AWS Storage
EFS
Fully managed elastic NFS file system for Linux-based workloads
Amazon EFS (Elastic File System) is a fully managed, elastic NFS v4.1/v4.2 file system that automatically grows and shrinks as you add and remove files, with no provisioning required. Multiple EC2 instances, containers, and Lambda functions can mount the same EFS file system simultaneously, making it ideal for shared storage in distributed and containerized workloads. EFS is Linux-only and abstracts away all capacity management, but costs significantly more per GB than EBS.
How EFS Works - Architecture and Mount Targets
EFS stores data redundantly across multiple AZs in a region. You access it through Mount Targets - one per AZ - which are NFS endpoints with an IP address in your VPC subnet.
| Component | Description |
|---|---|
| EFS File System | Regional resource - data replicated across AZs |
| Mount Target | NFS endpoint in a specific AZ subnet - attach one per AZ |
| DNS name | fs-xxxxxxxx.efs.us-east-1.amazonaws.com - resolves to AZ-local mount target |
| EFS Access Points | Application-specific entry points with enforced POSIX identity and root directory |
| NFS version | NFSv4.0 and NFSv4.1 supported - NFSv4.1 recommended |
```shell
# Install NFS utilities and mount EFS (Amazon Linux 2)
sudo yum install -y amazon-efs-utils

# Mount using EFS mount helper (recommended - handles TLS and IAM)
sudo mount -t efs -o tls fs-xxxxxxxxx:/ /mnt/efs

# Mount at boot via /etc/fstab
fs-xxxxxxxxx:/ /mnt/efs efs _netdev,tls 0 0

# Mount via NFS directly
sudo mount -t nfs4 \
    -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 \
    fs-xxxxxxxxx.efs.us-east-1.amazonaws.com:/ /mnt/efs
```
Always use the amazon-efs-utils mount helper when possible. It handles TLS encryption in transit, automatically retries connections, and supports IAM authorization. The helper is available on Amazon Linux 2 and Amazon Linux 2023 by default.
Performance Modes and Throughput Modes
EFS has two independent configuration dimensions: performance mode (latency characteristics) and throughput mode (how throughput is determined). Understanding both is essential for sizing EFS correctly.
| Setting | Option | When to Use |
|---|---|---|
| Performance Mode | General Purpose | Default - lower latency - web servers, content mgmt, home dirs |
| Performance Mode | Max I/O | Higher aggregate throughput, higher latency - big data, parallel workloads with 100s of instances |
| Throughput Mode | Elastic (recommended) | Automatically scales throughput up to 3 GB/s read, 1 GB/s write - pay per use |
| Throughput Mode | Bursting | Throughput tied to storage size (50 MB/s per TB, burst to 100 MB/s or higher) |
| Throughput Mode | Provisioned | Specify throughput independent of storage size - predictable workloads |
Max I/O performance mode increases latency for metadata-heavy operations. Do not use it for general workloads - only when you have hundreds of clients and need maximum aggregate throughput. It cannot be changed after creation.
Elastic throughput mode is now the recommended default for most workloads. It eliminates the need to predict throughput requirements and avoids the complexity of burst credits.
EFS Storage Classes and Lifecycle Management
EFS has its own storage tiers similar to S3, with automatic lifecycle management to move infrequently accessed files to cheaper storage.
| Storage Class | Cost (us-east-1) | Access Pattern | Retrieval Fee |
|---|---|---|---|
| EFS Standard | $0.30/GB-month | Frequently accessed | None |
| EFS Infrequent Access (IA) | $0.025/GB-month | Infrequently accessed | $0.01/GB read |
| EFS Archive | $0.008/GB-month | Rarely accessed (long-term) | $0.03/GB read |
| EFS Standard - One Zone | $0.16/GB-month | Frequent, single-AZ only | None |
| EFS One Zone-IA | $0.0133/GB-month | Infrequent, single-AZ | $0.01/GB read |
Lifecycle policies automatically transition files between Standard and IA tiers:
```shell
# Enable lifecycle management to move files to IA after 30 days of no access
aws efs put-lifecycle-configuration \
    --file-system-id fs-xxxxxxxxx \
    --lifecycle-policies \
    TransitionToIA=AFTER_30_DAYS,\
    TransitionToPrimaryStorageClass=AFTER_1_ACCESS
```
TransitionToPrimaryStorageClass=AFTER_1_ACCESS is a key setting - it moves files back to the Standard tier the first time they are accessed after being moved to IA, preventing repeated retrieval fees for files that get accessed multiple times.
EFS Security - IAM, POSIX, and Encryption
EFS supports multiple security controls: NFS-level POSIX permissions, EFS resource policies, IAM authorization, and access points. Layering these correctly is essential for shared multi-tenant file systems.
| Control | Mechanism | Use Case |
|---|---|---|
| POSIX permissions | Linux user/group/other permissions on files and directories | Standard Linux file access control |
| EFS resource policy | Resource-based policy attached to the file system | Allow/deny specific IAM principals, enforce TLS |
| IAM authorization | IAM condition keys (elasticfilesystem:*) | Control which roles can mount/read/write |
| EFS Access Points | Named entry points with enforced UID/GID and root dir | Container workloads needing isolated directory trees |
| VPC Security Groups | SG on mount target allows port 2049 (NFS) | Network-level access control |
```shell
# Create an access point for a containerized app (enforces UID 1000, /app directory)
aws efs create-access-point \
    --file-system-id fs-xxxxxxxxx \
    --posix-user Uid=1000,Gid=1000 \
    --root-directory "Path=/app,CreationInfo={OwnerUid=1000,OwnerGid=1000,Permissions=755}"
```
EFS access points are the recommended pattern for ECS and EKS workloads. Each task/pod gets its own access point with a specific directory and POSIX identity, preventing containers from accessing each other's data even though they share the same file system.
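The controls in the table above combined into one EFS file system policy, as an added example that is not from this page or from AWS documentation: `build_policy` produces a policy that denies any client without TLS and lets a single IAM role mount and write only through one access point, and `audit_policy` flags the weak patterns (anonymous principal, root access, no access-point scoping, no TLS requirement) in a policy retrieved with `aws efs describe-file-system-policy`. The account ID, file system, access point and role ARNs are placeholders.

```python
import json

# Constructed placeholder ARNs (hypothetical account, file system, access point, role)
FS_ARN = "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-EXAMPLE"
AP_ARN = "arn:aws:elasticfilesystem:us-east-1:111122223333:access-point/fsap-EXAMPLE"
ROLE_ARN = "arn:aws:iam::111122223333:role/app-task-role"


def build_policy(fs_arn, ap_arn, role_arn):
    """File system policy: one role, one access point, TLS mandatory."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Only the task role may mount/write, and only via its own access point
                "Sid": "AllowAppViaAccessPoint",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
                "Resource": fs_arn,
                "Condition": {"StringEquals": {"elasticfilesystem:AccessPointArn": ap_arn}},
            },
            {   # Reject every NFS session that did not negotiate TLS (mounted without -o tls)
                "Sid": "DenyUnencryptedTransport",
                "Effect": "Deny",
                "Principal": {"AWS": "*"},
                "Action": "elasticfilesystem:*",
                "Resource": fs_arn,
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def audit_policy(policy):
    """Return a list of findings; an empty list means all four checks passed."""
    findings, denies_plaintext = [], False
    for st in policy.get("Statement", []):
        sid, effect = st.get("Sid", "<no Sid>"), st.get("Effect")
        actions = st.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        cond = st.get("Condition", {})
        if effect == "Deny" and cond.get("Bool", {}).get("aws:SecureTransport") == "false":
            denies_plaintext = True
        if effect != "Allow":
            continue
        # Principal "*" with no access-point condition = any client that can reach a mount target
        if st.get("Principal") in ("*", {"AWS": "*"}):
            findings.append(f"{sid}: anonymous access allowed")
        if any(a in ("elasticfilesystem:ClientRootAccess", "elasticfilesystem:*") for a in actions):
            findings.append(f"{sid}: grants root access")
        if "elasticfilesystem:AccessPointArn" not in json.dumps(cond):
            findings.append(f"{sid}: not scoped to an access point")
    if not denies_plaintext:
        findings.append("no statement denies unencrypted transport")
    return findings
```

Apply the generated document with `aws efs put-file-system-policy --file-system-id <id> --policy file://policy.json`; run `audit_policy` over the output of `describe-file-system-policy` for existing file systems.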
EFS vs EBS vs S3 - Choosing the Right Storage
Choosing between EFS, EBS, and S3 depends on your access pattern, number of clients, operating system, and latency requirements.
| Dimension | EBS | EFS | S3 |
|---|---|---|---|
| Access model | Block (like a hard drive) | File (NFS) | Object (HTTP API) |
| Concurrent access | Single EC2 (Multi-Attach for io1/io2 with cluster FS) | Thousands of clients simultaneously | Unlimited via API |
| OS support | Linux and Windows | Linux only | Any (HTTP) |
| Latency | Sub-millisecond | 1-3ms | 10-100ms |
| Scalability | Up to 64 TiB per volume | Petabytes, elastic | Virtually unlimited |
| Cost (us-east-1) | from $0.08/GB | $0.30/GB (Standard) | $0.023/GB (Standard) |
| Typical use | Database volumes, OS boot | Shared home dirs, CMS, ML training data | Data lake, backups, static assets |
Interview Focus Points
1. When would you choose EFS over EBS for a web application workload?
2. How does EFS handle availability - what happens if an AZ goes down while instances are writing to it?
3. Explain EFS storage classes and when you would configure lifecycle policies.
4. How would you use EFS Access Points to isolate storage for different microservices in an ECS cluster?
5. What is the difference between EFS General Purpose and Max I/O performance modes?
6. A Lambda function needs to read a shared configuration file that updates frequently. Would you use EFS or S3? Why?
7. How do you mount EFS in an EKS pod using the EFS CSI driver?
8. What are the cost trade-offs between EFS Elastic throughput and Provisioned throughput modes?