Elastic File System (EFS) is a scalable and fully managed cloud file storage system. EFS offers shared file storage that enables several workloads to access the same data. AWS has launched Access Points to expand the functionality of EFS. With this feature, you define points of access to your EFS file system, each with its own set of rights and permission settings.

This article will discuss the advantages of integrating Amazon EFS with access points. Furthermore, we cover recommended practices for setup and use. We'll also go over some typical use cases and situations and offer step-by-step guidance for setting up access points.

Understanding AWS EFS

Let's first clarify what Amazon EFS is and how it functions before diving into the specifics of access points. EFS offers scalable file storage that is completely managed by AWS.

It makes use of a common file system interface that is simple to incorporate into already in-use workloads. It also automatically moves infrequently accessed files to Infrequent Access (IA) storage classes to save costs. It is designed with 99.999999999% durability and up to 99.99% availability.

AWS EFS Access Points Explained

Now that we understand what AWS EFS is and its key features, let's explore Access Points.

What are access points? An access point is a point of entry into your EFS file system. Its configuration, such as the root directory path and the POSIX user and permissions, is unique to each access point. Without having to maintain several file systems, you can implement fine-grained access control for various directories and users.

How do access points function? When creating an access point, you provide a root directory path within your EFS file system. Clients connecting through the access point see only this directory, which becomes their root, and its subdirectories. You can then define rules to restrict or allow access to this directory based on user or group privileges.

Setup of EFS Access Points

First, we choose the underlying EFS file system and can give the access point a name. If we leave the "root directory path" empty, it defaults to /. Otherwise, we can define a folder that will be used as the access point's root path.

Warning: keep in mind that the / path is always owned by the root user. Only root users will be able to write data to this path.

We can for example choose /root_directory_path as the root path. The access point will only have access to this path and the underlying folders. It will not see any other paths like /log_data or /extensions.

/
├── /root_directory_path
├── /log_data
└── /extensions

In the second step, we choose the user that will perform all operations on the EFS. Every operation made through the access point appears to be performed by this account. We need its POSIX UID/GID. On Linux, we can get this information from the id command:

uid=1001(ssm-user) gid=1001(ssm-user) groups=1001(ssm-user)

In the last step, we can configure the root directory creation permissions. If we choose any "root directory path" other than /, this setting is required. It makes EFS create the folder automatically and assign the chosen account as its owner. In our example, /root_directory_path doesn't exist yet. We can either create it manually or use the directory creation option. We need to choose the POSIX UID/GID again. Since the POSIX user from above should later be able to read and write files there, we usually use the same IDs.

For the access permissions we can use 755, for example. This gives the owner of the path read/write/execute and all other users read/execute only.

In the end, we would have the following setup:

Path                POSIX user    Creation info
/rootDirectoryPath  1000 : 1000   1000 : 1000 (755)

This creates the path /rootDirectoryPath owned by user 1000:1000 with 755 permissions. All actions performed on the EFS through this access point will be done as user 1000:1000.
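As an added example that is not part of the article, the following Python helper builds the create_access_point request for the setup described above (root directory path, POSIX user, creation info) and predicts whether the chosen POSIX user will be able to write into the access point's root directory; it assumes the directory is created from the creation info and, following the warning above, that / is owned by root with 755 permissions. The file system id used in the usage is a placeholder.

```python
import re

UID_MAX = 4294967295  # largest uid/gid the EFS API accepts

def parse_id_output(line):
    """Extract uid and primary gid from the output of the Linux `id` command."""
    m = re.match(r"uid=(\d+)\(.*?\)\s+gid=(\d+)\(", line)
    if not m:
        raise ValueError("unexpected id output: %r" % line)
    return int(m.group(1)), int(m.group(2))

def build_access_point(fs_id, root_path, uid, gid, owner_uid=None,
                       owner_gid=None, permissions="755"):
    """Build kwargs for boto3's efs.create_access_point() (real field names).
    Owner defaults to the POSIX user, as the article recommends; "/" gets no
    CreationInfo because it always exists."""
    if not root_path.startswith("/"):
        raise ValueError("root directory path must be absolute")
    if not re.fullmatch(r"[0-7]{3,4}", permissions):
        raise ValueError("permissions must be an octal mode such as 755")
    if not all(0 <= v <= UID_MAX for v in (uid, gid)):
        raise ValueError("uid/gid out of range")
    kwargs = {"FileSystemId": fs_id,
              "PosixUser": {"Uid": uid, "Gid": gid},
              "RootDirectory": {"Path": root_path}}
    if root_path != "/":
        kwargs["RootDirectory"]["CreationInfo"] = {
            "OwnerUid": uid if owner_uid is None else owner_uid,
            "OwnerGid": gid if owner_gid is None else owner_gid,
            "Permissions": permissions}
    return kwargs

def posix_user_can_write(kwargs):
    """Predict whether the access point's POSIX user can create files in its
    root directory. Assumes the directory is created from CreationInfo (EFS
    ignores CreationInfo if it already exists) and that "/" is root:root 755."""
    uid, gid = kwargs["PosixUser"]["Uid"], kwargs["PosixUser"]["Gid"]
    info = kwargs["RootDirectory"].get("CreationInfo")
    if info is None:  # root directory "/" is always owned by root
        owner_uid, owner_gid, mode = 0, 0, 0o755
    else:
        owner_uid, owner_gid = info["OwnerUid"], info["OwnerGid"]
        mode = int(info["Permissions"], 8)
    if uid == 0:  # root is not subject to mode bits
        return True
    if uid == owner_uid:
        return bool(mode & 0o200)  # owner write bit
    if gid == owner_gid:
        return bool(mode & 0o020)  # group write bit
    return bool(mode & 0o002)  # other write bit
```

Feeding the id output from above through parse_id_output and into build_access_point("fs-PLACEHOLDER", "/root_directory_path", 1001, 1001) yields a request whose POSIX user can write, whereas an owner of 1000:1000 with 755 for the same user 1001 (the mismatch between the id output and the final table) would not be able to write.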
