Create an Amazon EFS file system - Amazon Transfer Family

Create an Amazon EFS file system

Amazon Transfer Family accesses Amazon Elastic File System (Amazon EFS) to service your users' transfer requests. So you must provide an Amazon EFS file system as part of setting up your file transfer protocol-enabled server. You can use an existing file system, or you can create a new one.

The following sections in the Amazon Elastic File System User Guide provide more information.

Note

When you use a Transfer Family server and an Amazon EFS file system, the server and the file system must be in the same Amazon Region.

The server and the file system don't need to be in the same account. If the server and file system are not in the same account, the file system policy must give explicit permission to the user role. For information about using Amazon EFS, see Using Amazon Transfer Family to access files in your Amazon EFS file system in the Amazon Elastic File System User Guide.

For information about how to set up multiple accounts, see Managing the Amazon accounts in your organization in the Amazon Organizations User Guide.

When you set up your users, you assign them each an IAM role. This role determines the level of access that they have to your Amazon EFS file system.

Amazon EFS file ownership

Amazon EFS uses the Portable Operating System Interface (POSIX) file permission model to represent file ownership.

In POSIX, users in the system are categorized into three distinct permission classes:

  • User (u): Owner of the file or directory. Usually, the creator of a file or directory is also the owner.

  • Group (g): Set of users that need identical access to files and directories that they share.

  • Others (o): All other users that have access to the system except for the owner and group members. This permission class is also referred to as "Public."

When you allow a user to access files stored in an Amazon EFS file system using Amazon Transfer Family, you must assign them a "POSIX profile." This profile is used to determine their access to files and directories in the Amazon EFS file system.

In the POSIX permission model, every file system object (files, directories, symbolic links, named pipes, and sockets) is associated with the previously mentioned three sets of permissions. Amazon EFS objects have a Unix-style mode associated with them. This mode value defines the permissions for performing actions on that object.

Additionally, on Unix-style systems, users and groups are mapped to numeric identifiers, which Amazon EFS uses to represent file ownership. For Amazon EFS, objects are owned by a single owner and a single group. Amazon EFS uses the mapped numeric IDs to check permissions when a user attempts to access a file system object.

Set up Amazon EFS users for Transfer Family

Before you set up your Amazon EFS users, you can do either of the following:

Configure Transfer Family users on Amazon EFS

Transfer Family maps each user to the UID, GID, and directories you specify. If the UID, GID, or directories do not already exist in Amazon EFS, create them before assigning them to a user in Transfer Family. The details for creating Amazon EFS users are described in Working with users, groups, and permissions at the Network File System (NFS) Level in the Amazon Elastic File System User Guide.

Steps to set up Amazon EFS users in Transfer Family

  1. Map the EFS UID and GID for your user in Transfer Family using the PosixProfile fields.

  2. If you want the user to start in a specific folder upon login, you can specify the EFS directory under the HomeDirectory field.

You can automate the process by using a CloudWatch rule and a Lambda function. For an example Lambda function that interacts with Amazon EFS, see Using Amazon EFS for Amazon Lambda in your serverless applications.

Create an Amazon EFS root user

If your organization is comfortable with enabling root user access over SFTP/FTPS to configure your users, you can create a user whose UID and GID are both 0 (the root user), then use that root user to create folders and assign POSIX ID owners for the rest of the users. The advantage of this option is that there is no need to mount the Amazon EFS file system.

Perform the steps described in Adding Amazon EFS service-managed users, and for both the User ID and Group ID, enter 0 (zero).

Supported Amazon EFS commands

The following commands are supported for Amazon EFS for Amazon Transfer Family.

  • cd

  • ls/dir

  • pwd

  • put

  • get

  • rename

  • chown: Only root (that is, users with uid=0) can change ownership and permissions of files and directories.

  • chmod: Only root can change ownership and permissions of files and directories.

  • chgrp: Supported for root, or for the file's owner, who can only change the file's group to one of their secondary groups.

  • ln -s/symlink

  • mkdir

  • rm/delete

  • rmdir

  • chmtime
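The following is an added example, not code from the Transfer Family or Amazon EFS documentation: a small model of the POSIX ownership check described above (owner, group and others classes resolved through numeric IDs and a Unix mode), with the root user (UID/GID 0) and the chown, chmod and chgrp rules from the command list applied to a Transfer Family PosixProfile. All profiles, IDs and the sample object are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PosixProfile:
    """Transfer Family POSIX profile: Uid, Gid and optional SecondaryGids."""
    uid: int
    gid: int
    secondary_gids: frozenset = frozenset()

    @property
    def is_root(self) -> bool:
        return self.uid == 0

    def groups(self) -> set:
        return {self.gid} | set(self.secondary_gids)


@dataclass(frozen=True)
class EfsObject:
    """EFS file-system object: numeric owner, owning group and Unix mode."""
    owner_uid: int
    owner_gid: int
    mode: int  # e.g. 0o640


PERM_BITS = {"r": 4, "w": 2, "x": 1}
CLASS_SHIFT = {"u": 6, "g": 3, "o": 0}


def permission_class(profile: PosixProfile, obj: EfsObject) -> str:
    """Select the POSIX class (u, g or o) whose mode bits apply to this profile."""
    if profile.uid == obj.owner_uid:
        return "u"
    if obj.owner_gid in profile.groups():
        return "g"
    return "o"


def can_access(profile: PosixProfile, obj: EfsObject, perm: str) -> bool:
    """Check one permission (r, w or x) against the applicable class bits."""
    if profile.is_root:
        # uid 0 bypasses r/w; for x at least one execute bit must be set.
        return perm != "x" or bool(obj.mode & 0o111)
    shift = CLASS_SHIFT[permission_class(profile, obj)]
    return bool((obj.mode >> shift) & PERM_BITS[perm])


def can_chown_or_chmod(profile: PosixProfile) -> bool:
    """chown and chmod are root-only over Transfer Family."""
    return profile.is_root


def can_chgrp(profile: PosixProfile, obj: EfsObject, new_gid: int) -> bool:
    """Root may set any group; the owner only one of their secondary groups."""
    if profile.is_root:
        return True
    return profile.uid == obj.owner_uid and new_gid in profile.secondary_gids


# Constructed sample data (not real identities or file-system objects).
ROOT = PosixProfile(uid=0, gid=0)
ALICE = PosixProfile(uid=1001, gid=1001, secondary_gids=frozenset({2001, 2002}))
BOB = PosixProfile(uid=1002, gid=2001)
CAROL = PosixProfile(uid=1003, gid=1003)
REPORT = EfsObject(owner_uid=1001, owner_gid=2001, mode=0o640)
```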