AWS Amazon EFS Access Point

This page shows how to write Terraform and CloudFormation for Amazon EFS Access Point and write them securely.

aws_efs_access_point (Terraform)

The Access Point in Amazon EFS can be configured in Terraform with the resource name aws_efs_access_point. The following sections describe 3 examples of how to use the resource and its parameters.

Example Usage from GitHub

efs.tf#L13
resource "aws_efs_access_point" "neo4j_data" {
  file_system_id = aws_efs_file_system.amundsen.id
  posix_user {
    gid = 1000 # for amundsen, important that the same gid/uid is used across each access point
    uid = 1000
  }
}
efs.tf#L43
resource "aws_efs_access_point" "hyperglance" {
  file_system_id = aws_efs_file_system.hyperglance.id

  root_directory {
    path = "/hyperglance"
    creation_info {
      # excerpt truncated here: creation_info requires owner_uid, owner_gid and permissions
    }
  }
}
efs.tf#L16
resource "aws_efs_access_point" "signer" {
  file_system_id = aws_efs_file_system.this.id
  posix_user {
    gid = 999
    uid = 999
  }
}

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Provides an Elastic File System (EFS) access point.

Tips: Best Practices for The Other AWS Amazon EFS Resources

In addition to the aws_efs_file_system, AWS Amazon EFS has other resources that should be configured for security reasons. Please check the examples of those resources and the precautions below.

aws_efs_file_system

Enable at rest encryption of EFS

It is better to enable at rest encryption of EFS to reduce the risk of data leakage.
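The following Terraform is an added example (not code from this page or from the projects it cites) that ties together the aws_efs_access_point parameters described above and the at-rest encryption tip: an encrypted file system with its own KMS key, an access point that pins the POSIX identity and confines clients to one directory, and a file system policy that only allows mounts through that access point over TLS. All resource names, the path "/app-data" and the uid/gid values are assumptions.

```hcl
# Added example, not from the page or the cited projects. Resource names,
# the directory path and the uid/gid values are assumptions.

resource "aws_kms_key" "efs" {
  description         = "CMK for EFS at-rest encryption"
  enable_key_rotation = true
}

resource "aws_efs_file_system" "app" {
  encrypted  = true # at-rest encryption, as recommended above
  kms_key_id = aws_kms_key.efs.arn

  lifecycle_policy {
    transition_to_ia = "AFTER_30_DAYS"
  }

  tags = { Name = "app-data" }
}

resource "aws_efs_access_point" "app" {
  file_system_id = aws_efs_file_system.app.id

  # Every request through this access point runs as uid/gid 1000,
  # whatever identity the NFS client presents.
  posix_user {
    uid = 1000
    gid = 1000
  }

  # Clients see /app-data as their root and cannot traverse above it.
  # creation_info lets EFS create the directory with this owner and mode
  # if it does not exist yet; without it, mounting fails when the
  # directory is absent.
  root_directory {
    path = "/app-data"
    creation_info {
      owner_uid   = 1000
      owner_gid   = 1000
      permissions = "0750"
    }
  }

  tags = { Name = "app-access-point" }
}

# File system policy: mounts are allowed only through the access point
# and only over an encrypted (TLS) transport.
resource "aws_efs_file_system_policy" "app" {
  file_system_id = aws_efs_file_system.app.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AllowMountOnlyViaAccessPoint"
        Effect    = "Allow"
        Principal = { AWS = "*" }
        Action = [
          "elasticfilesystem:ClientMount",
          "elasticfilesystem:ClientWrite",
        ]
        Resource = aws_efs_file_system.app.arn
        Condition = {
          StringEquals = {
            "elasticfilesystem:AccessPointArn" = aws_efs_access_point.app.arn
          }
          Bool = { "aws:SecureTransport" = "true" }
        }
      },
      {
        Sid       = "DenyUnencryptedTransport"
        Effect    = "Deny"
        Principal = { AWS = "*" }
        Action    = "*"
        Resource  = aws_efs_file_system.app.arn
        Condition = {
          Bool = { "aws:SecureTransport" = "false" }
        }
      },
    ]
  })
}
```

The policy conditions use the elasticfilesystem:AccessPointArn and aws:SecureTransport condition keys, so a client that mounts the file system directly, or without TLS, is refused even if its IAM identity would otherwise permit ClientMount. Because the access point overrides the NFS client's uid/gid, file ownership inside /app-data stays consistent no matter which host or container performs the write.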

Review your AWS Amazon EFS settings

In addition to the above, there are other security points you should be aware of; Shisho Cloud can check your .tf files for them.

AWS::EFS::AccessPoint (CloudFormation)

The AccessPoint in EFS can be configured in CloudFormation with the resource name AWS::EFS::AccessPoint. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

efs-access-point.yml#L6
  Type: AWS::EFS::AccessPoint
  Properties:
    ClientToken: !Sub ${AppName}-${EnvName}-${WorkloadName}
    FileSystemId: !GetAtt EnvControllerAction.ManagedFileSystemID
    PosixUser:
      Uid: {{.Storage.ManagedVolumeInfo.UID}}
vpc-efs.yml#L48
      Type: AWS::EFS::AccessPoint
      Properties:
        FileSystemId: !Ref FileSystem
        PosixUser:
          Uid: '1000'
          Gid: '1000'
efs.yml#L37
    Type: 'AWS::EFS::AccessPoint'
    Properties:
      FileSystemId: !Ref MyEFSFileSystemResource
      PosixUser:
        Uid: "1000"
        Gid: "1000"
serverless-storage.yml#L24
      Type: "AWS::EFS::AccessPoint"
      Properties:
        FileSystemId: !Ref MyEFS
        PosixUser:
          Uid: 1000
          Gid: 1000
tree.json#L952
                  "aws:cdk:cloudformation:type": "AWS::EFS::AccessPoint",
                  "aws:cdk:cloudformation:props": {
                    "fileSystemId": {
                      "Ref": "comvaultefs32A048FC"
                    },
                    "rootDirectory": {
commvault-demo.template.json#L734
      "Type": "AWS::EFS::AccessPoint",
      "Properties": {
        "FileSystemId": {
          "Ref": "comvaultefs32A048FC"
        },
        "RootDirectory": {
function_with_file_system_config.json#L4
  { "LogicalResourceId":"AccessPoint", "ResourceType":"AWS::EFS::AccessPoint" },
  { "LogicalResourceId":"LambdaFunctionWithEfs", "ResourceType":"AWS::Lambda::Function" },
  { "LogicalResourceId":"MyVpc", "ResourceType":"AWS::EC2::VPC" },
  { "LogicalResourceId":"MySecurityGroup", "ResourceType":"AWS::EC2::SecurityGroup" },
  { "LogicalResourceId":"MySubnet", "ResourceType":"AWS::EC2::Subnet" },
  { "LogicalResourceId":"LambdaFunctionWithEfsRole", "ResourceType":"AWS::IAM::Role" }
4-static-efs-template.json#L39
      "Type" : "AWS::EFS::AccessPoint",
      "Properties" : {
        "AccessPointTags" : [ {"Key": "Name", "Value": "ECS access point"} ],
        "FileSystemId" : {"Ref": "StaticEfsFileSystem"},
        "PosixUser" : {
          "Gid": "123454",
2-efs-template.json#L39
      "Type" : "AWS::EFS::AccessPoint",
      "Properties" : {
        "AccessPointTags" : [ {"Key": "Name", "Value": "ECS access point"} ],
        "FileSystemId" : {"Ref": "StaticEfsFileSystem"},
        "PosixUser" : {
          "Gid": "123454",

Parameters

Explanation in CloudFormation Registry

The AWS::EFS::AccessPoint resource creates an EFS access point. An access point is an application-specific view into an EFS file system that applies an operating system user and group, and a file system path, to any file system request made through the access point. The operating system user and group override any identity information provided by the NFS client. The file system path is exposed as the access point's root directory. Applications using the access point can only access data in its own directory and below. To learn more, see Mounting a file system using EFS access points.

This operation requires permissions for the elasticfilesystem:CreateAccessPoint action.

Frequently asked questions

What is AWS Amazon EFS Access Point?

AWS Amazon EFS Access Point is a resource for Amazon EFS of Amazon Web Services. Settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Amazon EFS Access Point?

For Terraform, the iblaine/amundsen-terraform, hyperglance/deploy and planetway/xroad-securityserver-docker source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the bot-arate/B2, aws/copilot-cli and franjimenezj/aws-lambda-api-vpc-efs source code examples are useful. See the CloudFormation Example section for further details.