Jeff Tilton

Reputation: 1296

AWS EFS mount permission denied

I am trying to mount an EFS to an EC2 instance. I was first timing out, then created a new security group for my VPC with my EC2 instance as the source and added this to my EFS. I am now getting a permission denied error. I read that I needed to "check your file system policy and your identity policy to ensure there are no DENY clauses that apply to your connection, and that there is at least one ALLOW clause that applies to the connection."

I have not changed my security policy on the EFS, and it looks like the below. I am a little lost on whether I need to change anything. I see a deny and an allow clause. Is this the source of my permission denied error, or is it something else? If it is, is there information on how to edit it?

{
    "Version": "2012-10-17",
    "Id": "efs-policy-wizard-",
    "Statement": [
        {
            "Sid": "efs-statement-",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "*",
            "Resource": "arn:aws:elasticfilesystem:",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Sid": "efs-statement-",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientRootAccess"
            ],
            "Resource": "arn:aws:elasticfilesystem:"
        }
    ]
}

I do not seem to have an IAM policy for any EFS access. Is this my problem? Is there information on how to create one for an EFS mount?

Thank you.

Upvotes: 5

Views: 21281

Answers (2)

Qin Heyang

Reputation: 1674

You need to first check the mount options and policies as instructed by https://aws.amazon.com/premiumsupport/knowledge-center/efs-enable-read-write-access/

If they both look good, then test your permissions with sudo. If you can write to the EFS with sudo, then you can just grant non-root users the privileges with sudo chmod 777 /your/efs/mount/point

Upvotes: 2

Chris Williams

Reputation: 35188

This is a resource policy for the EFS mount. By adding the condition to deny all actions when not using TLS, it will deny if you're not establishing a mount using TLS.

To do this, either look at these instructions or remove the deny block, relying instead on security groups.

Additional example resource policies can be found here.

Upvotes: 3
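The evaluation described in this answer, as an added example that is not from the question, the answers, or AWS: a small Python evaluator for the policy posted in the question, assuming a constructed placeholder file system ARN in place of the truncated ones. It shows that a mount request without TLS hits the explicit Deny, a mount over TLS is allowed, and, because the Allow statement grants only ClientMount and ClientRootAccess, a ClientWrite request is not allowed by this policy either.

```python
import fnmatch

# Added example (not from the question or AWS): a minimal evaluator for the posted
# file system policy. The post's ARNs are truncated, so a constructed placeholder is used.
FS_ARN = "arn:aws:elasticfilesystem:REGION:ACCOUNT:file-system/fs-PLACEHOLDER"

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Deny everything when the request is not over TLS (aws:SecureTransport false)
            "Effect": "Deny",
            "Principal": {"AWS": "*"},
            "Action": "*",
            "Resource": FS_ARN,
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # Allow only mounting and root access; there is no ClientWrite grant here
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientRootAccess"],
            "Resource": FS_ARN,
        },
    ],
}

def _matches(value, patterns):
    # IAM-style wildcard matching of an action or resource against one or more patterns.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_matches(condition, context):
    # Only the Bool operator is implemented, which is all this policy uses.
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"unsupported condition operator {operator}")
        for key, expected in pairs.items():
            if str(context.get(key, "")).lower() != str(expected).lower():
                return False
    return True

def evaluate(policy, action, resource, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny'; an explicit Deny always wins."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_matches(action, stmt["Action"]) and _matches(resource, stmt["Resource"])
                and _condition_matches(stmt.get("Condition", {}), context)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Call evaluate() with {"aws:SecureTransport": "false"} to model a plain NFS mount and with "true" to model a mount through the EFS mount helper's TLS option.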
