BT

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ

Topics

Choose your language

InfoQ Homepage News Amazon Elastic File System New Features: IAM Authorization and Access Points

Amazon Elastic File System New Features: IAM Authorization and Access Points

Bookmarks

Amazon’s Elastic File System (EFS) Service (EFS) offers a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources. Recently Amazon announced updates for this service by adding two new features, namely Identity and Access Management (IAM) authorization for Network File System (NFS) and EFS Access Points

The target use case for EFS is storing large quantities of data that need high-throughput read and write access, such as high-volume analytic workloads, where the volume of data cannot be stored on a single EC2 instance's Elastic Block Store (EBS). According to AWS, customers using EFS get:

  • Strong file system consistency across three Availability Zones
  • Performance that scales with the amount of data stored
  • The ability to provision the throughput. 

Last year, the team responsible for the EFS service focused on cost reduction, introducing the EFS Infrequent Access (IA) storage class. This allowed customers to reduce costs by setting up life cycle management policies that moved files that haven’t been accessed for a certain amount of days to the cheaper EFS IA storage tier.

Now the has team added:

  • Identity and Access Management (IAM) authorization for Network File System (NFS) in order to identify clients and use IAM policies to manage client-specific permissions
  • EFS Access Points to enforce the use of an operating system user and group, optionally restricting access to a directory in the file system.

Scott Francis, a solution architect at AWS, said in a tweet

If you’re using EFS, the addition of these features (which map roughly to traditional NFS usermap.cfg and mount-level and file-level restrictions) should make EFS much more closely approximate to the management feature set of conventional NFS servers.

With IAM, users can set up file system policies when creating or updating ESF, which are applicable for all NFS clients connecting to a file system. During the setup process, users can choose a combination of predefined policy statements, and set the policy and review the JSON. Moreover, the user can alter the JSON data to fit more complex scenarios and, for example, give individual accounts or IAM roles more privileges. 


Source: https://aws.amazon.com/blogs/aws/new-for-amazon-efs-iam-authorization-and-access-points/

Lastly, every time an IAM permission is checked, the AWS CloudTrail console logs an appropriate event, making the process auditable.

The new Access Point feature has a similar purpose as IAM, providing enterprise system administrators more control when allowing applications file system access. Furthermore, these administrators can specify which POSIX user and group to use when accessing the file system, and restrict access to a directory within a file system. 

Source: https://docs.aws.amazon.com/efs/latest/ug/create-access-point.html

In the Amazon blog post on the EFS updates, Danilo Poccia, principal evangelist at AWS, mentions the benefits of Access Points:

  • Container-based environments, where developers build and deploy their own containers
  • Data science applications that require read-only access to production data
  • Sharing a specific directory in your file system with other AWS accounts

Both IAM authorizations for NFS clients and EFS Access Points are available in all regions where EFS is available, and there is no additional cost for using them. Furthermore, details about using EFS with IAM and Access Points are available in the documentation.

Rate this Article

Adoption
Style

BT