticfilesystem:DescribeMountTargets",
                "elasticfilesystem:DescribeMountTargetSecurityGroups",
                "elasticfilesystem:DescribeReplicationConfigurations",
                "elasticfilesystem:DescribeTags",
                "elasticfilesystem:DescribeAccessPoints",
                "elasticfilesystem:ModifyMountTargetSecurityGroups",
                "elasticfilesystem:PutAccountPreferences",
                "elasticfilesystem:PutBackupPolicy",
                "elasticfilesystem:PutLifecycleConfiguration",
                "elasticfilesystem:PutFileSystemPolicy",
                "elasticfilesystem:UpdateFileSystem",
                "elasticfilesystem:UpdateFileSystemProtection",
                "elasticfilesystem:TagResource",
                "elasticfilesystem:UntagResource",
                "elasticfilesystem:ListTagsForResource",                
                "elasticfilesystem:Restore",
                "kms:DescribeKey",
                "kms:ListAliases"
            ],

            "Sid": "ElasticFileSystemFullAccess",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "iam:CreateServiceLinkedRole",
            "Sid": "CreateServiceLinkedRoleForEFS",
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "elasticfilesystem.amazonaws.com"
                    ]
                }
            }
        }
    ]
}

Amazon managed policy: AmazonElasticFileSystemReadOnlyAccess

You can attach the AmazonElasticFileSystemReadOnlyAccess policy to your IAM identities.

This policy grants read only access to Amazon EFS via the Amazon Web Services Management Console.

Permissions details

This policy includes the following permissions.

  • elasticfilesystem – Allows principals to describe attributes of Amazon EFS file systems, including account preferences, backup and file system policies, lifecycle configuration, mount targets and their security groups, tags, and access points in the Amazon EFS console.

  • cloudwatch – Allows principals to retrieve CloudWatch metrics and describe alarms for metrics in the Amazon EFS console.

  • ec2 – Allows principals to view Availability Zones, network interfaces and their attributes, security groups, subnets, VPCs and their attributes in the Amazon EFS console.

  • kms – Allows principals to list aliases for Amazon KMS keys in the Amazon EFS console.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:DescribeAlarmsForMetric",
                "cloudwatch:GetMetricData",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeNetworkInterfaceAttribute",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcs",
                "elasticfilesystem:DescribeAccountPreferences",
                "elasticfilesystem:DescribeBackupPolicy",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeFileSystemPolicy",
                "elasticfilesystem:DescribeLifecycleConfiguration",
                "elasticfilesystem:DescribeMountTargets",
                "elasticfilesystem:DescribeMountTargetSecurityGroups",                
                "elasticfilesystem:DescribeTags",
                "elasticfilesystem:DescribeAccessPoints",
                "elasticfilesystem:DescribeReplicationConfigurations",
                "elasticfilesystem:ListTagsForResource",
                "kms:ListAliases"
            ],
            
            "Resource": "*"
        }
    ]
}

Amazon managed policy: AmazonElasticFileSystemClientReadWriteAccess

You can attach the AmazonElasticFileSystemClientReadWriteAccess policy to an IAM entity.

This policy grants read and write client access to an Amazon EFS file system. This policy allows NFS clients to mount, read and write to Amazon EFS file systems.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite",
                "elasticfilesystem:DescribeMountTargets"
            ],
            "Resource": "*"
        }
    ]
}

Amazon EFS updates to Amazon managed policies

View details about updates to Amazon managed policies for Amazon EFS since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon EFS Document history page.

Change Description Date

Update to an existing policy

 Policy: AmazonElasticFileSystemFullAccess

Amazon EFS added a new permission to allow principals to disable and enable protection on a file system. The permissions are required to allow Amazon EFS to replicate to an existing file system.

November 27, 2023

Update to an existing policy

Policy: AmazonElasticFileSystemServiceRolePolicy

Amazon EFS added new permissions to allow principals to create, describe, and delete Amazon EFS replications, and to create Amazon EFS file systems. The permissions are required to allow Amazon EFS to manage files system replication configurations on the user's behalf.

 January 25, 2022

Update to an existing policy

Policy: AmazonElasticFileSystemReadOnlyAccess

Amazon EFS added a new permission to allow principals to describe Amazon EFS replications. The permissions are required to allow users to view files system replication configurations.

 January 25, 2022
Update to an existing policy

Policy: AmazonElasticFileSystemFullAccess

Amazon EFS added new permissions to allow principals to create, describe, and delete Amazon EFS replications. The permissions are required to allow users to manage files system replication configurations.

 January 25, 2022

Started tracking policy

Policy: AmazonElasticFileSystemClientReadWriteAccess

Grants read and write privileges on Amazon EFS file systems to NFS clients.

 January 3, 2022

Started tracking policy

 Policy: AmazonElasticFileSystemServiceRolePolicy

The service-linked role permissions for Amazon EFS.

October 8, 2021

Update to an existing policy

Policy: AmazonElasticFileSystemFullAccess

Amazon EFS added new permissions to allow principals to modify and describe Amazon EFS account preferences. The permissions are required to allow users to view and set account preferences settings in the Amazon EFS console.

 May 7, 2021

Update to an existing policy

Policy: AmazonElasticFileSystemReadOnlyAccess

Amazon EFS added new permissions to allow principals to describe Amazon EFS account preferences. The permissions are required to allow users to view account preferences settings in the Amazon EFS console.

 May 7, 2021

Amazon EFS started tracking changes

Amazon EFS started tracking changes for its Amazon managed policies.

 May 7, 2021