Elastic File System (EFS) provides a simple, serverless, set-and-forget NFS, POSIX-compliant file system for Linux based cloud and on-premises resources. It is built to scale on demand to petabytes without disrupting applications, growing and shrinking automatically as you add and remove files, eliminating the need to provision and manage capacity to accommodate growth.
EFS is restricted to one VPC at a time; VPC peering does work. EFS uses port 2049; add a mount target to more than one AZ. On-prem servers can mount EFS using the ENI IP address.
EFS service options
EFS has two tiers of storage: standard and IA; there is a lifecycle feature as well but the IA storage class must be enabled with a policy. Data can be replicated using EFS Cross-Region Replication delivering a RPO/RTO of minutes.
Availability and durability: regional and one zone. One zone is good for big data, media processing, content management, web serving or home directories that don’t require multi-AZ.
EFS has two performance modes, which can’t be changed after creation: General Performance & Max I/O which supports 20-1000s of EC2 with increased latency.
EFS has two throughput modes: Bursting & Provisioned Throughput (which is a fixed amount of throughput) modes
Security & Access Control
Data encryption is set up at file system creation. Encryption in transit is set when you mount the file system. Standard access control can be controlled via IAM, resource policies (called File system policies), & security groups.
Using EFS Access Points, like S3 Access Points, more granular access control is easier. EFS Access Points can enforce a user identity, including the user’s POSIX groups, for all file system requests that are made through the access point. Access points can also enforce a different root directory for the file system so that clients can only access data in the specified directory or its subdirectories. EFS Mount Helper, a recommend approach for mounting EFS, uses TLS.