AWS: EFS

Created: October 04, 2020

EFS requires endpoints created within a VPC. The endpoints are called mount targets.
Mount targets are identified by their mount target ID.
Mount targets appear inside subnets and have both a DNS name and an IP address.
The EFS file system’s DNS name resolves to a mount target’s IP address.
1000s of instances can connect to a single EFS file system.
Instances in other VPCs can be connected via VPC Peering.
On-premise clients can connect using a VPC or Direct Connect connection.
Automatic backups are enabled by default and use AWS Backup.
Lifecycle management moves files that have not been accessed for a period of time to the EFS Infrequent Access Storage class.

Performance

Two performance modes: general purpose and max I/O. This is configured at ESF file system creation.
Two throughput modes:
- Bursting: throughput scales with the file system size.
- Provisioned: a fixed level of throughput.
- This is configured at ESF file system creation.

EFS has encryption at rest and encrption in transit capabilities.
Encryption at rest is enabled by default.
KMS manages encryption keys.
Custom KMS keys can be used. If they are not used, the default key is used.
Encryption at rest and encryption in transit can be configured separately or together.

Administration of EFS can be controlled via used-based or resource-based IAM policies.
NFS clients access to file systems can be controlled via resource-based IAM policies.
The standard POSIX and NFS permissions also apply.

File system level (with the EFS dashboard):

CloudWatch:

Available Metrics: