Interface CfnFileSystemProps
- All Superinterfaces: software.amazon.jsii.JsiiSerializable
- All Known Implementing Classes: CfnFileSystemProps.Jsii$Proxy
@Generated(value="jsii-pacmak/1.127.0 (build 2117ad5)", date="2026-04-14T18:32:03.777Z")
@Stability(Stable)
public interface CfnFileSystemProps extends software.amazon.jsii.JsiiSerializable
Properties for defining a CfnFileSystem.
Example:
import java.util.List;
import java.util.Map;
import software.amazon.awscdk.*;
import software.amazon.awscdk.services.ec2.*;
import software.amazon.awscdk.services.iam.*;
import software.amazon.awscdk.services.lambda.*;
// Single-type import so that Runtime does not clash with java.lang.Runtime.
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awscdk.services.s3.*;
import software.amazon.awscdk.services.s3files.*;

Vpc vpc = new Vpc(this, "Vpc");

// Versioning is required: S3 Files relies on object versions for consistency.
Bucket bucket = Bucket.Builder.create(this, "Bucket").versioned(true).build();

// S3 Files assumes this role to sync data between S3 and the file system.
Role role = Role.Builder.create(this, "S3FilesRole")
        .assumedBy(new ServicePrincipal("elasticfilesystem.amazonaws.com"))
        .build();

// S3 permissions: read/write access to the bucket and objects
role.addToPolicy(PolicyStatement.Builder.create()
        .actions(List.of("s3:ListBucket*"))
        .resources(List.of(bucket.getBucketArn()))
        .build());
role.addToPolicy(PolicyStatement.Builder.create()
        .actions(List.of("s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject*", "s3:List*", "s3:PutObject*"))
        .resources(List.of(bucket.arnForObjects("*")))
        .build());

// EventBridge permissions: S3 Files creates rules prefixed "DO-NOT-DELETE-S3-Files"
// to detect S3 object changes and trigger data synchronization.
// Write actions are scoped to that rule prefix and to rules managed by the service.
role.addToPolicy(PolicyStatement.Builder.create()
        .actions(List.of("events:DeleteRule", "events:DisableRule", "events:EnableRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets"))
        .resources(List.of(String.format("arn:%s:events:*:*:rule/DO-NOT-DELETE-S3-Files*", Aws.PARTITION)))
        .conditions(Map.of("StringEquals", Map.of("events:ManagedBy", "elasticfilesystem.amazonaws.com")))
        .build());
// Read-only rule discovery; these actions are granted on all rules.
role.addToPolicy(PolicyStatement.Builder.create()
        .actions(List.of("events:DescribeRule", "events:ListRuleNamesByTarget", "events:ListRules", "events:ListTargetsByRule"))
        .resources(List.of(String.format("arn:%s:events:*:*:rule/*", Aws.PARTITION)))
        .build());

CfnFileSystem fileSystem = CfnFileSystem.Builder.create(this, "S3FilesFs")
        .bucket(bucket.getBucketArn())
        .roleArn(role.getRoleArn())
        .build();

SecurityGroup sg = SecurityGroup.Builder.create(this, "MountTargetSG").vpc(vpc).build();

// Create a mount target in each private subnet so Lambda can reach the file system via NFS.
List<ISubnet> privateSubnets = vpc.getPrivateSubnets();
for (int i = 0; i < privateSubnets.size(); i++) {
    CfnMountTarget.Builder.create(this, "MountTarget" + i)
            .fileSystemId(fileSystem.getAttrFileSystemId())
            .subnetId(privateSubnets.get(i).getSubnetId())
            .securityGroups(List.of(sg.getSecurityGroupId()))
            .build();
}

// The access point defines the POSIX identity and root path Lambda uses on the file system.
CfnAccessPoint accessPoint = CfnAccessPoint.Builder.create(this, "AccessPoint")
        .fileSystemId(fileSystem.getAttrFileSystemId())
        .rootDirectory(RootDirectoryProperty.builder()
                .path("/export/lambda")
                .creationPermissions(CreationPermissionsProperty.builder().ownerGid("1001").ownerUid("1001").permissions("750").build())
                .build())
        .posixUser(PosixUserProperty.builder().gid("1001").uid("1001").build())
        .build();

Function fn = Function.Builder.create(this, "MyFunction")
        .runtime(Runtime.NODEJS_LATEST)
        .handler("index.handler")
        // Asset path is resolved relative to the CDK app's working directory.
        .code(Code.fromAsset("lambda-handler"))
        .vpc(vpc)
        .filesystem(FileSystem.fromS3FilesAccessPoint(accessPoint, "/mnt/s3files"))
        .build();
Nested Class Summary
Nested Classes (Modifier and Type, Interface, Description):
- static final class CfnFileSystemProps.Builder: A builder for CfnFileSystemProps
- static final class CfnFileSystemProps.Jsii$Proxy: An implementation for CfnFileSystemProps
Method Summary
Methods (Modifier and Type, Method, Description):
- static CfnFileSystemProps.Builder builder()
- default Object getAcceptBucketWarning(): Returns union: either Boolean or IResolvable
- default String
- default String
- default String
- default Object getSynchronizationConfiguration(): Returns union: either IResolvable or CfnFileSystem.SynchronizationConfigurationProperty
- getTags()
Methods inherited from interface software.amazon.jsii.JsiiSerializable
$jsii$toJson
Method Details
- getBucket
- getRoleArn
- getAcceptBucketWarning
  Returns union: either Boolean or IResolvable
- getClientToken
- getKmsKeyId
- getPrefix
- getSynchronizationConfiguration
  Returns union: either IResolvable or CfnFileSystem.SynchronizationConfigurationProperty
- getTags
- builder
  Returns: a CfnFileSystemProps.Builder of CfnFileSystemProps