

# Amazon managed policies for Amazon EFS

An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining [customer managed policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.
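One way to check a customer managed policy against the recommendation above, as an added example that is not part of the AWS documentation: the Python below lists the NFS client actions a policy grants on all resources. The action names come from the IAM action list for Amazon EFS; the ARN and both sample policies are constructed.

```python
import fnmatch

# EFS NFS-client actions from the IAM action list for Amazon EFS
# (these names are not spelled out on this page).
CLIENT_ACTIONS = ["elasticfilesystem:ClientMount",
                  "elasticfilesystem:ClientWrite",
                  "elasticfilesystem:ClientRootAccess"]

# Constructed placeholder ARN: the account and file system IDs are not real.
FS_ARN = "arn:aws-cn:elasticfilesystem:cn-north-1:111122223333:file-system/fs-EXAMPLE"

# Constructed customer managed policy: mount and write on one file system only.
# ClientRootAccess is deliberately left out.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
        "Resource": FS_ARN,
    }],
}

# Constructed counter-example: every EFS action on every resource.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "elasticfilesystem:*", "Resource": "*"}],
}

def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def client_actions_on_all_resources(policy):
    """Return (statement index, client action) pairs that an Allow statement
    grants with Resource "*"."""
    findings = []
    for index, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in CLIENT_ACTIONS:
                # Action names are case-insensitive and may use * and ? wildcards.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.append((index, action))
    return findings
```

An empty result for `SCOPED_POLICY` and three findings for `BROAD_POLICY` show the difference between a policy that names the file system and one that does not.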

You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Services service is launched or new API operations become available for existing services.

For more information, see [Amazon managed policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

## Amazon managed policy: AWSServiceRoleForAmazonElasticFileSystem

Amazon EFS uses the service-linked role named `AWSServiceRoleForAmazonElasticFileSystem` to allow Amazon EFS to manage Amazon resources on your behalf. This role trusts the `elasticfilesystem.amazonaws.com` service to assume the role. For more information, see [Using service-linked roles for Amazon EFS](using-service-linked-roles.md).

## Amazon managed policy: AmazonElasticFileSystemFullAccess

You can attach the `AmazonElasticFileSystemFullAccess` policy to your IAM identities.

This policy grants administrative permissions that allow full access to Amazon EFS and access to related Amazon services via the Amazon Web Services Management Console.

**Permissions details**

This policy includes the following permissions.
+ `elasticfilesystem` – Allows principals to perform all actions in the Amazon EFS console. It also allows principals to create (`elasticfilesystem:Backup`) and restore (`elasticfilesystem:Restore`) backups using Amazon Backup.
+ `cloudwatch` – Allows principals to describe Amazon CloudWatch file system metrics and alarms for a metric in the Amazon EFS console.
+ `ec2` – Allows principals to create, delete, and describe network interfaces, describe and modify network interface attributes, describe Availability Zones, security groups, subnets, virtual private clouds (VPCs) and VPC attributes associated with an EFS file system in the Amazon EFS console.
+ `kms` – Allows principals to list aliases for Amazon Key Management Service (Amazon KMS) keys and to describe KMS keys in the Amazon EFS console.
+ `iam` – Grants permission to create a service-linked role that allows Amazon EFS to manage Amazon resources on the user's behalf.
+ `iam:PassRole` – Grants permission to pass an IAM role to Amazon EFS.

To view the permissions for this policy, see [https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonElasticFileSystemFullAccess.html](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonElasticFileSystemFullAccess.html) in the *Amazon Managed Policy Reference Guide*. 

## Amazon managed policy: AmazonElasticFileSystemReadOnlyAccess

You can attach the `AmazonElasticFileSystemReadOnlyAccess` policy to your IAM identities.

This policy grants read-only access to Amazon EFS via the Amazon Web Services Management Console.

**Permissions details**

This policy includes the following permissions.
+ `elasticfilesystem` – Allows principals to describe attributes of Amazon EFS file systems, including account preferences, backup and file system policies, lifecycle configuration, mount targets and their security groups, tags, and access points in the Amazon EFS console.
+ `cloudwatch` – Allows principals to retrieve CloudWatch metrics and describe alarms for metrics in the Amazon EFS console.
+ `ec2` – Allows principals to view Availability Zones, network interfaces and their attributes, security groups, subnets, VPCs and their attributes in the Amazon EFS console.
+ `kms` – Allows principals to list aliases for Amazon KMS keys in the Amazon EFS console.

To view the permissions for this policy, see [https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonElasticFileSystemReadOnlyAccess.html](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonElasticFileSystemReadOnlyAccess.html) in the *Amazon Managed Policy Reference Guide*. 

## Amazon managed policy: AmazonElasticFileSystemClientFullAccess

You can attach the `AmazonElasticFileSystemClientFullAccess` policy to an IAM entity.

This policy grants read and write client access to EFS file systems. This policy allows NFS clients to mount, read and write to EFS file systems.

To view the permissions for this policy, see [https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonElasticFileSystemClientFullAccess.html](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonElasticFileSystemClientFullAccess.html) in the *Amazon Managed Policy Reference Guide*. 

## Amazon managed policy: AmazonElasticFileSystemClientReadWriteAccess

You can attach the `AmazonElasticFileSystemClientReadWriteAccess` policy to an IAM entity.

This policy grants read and write client access to EFS file systems. This policy allows NFS clients to mount, read and write to EFS file systems.

To view the permissions for this policy, see [https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonElasticFileSystemClientReadWriteAccess.html](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonElasticFileSystemClientReadWriteAccess.html) in the *Amazon Managed Policy Reference Guide*. 

## Amazon EFS updates to Amazon managed policies

View details about updates to Amazon managed policies for Amazon EFS since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon EFS [Document history](document-history.md) page.


| Change | Description | Date | 
| --- | --- | --- | 
| Update to an existing policy |  Policy: [AmazonElasticFileSystemFullAccess](#security-iam-awsmanpol-AmazonElasticFileSystemFullAccess) Amazon EFS added the following: [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/efs/latest/ug/security-iam-awsmanpol.html)  | November 7, 2024 | 
| Update to an existing policy |  Policy: [AmazonElasticFileSystemServiceRolePolicy](using-service-linked-roles.md#slr-permissions) Amazon EFS added `ReplicationRead` and `ReplicationWrite` to give permission to read and write file system data for replication.  | November 7, 2024 | 
| Update to an existing policy | Policy: [AmazonElasticFileSystemReadOnlyAccess](#security-iam-awsmanpol-AmazonElasticFileSystemReadOnlyAccess) Amazon EFS added the `ReplicationRead` action to give permission to read file system data for replication. | November 7, 2024 | 
|  Update to an existing policy  | Policy: [AmazonElasticFileSystemReadOnlyAccess](#security-iam-awsmanpol-AmazonElasticFileSystemReadOnlyAccess) Amazon EFS added new permissions that give source and destination accounts access to file systems for cross-account replications.  | August 7, 2024 | 
|  Update to an existing policy  | Policy: [AmazonElasticFileSystemFullAccess](#security-iam-awsmanpol-AmazonElasticFileSystemFullAccess) Amazon EFS added a new permission to allow principals to disable and enable protection on a file system. The permissions are required to allow Amazon EFS to replicate to an existing file system.  | November 27, 2023 | 
|  Update to an existing policy  |  Policy: [AmazonElasticFileSystemServiceRolePolicy](using-service-linked-roles.md#slr-permissions) Amazon EFS added new permissions to allow principals to create, describe, and delete Amazon EFS replications, and to create Amazon EFS file systems. The permissions are required to allow Amazon EFS to manage file system replication configurations on the user's behalf.  | January 25, 2022 | 
|  Update to an existing policy  |  Policy: [AmazonElasticFileSystemReadOnlyAccess](#security-iam-awsmanpol-AmazonElasticFileSystemReadOnlyAccess) Amazon EFS added a new permission to allow principals to describe Amazon EFS replications. The permissions are required to allow users to view file system replication configurations.  | January 25, 2022 | 
| Update to an existing policy |  Policy: [AmazonElasticFileSystemFullAccess](#security-iam-awsmanpol-AmazonElasticFileSystemFullAccess) Amazon EFS added new permissions to allow principals to create, describe, and delete Amazon EFS replications. The permissions are required to allow users to manage file system replication configurations.  | January 25, 2022 | 
|  Started tracking policy  |  Policy: [AmazonElasticFileSystemClientReadWriteAccess](#security-iam-awsmanpol-AmazonElasticFileSystemClientReadWriteAccess) Grants read and write privileges on Amazon EFS file systems to NFS clients.  | January 3, 2022 | 
|  Started tracking policy  | Policy: [AmazonElasticFileSystemServiceRolePolicy](using-service-linked-roles.md#slr-permissions) The service-linked role permissions for Amazon EFS. |  October 8, 2021  | 
|  Update to an existing policy  |  Policy: [AmazonElasticFileSystemFullAccess](#security-iam-awsmanpol-AmazonElasticFileSystemFullAccess) Amazon EFS added new permissions to allow principals to modify and describe Amazon EFS account preferences. The permissions are required to allow users to view and set account preferences settings in the Amazon EFS console.  | May 7, 2021 | 
|  Update to an existing policy  |  Policy: [AmazonElasticFileSystemReadOnlyAccess](#security-iam-awsmanpol-AmazonElasticFileSystemReadOnlyAccess) Amazon EFS added new permissions to allow principals to describe Amazon EFS account preferences. The permissions are required to allow users to view account preferences settings in the Amazon EFS console.  | May 7, 2021 | 
|  Amazon EFS started tracking changes  |  Amazon EFS started tracking changes for its Amazon managed policies.  | May 7, 2021 | 
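
Because an update to a managed policy applies to every identity it is attached to, it helps to compare the old and new policy versions yourself. The Python below is an added example, not AWS code: it reports which (action, resource) grants changed between two versions. Both sample documents are constructed and shortened, and only the `ReplicationRead` addition is taken from the table above.

```python
# Constructed, shortened stand-ins for two versions of a read-only policy.
OLD_VERSION = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["elasticfilesystem:DescribeFileSystems",
                   "elasticfilesystem:DescribeMountTargets"],
        "Resource": "*",
    }],
}

NEW_VERSION = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["elasticfilesystem:DescribeFileSystems",
                   "elasticfilesystem:DescribeMountTargets",
                   "elasticfilesystem:ReplicationRead"],
        "Resource": "*",
    }],
}

def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def allowed_grants(policy):
    """Flatten the Allow statements into a set of (action, resource) pairs."""
    grants = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                grants.add((action, resource))
    return grants

def diff_versions(old, new):
    """Report grants present in only one of the two policy versions."""
    old_grants, new_grants = allowed_grants(old), allowed_grants(new)
    return {"added": sorted(new_grants - old_grants),
            "removed": sorted(old_grants - new_grants)}
```

The two input documents can be fetched with `aws iam get-policy-version` for the version IDs you want to compare.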