Amazon EFS - Elastic File System
Chapter 18: Amazon EFS - Elastic File System
Section titled “Chapter 18: Amazon EFS - Elastic File System”Managed NFS File System
Section titled “Managed NFS File System”18.1 Overview
Section titled “18.1 Overview”Amazon EFS (Elastic File System) provides a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources.
EFS Overview+------------------------------------------------------------------+| || +------------------------+ || | Amazon EFS | || +------------------------+ || | || +---------------------+---------------------+ || | | | || v v v || +----------+ +----------+ +----------+ || | NFS | | Scalable | | Serverless| || | Protocol | | Storage | | Managed | || | | | | | | || | - NFSv4 | | - Auto | | - No | || | - POSIX | | grow | | servers| || | compliant| | - PB | | - Pay for| || | | | scale | | use | || +----------+ +----------+ +----------+ || || Key Features: || - Simple, fully managed file system || - Scales automatically up and down || - POSIX-compliant (Linux workloads) || - Concurrent access from multiple instances || |+------------------------------------------------------------------+18.2 EFS Architecture
Section titled “18.2 EFS Architecture”File System Structure
Section titled “File System Structure” EFS Architecture+------------------------------------------------------------------+| || EFS File System || +----------------------------------------------------------+ || | | || | +----------------------------------------------------+ | || | | File System | | || | | (Regional) | | || | +----------------------------------------------------+ | || | | | || | +-------------+-------------+ | || | | | | | || | v v v | || | +----------+ +----------+ +----------+ | || | | Mount | | Mount | | Mount | | || | | Target | | Target | | Target | | || | | (AZ-a) | | (AZ-b) | | (AZ-c) | | || | +----------+ +----------+ +----------+ | || | | | | | || | v v v | || | +----------+ +----------+ +----------+ | || | | EC2 | | EC2 | | EC2 | | || | | Instance | | Instance | | Instance | | || | +----------+ +----------+ +----------+ | || | | || +----------------------------------------------------------+ || || Components: || - File System: Regional resource, highly available || - Mount Target: Per-AZ endpoint for mounting || - Security Groups: Control access to mount targets || |+------------------------------------------------------------------+Access Points
Section titled “Access Points” EFS Access Points+------------------------------------------------------------------+| || Purpose: Simplify application access to EFS || || Access Point Configuration || +----------------------------------------------------------+ || | | || | Access Point: app-data | || | +----------------------------------------------------+ | || | | | | || | | Root Directory: /data/app1 | | || | | POSIX User: | | || | | - UID: 1001 | | || | | - GID: 1001 | | || | | Directory Permissions: | | || | | - Owner: 1001:1001 | | || | | - Permissions: 755 | | || | | | | || | +----------------------------------------------------+ | || | | || +----------------------------------------------------------+ || || Benefits: || - Enforce directory path || - Enforce user identity || - Enforce root directory creation || - Simplify mounting || |+------------------------------------------------------------------+18.3 EFS Performance
Section titled “18.3 EFS Performance”Performance Modes
Section titled “Performance Modes” EFS Performance Modes+------------------------------------------------------------------+| || General Purpose (Default) || +----------------------------------------------------------+ || | | || | Use Case: | || | - Web servers | || | - Content management systems | || | - Home directories | || | - General file sharing | || | | || | Characteristics: | || | - Lower latency for file operations | || | - Higher per-operation performance | || | - Recommended for most workloads | || | | || +----------------------------------------------------------+ || || Max I/O || +----------------------------------------------------------+ || | | || | Use Case: | || | - Big data analytics | || | - Media processing | || | - Parallel workloads | || | - High-throughput applications | || | | || | Characteristics: | || | - Higher aggregate throughput | || | - Higher per-file system operations | || | - Slightly higher latency | || | | || +----------------------------------------------------------+ || || Note: Performance mode is set at creation and cannot be changed|| |+------------------------------------------------------------------+Throughput Modes
Section titled “Throughput Modes” EFS Throughput Modes+------------------------------------------------------------------+| || Bursting Throughput (Default) || +----------------------------------------------------------+ || | | || | How it works: | || | - Baseline: 50 KB/s per GB stored | || | - Burst: Up to 100 MB/s | || | - Burst credits accumulate | || | | || | Example (100 GB file system): | || | - Baseline: 5 MB/s (100 GB * 50 KB/s) | || | - Burst: 100 MB/s | || | | || | Use Case: | || | - Variable workloads | || | - Occasional bursts | || | | || +----------------------------------------------------------+ || || Provisioned Throughput || +----------------------------------------------------------+ || | | || | How it works: | || | - Specify throughput independent of storage | || | - Up to 1,000 MB/s | || | - Additional cost | || | | || | Example: | || | - Storage: 100 GB | || | - Provisioned: 100 MB/s | || | - Cost: Storage + Throughput | || | | || | Use Case: | || | - Consistent high throughput | || | - Low storage, high throughput needs | || | | || +----------------------------------------------------------+ || || Elastic Throughput || +----------------------------------------------------------+ || | | || | How it works: | || | - Automatically scales throughput | || | - No provisioning required | || | - Pay only for throughput used | || | | || | Use Case: | || | - Unpredictable workloads | || | - Spiky traffic patterns | || | | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+Performance Comparison
Section titled “Performance Comparison” EFS Performance Comparison+------------------------------------------------------------------+| || Metric | General Purpose | Max I/O || --------------------|-----------------|-------------------------|| Latency | Lower | Higher || Aggregate Throughput| Lower | Higher || Operations/sec | Lower | Higher || File ops latency | Lower | Higher || --------------------|-----------------|-------------------------|| Recommended for | Most workloads | Parallel processing || |+------------------------------------------------------------------+18.4 EFS Storage Classes
Section titled “18.4 EFS Storage Classes” EFS Storage Classes+------------------------------------------------------------------+| || Standard Storage Class || +----------------------------------------------------------+ || | | || | Use Case: | || | - Frequently accessed files | || | - Active workloads | || | | || | Characteristics: | || | - Highest durability (99.999999999%) | || | - Highest availability (99.99%) | || | - Multi-AZ redundancy | || | | || +----------------------------------------------------------+ || || Infrequent Access (IA) Storage Class || +----------------------------------------------------------+ || | | || | Use Case: | || | - Infrequently accessed files | || | - Archive data | || | - Backup data | || | | || | Characteristics: | || | - Lower storage cost (up to 92% savings) | || | - Retrieval fee per GB accessed | || | - Same durability | || | | || +----------------------------------------------------------+ || || Lifecycle Management || +----------------------------------------------------------+ || | | || | Policy Configuration: | || | - Move to IA after: 7, 14, 30, 60, 90, 180, 365 days | || | - Move to IA after: 1, 3, 5 years | || | | || | Example: | || | - Files not accessed for 30 days -> Move to IA | || | - Files accessed again -> Move to Standard | || | | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+18.5 EFS Security
Section titled “18.5 EFS Security”Network Security
Section titled “Network Security” EFS Network Security+------------------------------------------------------------------+| || Security Groups || +----------------------------------------------------------+ || | | || | Mount Target Security Group: | || | +----------------------------------------------------+ | || | | Inbound Rules: | | || | | - TCP 2049 (NFS) from EC2 security group | | || | | | | || | | Outbound Rules: | | || | | - Allow all (default) | | || | +----------------------------------------------------+ | || | | || | EC2 Security Group: | || | +----------------------------------------------------+ | || | | Outbound Rules: | | || | | - TCP 2049 (NFS) to Mount Target SG | | || | +----------------------------------------------------+ | || | | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+Encryption
Section titled “Encryption” EFS Encryption+------------------------------------------------------------------+| || Encryption at Rest || +----------------------------------------------------------+ || | | || | Features: | || | - Enabled at file system creation | || | - Cannot be disabled after creation | || | - Uses AWS KMS | || | - AES-256 encryption | || | | || | KMS Key Options: | || | - AWS managed key (aws/elasticfilesystem) | || | - Customer managed key (CMK) | || | | || +----------------------------------------------------------+ || || Encryption in Transit || +----------------------------------------------------------+ || | | || | Features: | || | - TLS encryption for NFS traffic | || | - Enabled by default on mount | || | - Uses TLS 1.2 | || | | || | Mount with encryption: | || | mount -t efs -o tls fs-12345678:/ /mnt/efs | || | | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+18.6 Practical Configuration
Section titled “18.6 Practical Configuration”EFS with Terraform
Section titled “EFS with Terraform”# ============================================================# EFS File System# ============================================================
resource "aws_efs_file_system" "main" { creation_token = "main-efs"
# Performance mode performance_mode = "generalPurpose" # or "maxIO"
# Throughput mode throughput_mode = "bursting" # or "provisioned" # provisioned_throughput_in_mibps = 100 # If provisioned
# Encryption encrypted = true kms_key_id = aws_kms_key.efs.arn
# Lifecycle policy lifecycle_policy { transition_to_ia = "AFTER_30_DAYS" }
# Tags tags = { Name = "main-efs" }}
# ============================================================# Mount Targets# ============================================================
resource "aws_efs_mount_target" "main" { count = length(var.private_subnet_ids)
file_system_id = aws_efs_file_system.main.id subnet_id = var.private_subnet_ids[count.index] security_groups = [aws_security_group.efs.id]}
# ============================================================# Security Group for EFS# ============================================================
resource "aws_security_group" "efs" { name = "efs-sg" description = "Security group for EFS mount targets" vpc_id = var.vpc_id
ingress { description = "NFS from EC2" from_port = 2049 to_port = 2049 protocol = "tcp" security_groups = [aws_security_group.ec2.id] }
egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] }
tags = { Name = "efs-sg" }}
# ============================================================# EFS Access Point# ============================================================
resource "aws_efs_access_point" "app" { file_system_id = aws_efs_file_system.main.id
# POSIX user posix_user { gid = 1001 uid = 1001 }
# Root directory root_directory { path = "/data/app" creation_info { owner_gid = 1001 owner_uid = 1001 permissions = "755" } }
tags = { Name = "app-access-point" }}
# ============================================================# EFS Backup Policy# ============================================================
resource "aws_efs_backup_policy" "main" { file_system_id = aws_efs_file_system.main.id
backup_policy { status = "ENABLED" }}
# ============================================================# EFS File System Policy# ============================================================
resource "aws_efs_file_system_policy" "main" { file_system_id = aws_efs_file_system.main.id
policy = jsonencode({ Version = "2012-10-17" Statement = [ { Sid = "AllowEC2Access" Effect = "Allow" Principal = { AWS = aws_iam_role.ec2.arn } Action = [ "elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite" ] Resource = aws_efs_file_system.main.arn Condition = { Bool = { "aws:SecureTransport" = "true" } } } ] })}
# ============================================================# Mount EFS on EC2 (User Data)# ============================================================
resource "aws_instance" "web" { ami = "ami-12345678" instance_type = "m5.large" subnet_id = var.private_subnet_ids[0]
user_data = <<-EOF #!/bin/bash # Install EFS utils yum install -y amazon-efs-utils
# Create mount directory mkdir -p /mnt/efs
# Mount EFS with TLS mount -t efs -o tls ${aws_efs_file_system.main.id}:/ /mnt/efs
# Add to fstab for automatic mount echo "${aws_efs_file_system.main.id}:/ /mnt/efs efs defaults,_netdev 0 0" >> /etc/fstab EOF
tags = { Name = "web-server" }}
# ============================================================# EFS for Lambda (Access via VPC)# ============================================================
resource "aws_lambda_function" "efs_processor" { function_name = "efs-processor" role = aws_iam_role.lambda.arn runtime = "python3.11" handler = "index.handler"
filename = "function.zip"
# VPC configuration vpc_config { subnet_ids = var.private_subnet_ids security_group_ids = [aws_security_group.lambda.id] }
# EFS mount file_system_config { arn = aws_efs_access_point.app.arn local_mount_path = "/mnt/data" }}18.7 EFS vs EBS vs S3
Section titled “18.7 EFS vs EBS vs S3” Storage Service Comparison+------------------------------------------------------------------+| || Feature | EFS | EBS | S3 || ---------------|---------------|---------------|--------------|| Type | File (NFS) | Block | Object || Access | Multi-instance| Single instance| API/HTTP || Protocol | NFSv4 | Block device | REST API || Scale | Petabytes | Up to 16 TB | Unlimited || AZ Scope | Regional | Single AZ | Regional || Max Volume | Unlimited | 16 TB | 5 TB/object || Latency | Low | Lowest | Higher || POSIX | Yes | Yes | No || Concurrent | Yes | Multi-Attach | Yes || ---------------|---------------|---------------|--------------|| Use Case | Shared files | Boot volumes | Static files || | Home dirs | Databases | Backups || | Content mgmt | High IOPS | Data lake || |+------------------------------------------------------------------+18.8 Why This Matters in DevOps/SRE
Section titled “18.8 Why This Matters in DevOps/SRE”EFS is the go-to for shared file storage across compute — containers (ECS/EKS), Lambda, and multi-instance EC2 deployments. SREs use it for shared configs, content management, and persistent storage for stateless applications.
18.9 Linux Systems Perspective
Section titled “18.9 Linux Systems Perspective”EFS Mounting & Management from Arch Linux
Section titled “EFS Mounting & Management from Arch Linux”# Install NFS and EFS utilitiessudo pacman -S nfs-utils aws-cli-v2 jq
# Mount EFS manually (NFS4)sudo mkdir -p /mnt/efssudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 \ fs-12345678.efs.us-east-1.amazonaws.com:/ /mnt/efs
# Auto-mount via /etc/fstabecho "fs-12345678.efs.us-east-1.amazonaws.com:/ /mnt/efs nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,_netdev 0 0" | sudo tee -a /etc/fstab
# EFS monitoring script#!/bin/bash# ~/bin/efs-status.shecho "=== EFS File Systems ==="aws efs describe-file-systems \ --query 'FileSystems[*].{Name:Name,ID:FileSystemId,Size:SizeInBytes.Value,State:LifeCycleState,Mode:PerformanceMode}' \ --output table
echo ""echo "=== Mount Targets ==="aws efs describe-mount-targets \ --file-system-id fs-12345678 \ --query 'MountTargets[*].{AZ:AvailabilityZoneName,IP:IpAddress,State:LifeCycleState,SubnetId:SubnetId}' \ --output table
# Check NFS mount performancedd if=/dev/zero of=/mnt/efs/test bs=1M count=100 oflag=direct18.10 Troubleshooting Guide
Section titled “18.10 Troubleshooting Guide”| Issue | Cause | Solution |
|---|---|---|
| Mount hangs | Security group blocks NFS (2049) | Add inbound TCP 2049 to mount target SG |
| Permission denied | POSIX permissions mismatch | Use Access Points to enforce UID/GID |
| Slow throughput | Bursting mode with small storage | Switch to Elastic or Provisioned throughput |
| Lambda can’t access EFS | Lambda not in VPC or wrong SG | Configure VPC, verify Lambda SG allows NFS outbound |
| High cost | All files in Standard class | Enable lifecycle policy to move to IA after 30 days |
18.11 Interview Questions
Section titled “18.11 Interview Questions”-
Q: EFS vs EBS — when to use each?
- A: EFS: shared file access across instances/AZs, POSIX-compliant, auto-scaling, serverless (Lambda). EBS: single-instance block storage, lowest latency, boot volumes, databases. Use EFS when multiple compute resources need the same files; use EBS when you need raw block device performance.
-
Q: How would you optimize EFS costs?
- A: (1) Enable lifecycle management to move infrequently accessed files to IA (up to 92% savings), (2) Use Elastic throughput mode instead of Provisioned if workload is spiky, (3) Use One Zone storage class for non-critical data (47% cheaper than Standard), (4) Monitor with CloudWatch
MeteredIOBytesto track actual usage.
- A: (1) Enable lifecycle management to move infrequently accessed files to IA (up to 92% savings), (2) Use Elastic throughput mode instead of Provisioned if workload is spiky, (3) Use One Zone storage class for non-critical data (47% cheaper than Standard), (4) Monitor with CloudWatch
18.12 Exam Tips
Section titled “18.12 Exam Tips”
- EFS: Managed NFS file system, POSIX-compliant
- Performance Modes: General Purpose (default), Max I/O (parallel)
- Throughput Modes: Bursting (default), Provisioned, Elastic
- Storage Classes: Standard, Infrequent Access (IA)
- Lifecycle: Automatically move files to IA based on access
- Mount Targets: Per-AZ endpoint, requires security group
- Access Points: Simplify application access, enforce identity
- Encryption: At rest (KMS), in transit (TLS)
- Multi-AZ: EFS is regional, accessible from all AZs
- Lambda: Can mount EFS via VPC configuration
Next Chapter
Section titled “Next Chapter”Chapter 19: Amazon FSx - File Storage Solutions
Last Updated: March 2026