Resource-based policy examples for Amazon Elastic File System
In this section, you can find example file system policies that grant or deny permissions for various Amazon EFS actions. Amazon EFS file system policies have a 20,000 character limit. For information about the elements of a resource-based policy, see Resource-based policies within Amazon EFS.
Important
If you grant permission to an individual IAM user or role in a file system policy, don't delete or recreate that user or role while the policy is in effect on the file system. If this happens, that user or role is effectively locked out from file system and will not be able to access it. For more information, see Specifying a Principal in the IAM User Guide.
For information about how to create a file system policy, see Creating file system policies.
Topics
Example: Grant read and write access to a specific Amazon role
In this example, the EFS file system policy has the following characteristics:
-
The effect is
Allow. -
The principal is set to the Testing_Role in the Amazon Web Services account.
-
The action is set to
ClientMount(read), andClientWrite. -
The condition for granting permissions is set to
AccessedViaMountTarget.
{ "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/Testing_Role" }, "Action": [ "elasticfilesystem:ClientWrite", "elasticfilesystem:ClientMount" ], "Resource": "arn:aws:elasticfilesystem:us-east-2:111122223333:file-system/fs-1234abcd", "Condition": { "Bool": { "elasticfilesystem:AccessedViaMountTarget": "true" } } } ] }
Example: Grant read-only access
The following file system policy only grants ClientMount, or read-only,
permissions to the EfsReadOnly IAM role.
{ "Id": "read-only-example-policy02", "Statement": [ { "Sid": "efs-statement-example02", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/EfsReadOnly" }, "Action": [ "elasticfilesystem:ClientMount" ], "Resource": "arn:aws:elasticfilesystem:us-east-2:111122223333:file-system/fs-12345678" } ] }
To learn how to set additional file system policies, including denying root access to all IAM principals, except for a specific management workstation, see Walkthrough: Enable root squashing using IAM authorization for NFS clients.
Example: Grant access to an EFS Access Point
You use an EFS access policy to provide an NFS client with an application-specific view into shared file-based datasets on an EFS file system. You grant the access point permissions on the file system using a file system policy.
This file policy example uses a condition element to grant a specific access point that is identified by its ARN full access to the file system.
For more information about using EFS access points, see Working with Amazon EFS access points.
{ "Id": "access-point-example03", "Statement": [ { "Sid": "access-point-statement-example03", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::555555555555:role/EfsAccessPointFullAccess"}, "Action": "elasticfilesystem:Client*", "Resource": "arn:aws:elasticfilesystem:us-east-2:111122223333:file-system/fs-12345678", "Condition": { "StringEquals": { "elasticfilesystem:AccessPointArn":"arn:aws:elasticfilesystem:us-east-2:555555555555:access-point/fsap-12345678" } } } ] }