

# Mounting EFS file systems using the EFS mount helper

After you install the Amazon EFS client (`amazon-efs-utils`), you can use the EFS mount helper to mount EFS file systems on your EC2 Linux and Mac instances running a [supported distribution](using-amazon-efs-utils.md#efs-utils-supported-distros). Amazon EFS does not support mounting from EC2 Windows instances.

**Important**  
We recommend that you always use the most current version of `amazon-efs-utils` to ensure successful mounting. For example, versions of `amazon-efs-utils` prior to 2.3 do not support mounting with IPv6 addresses.

When mounting a file system, the mount helper defines a new network file system type, called `efs`, which is fully compatible with the standard `mount` command in Linux. The mount helper also supports mounting an EFS file system at instance boot time automatically by using entries in the `/etc/fstab` configuration file on EC2 Linux instances.

**Warning**  
When mounting your file system automatically, use the `_netdev` option, which identifies network file systems. If `_netdev` is missing, your EC2 instance might stop responding, because network file systems need to be initialized after the compute instance starts its networking. For more information, see [Automatic mounting fails and the instance is unresponsive](troubleshooting-efs-mounting.md#automount-fails).

You can mount a file system by specifying one of the following properties:
+ **File system DNS name** – If you use the file system DNS name, and the mount helper cannot resolve it, for example when you are mounting a file system in a different VPC, it will fall back to using the mount target IP address. For more information, see [Mounting EFS file systems from another AWS account or VPC](manage-fs-access-vpc-peering.md).
+ **File system ID** – If you use the file system ID, the mount helper resolves it to the local IP address of the mount target elastic network interface (ENI) without calling external resources.
+ **Mount target IP address** – You can use the IP address of one of the file system's mount targets.

You can find the value for all of these properties in the Amazon EFS console. The file system DNS name is found in the **Attach** screen.

When encryption of data in transit is declared as a mount option for your EFS file system, the mount helper initializes a client `stunnel` process, and a supervisor process called `amazon-efs-mount-watchdog`. The `amazon-efs-mount-watchdog` process monitors the health of TLS mounts, and is started automatically the first time an EFS file system is mounted over TLS. If your client is running on Linux, this process is managed by either `upstart` or `systemd` depending on your Linux distribution. For clients running on a supported macOS, it is managed by `launchd`.

`Stunnel` is an open-source multipurpose network relay. The client `stunnel` process listens on a local port for inbound traffic, and the mount helper redirects NFS client traffic to this local port. 

The mount helper uses TLS version 1.2 to communicate with your file system. Using TLS requires certificates, and these certificates are signed by a trusted Amazon Certificate Authority. For more information on how encryption works, see [Data encryption in Amazon EFS](encryption.md).

**Topics**
+ [Mount settings used by EFS mount helper](mount-helper-setting.md)
+ [Getting support logs](mount-helper-logs.md)
+ [Prerequisites for using the EFS mount helper](mount-helper-prerequisites.md)
+ [Mounting on EC2 Linux instances using the EFS mount helper](mounting-fs-mount-helper-ec2-linux.md)
+ [Mounting on EC2 Mac instances using the EFS mount helper](mounting-fs-mount-helper-ec2-mac.md)
+ [Mounting EFS file systems from a different AWS Region](mount-different-region.md)
+ [Mounting One Zone file systems](mounting-one-zone.md)
+ [Mounting with IAM authorization](mounting-IAM-option.md)
+ [Mounting with EFS access points](mounting-access-points.md)
+ [Mounting EFS to multiple EC2 instances](mount-multiple-ec2-instances.md)
+ [Mounting EFS file systems from another AWS account or VPC](manage-fs-access-vpc-peering.md)

# Mount settings used by EFS mount helper


The Amazon EFS mount helper client uses the following mount options that are optimized for Amazon EFS:
+ `nfsvers=4.1` – used when mounting on EC2 Linux instances

  `nfsvers=4.0` – used when mounting on supported EC2 Mac instances running macOS Big Sur, Monterey, and Ventura
+ `rsize=1048576` – Sets the maximum number of bytes of data that the NFS client can receive for each network READ request to 1048576, the largest available, to avoid diminished performance.
+ `wsize=1048576` – Sets the maximum number of bytes of data that the NFS client can send for each network WRITE request to `1048576`, the largest available, to avoid diminished performance.
+ `hard` – Sets the recovery behavior of the NFS client after an NFS request times out, so that NFS requests are retried indefinitely until the server replies, to ensure data integrity.
+ `timeo=600` – Sets the timeout value that the NFS client uses to wait for a response before it retries an NFS request to 600 deciseconds (60 seconds) to avoid diminished performance.
+ `retrans=2` – Sets to 2 the number of times the NFS client retries a request before it attempts further recovery action.
+ `noresvport` – Tells the NFS client to use a new non-privileged Transmission Control Protocol (TCP) source port when a network connection is reestablished. Using the `noresvport` option helps to ensure that your EFS file system has uninterrupted availability after a reconnection or network recovery event.
+ `mountport=2049` – only used when mounting on EC2 Mac instances running macOS Big Sur, Monterey, and Ventura.

# Getting support logs


The EFS mount helper has built-in logging for your EFS file system. You can share these logs with AWS Support for troubleshooting purposes. You can find the logs stored in `/var/log/amazon/efs` on clients using the EFS mount helper. These logs are for the EFS mount helper, the stunnel process (disabled by default), and for the `amazon-efs-mount-watchdog` process that monitors the stunnel process.

**Note**  
The `amazon-efs-mount-watchdog` process ensures that each mount's stunnel process is running, and stops the stunnel process when the EFS file system is unmounted. If for some reason a stunnel process is terminated unexpectedly, the watchdog process will restart it.

You can change the log configuration in `/etc/amazon/efs/efs-utils.conf`. In order for any log changes to take effect, you need to unmount and remount the file system using the EFS mount helper. Log capacity for the mount helper and watchdog logs is limited to 20 MiB. Logs for the stunnel process are disabled by default.

**Important**  
You can enable logging for the stunnel process logs. However, enabling the stunnel logs can use up a nontrivial amount of space on your file system.

# Prerequisites for using the EFS mount helper

You can mount an EFS file system on an Amazon EC2 instance using the Amazon EFS mount helper. To use the mount helper, you need the following:
+ **File system ID of the file system to mount** – The EFS mount helper resolves the file system ID to the local IP address of the mount target elastic network interface (ENI) without calling external resources.
+ **An EFS mount target** – You create mount targets in your virtual private cloud (VPC). If you create your file system in the console using the service recommended settings, a mount target is created in each Availability Zone in the AWS Region that the file system is in. For instructions to create mount targets, see [Managing mount targets](accessing-fs.md).

  **Note**  
  We recommend that you wait 60 seconds after the newly created mount target's lifecycle state is **available** before mounting the file system via DNS. This wait lets the DNS records propagate fully in the AWS Region where the file system resides.

  If you use a mount target in an Availability Zone different from that of your EC2 instance, you incur standard EC2 charges for data sent across Availability Zones. You also might see increased latencies for file system operations.
+ For mounting One Zone file systems from a different Availability Zone:
  + **The name of the file system's Availability Zone** – If you are mounting an EFS One Zone file system that is located in a different Availability Zone than the EC2 instance.
  + **Mount target DNS name** – Alternatively, you can specify the mount target's DNS name instead of the Availability Zone.
+ **An EC2 instance running one of the supported Linux or macOS distributions** – The supported distributions for mounting your file system with the mount helper are the following:
  + Amazon Linux 2
  + Amazon Linux 2023
  + Amazon Linux 2017.09 and newer
  + macOS Big Sur
  + Red Hat Enterprise Linux (and derivatives such as CentOS) version 7 and newer
  + Ubuntu 16.04 LTS and newer

  **Note**  
  EC2 Mac instances running macOS Big Sur support NFS 4.0 only.
+ **The EFS mount helper is installed on the EC2 instance** – The mount helper is a tool in the `amazon-efs-utils` package of utilities. For information about installing `amazon-efs-utils`, see [Installing the Amazon EFS client](using-amazon-efs-utils.md).
+ **The EC2 instance is in a VPC** – The connecting EC2 instance must be in a virtual private cloud (VPC) based on the Amazon VPC service. It also must be configured to use the DNS server provided by AWS. For information about the Amazon DNS server, see [DHCP option sets in Amazon VPC](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_DHCP_Options.html) in the *Amazon VPC User Guide*.
+ **VPC has DNS hostnames enabled** – The VPC of the connecting EC2 instance must have DNS hostnames enabled. For more information, see [DNS attributes for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-viewing) in the *Amazon VPC User Guide*.
+ **For EC2 instances and file systems in different AWS Regions** – If the EC2 instance and the file system you are mounting are located in different AWS Regions, you will need to edit the `region` property in the `efs-utils.conf` file. For more information, see [Mounting EFS file systems from a different AWS Region](mount-different-region.md).

# Mounting on EC2 Linux instances using the EFS mount helper

This procedure requires the following:
+ You have installed the `amazon-efs-utils` package on the Amazon EC2 instance. For more information, see [Manually installing the Amazon EFS client](installing-amazon-efs-utils.md).
+ You have created mount targets for the file system. For more information, see [Managing mount targets](accessing-fs.md).

**To mount your EFS file system using the mount helper on EC2 Linux instances**

1. Open a terminal window on your EC2 instance through Secure Shell (SSH), and log in with the appropriate user name. For more information, see [Connect to your EC2 instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect.html) in the *Amazon EC2 User Guide*. 

1. Create a directory `efs` that you will use as the file system mount point using the following command:

   ```
   sudo mkdir efs
   ```

1. Run one of the following commands to mount your file system.

   **Note**  
   If the EC2 instance and the file system you are mounting are located in different AWS Regions, see [Mounting EFS file systems from a different AWS Region](mount-different-region.md) to edit the `region` property in the `efs-utils.conf` file.
   + To mount using the file system id:

     ```
     sudo mount -t efs file-system-id efs-mount-point/
     ```

     Use the ID of the file system you are mounting in place of `file-system-id` and `efs` in place of `efs-mount-point`.

     ```
     sudo mount -t efs fs-abcd123456789ef0 efs/
     ```

     Alternatively, if you want to use encryption of data in transit, you can mount your file system with the following command.

     ```
     sudo mount -t efs -o tls fs-abcd123456789ef0:/ efs/
     ```
   + To mount using the file system DNS name:

     ```
     sudo mount -t efs -o tls file-system-dns-name efs-mount-point/
     ```

     ```
     sudo mount -t efs -o tls fs-abcd123456789ef0.efs.us-east-2.amazonaws.com efs/
     ```
   + To mount using the mount target IP address:

     ```
     sudo mount -t efs -o tls,mounttargetip=mount-target-ip file-system-id efs-mount-point/
     ```

     ```
     sudo mount -t efs -o tls,mounttargetip=192.0.2.0 fs-abcd123456789ef0 efs/
     ```

   You can view and copy the exact commands to mount your file system in the **Attach** dialog box.

   1. In the Amazon EFS console, choose the file system that you want to mount to display its details page.

   1. To display the mount commands to use for this file system, choose **Attach** in the upper right.

      The **Attach** screen displays the exact commands to use for mounting the file system in the following ways:
      + (**Mount via DNS**) Using the file system's DNS name with the EFS mount helper or an NFS client.
      + (**Mount via IP**) Using the mount target IP address in the selected Availability Zone with an NFS client.

# Mounting on EC2 Mac instances using the EFS mount helper

This procedure requires the following:
+ You have installed the `amazon-efs-utils` package on the Amazon EC2 Mac instance. For more information, see [Installing the Amazon EFS client on EC2 Mac instances running macOS Big Sur, macOS Monterey, or macOS Ventura](installing-amazon-efs-utils.md#install-efs-utils-macOS).
+ You have created mount targets for the file system. You can create mount targets at file system creation and add them to existing file systems. For more information, see [Managing mount targets](accessing-fs.md).
+ You are mounting the file system on an EC2 Mac instance running macOS Big Sur, Monterey, or Ventura. Other macOS versions are not supported.

**Note**  
Only EC2 Mac instances running macOS Big Sur, Monterey, and Ventura are supported. Other macOS versions are not supported for use with Amazon EFS.

**To mount your EFS file system using the EFS mount helper on EC2 Mac instances running macOS Big Sur, Monterey, or Ventura**

1. Open a terminal window on your EC2 Mac instance through Secure Shell (SSH), and log in with the appropriate user name. For more information, see [Connect to your EC2 instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect.html) in the *Amazon EC2 User Guide*. 

1. Create a directory to use as the file system mount point using the following command:

   ```
   sudo mkdir efs
   ```

1. Run the following command to mount your file system.

   **Note**  
   By default, the EFS mount helper uses encryption in transit when mounting on EC2 Mac instances, whether or not you use the `tls` option in the mount command.

   ```
   sudo mount -t efs file-system-id efs-mount-point/
   ```

   ```
   sudo mount -t efs fs-abcd123456789ef0 efs/
   ```

   You can also use the `tls` option when mounting.

   ```
   sudo mount -t efs -o tls fs-abcd123456789ef0:/ efs
   ```

   To mount a file system on an EC2 Mac instance without using encryption in transit, use the `notls` option, as shown in the following command.

   ```
   sudo mount -t efs -o notls file-system-id efs-mount-point/
   ```

   You can view and copy the exact commands to mount your file system in the management console's **Attach** dialog box, described as follows.

   1. In the Amazon EFS console, choose the file system that you want to mount to display its details page.

   1. To display the mount commands to use for this file system, choose **Attach** in the upper right.

      The **Attach** screen displays the exact commands to use for mounting the file system in the following ways:
      + (**Mount via DNS**) Using the file system's DNS name with the EFS mount helper or an NFS client.
      + (**Mount via IP**) Using the mount target IP address in the selected Availability Zone with an NFS client.

# Mounting EFS file systems from a different AWS Region

To mount your EFS file system from an EC2 instance that is in a different AWS Region than the file system, you must edit the `region` property value in the `efs-utils.conf` file.

**To edit the `region` property in `efs-utils.conf`**

1. Access the terminal for your EC2 instance through Secure Shell (SSH), and log in with the appropriate user name. For more information, see [Connect to your EC2 instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect.html) in the *Amazon EC2 User Guide*. 

1. Locate the `/etc/amazon/efs/efs-utils.conf` file, and open it using your preferred editor.

1. Locate the following line:

   ```
   #region = us-east-1
   ```

   1. Uncomment the line.

   1. If the file system is not located in the `us-east-1` Region, replace `us-east-1` with the ID of the Region in which the file system is located.

   1. Save the changes.

1. Add a host entry for the cross region mount. For more information on how to do this, see [Step 3: Add a host entry for the mount target](efs-different-vpc.md#wt6-efs-utils-step3).

1. Mount the file system using the EFS mount helper for [Linux](mounting-fs-mount-helper-ec2-linux.md) or [Mac](mounting-fs-mount-helper-ec2-mac.md) instances.

# Mounting One Zone file systems

EFS One Zone file systems support only a single mount target which is located in the same Availability Zone as the file system. You cannot add additional mount targets. This section describes things to consider when mounting One Zone file systems.

You can avoid data transfer charges between Availability Zones and achieve better performance by accessing an EFS file system using an Amazon EC2 compute instance that is located in the same Availability Zone as that of the file system's mount target. 

The procedures in this section require the following:
+ You have installed the `amazon-efs-utils` package on the EC2 instance. For more information, see [Installing the Amazon EFS client](using-amazon-efs-utils.md).
+ You have created a mount target for the file system. For more information, see [Managing mount targets](accessing-fs.md).

## Mounting One Zone file systems on EC2 in a different Availability Zone

If you are mounting a One Zone file system on an Amazon EC2 instance that is located in a different Availability Zone, you have to specify the file system's Availability Zone name or the DNS name of the file system's mount target in the mount helper mount command.

Create a directory called `efs` to use as the file system mount point using the following command:

```
sudo mkdir efs
```

Use the following command to mount the file system using the EFS mount helper. The command specifies the file system's Availability Zone name.

```
sudo mount -t efs -o az=availability-zone-name,tls file-system-id mount-point/
```

This is the command with sample values:

```
sudo mount -t efs -o az=us-east-1a,tls fs-abcd1234567890ef efs/
```

The following command mounts the file system, specifying the DNS name of the file system's mount target.

```
sudo mount -t efs -o tls mount-target-dns-name mount-point/
```

This is the command with an example mount target DNS name. 

```
sudo mount -t efs -o tls us-east-1a.fs-abcd1234567890ef9.efs.us-east-1.amazonaws.com efs/
```

### Mounting One Zone file systems in a different Availability Zone automatically with EFS mount helper


If you are using `/etc/fstab` to mount an EFS One Zone file system on an EC2 instance that is located in a different Availability Zone, you have to specify the file system's Availability Zone name or the DNS name of the file system's mount target in the `/etc/fstab` entry.

```
availability-zone-name.file-system-id.efs.aws-region.amazonaws.com:/ efs-mount-point efs defaults,_netdev,noresvport,tls 0 0
```

```
us-east-1a.fs-abc123def456a7890.efs.us-east-1.amazonaws.com:/ efs-one-zone efs defaults,_netdev,noresvport,tls 0 0
```

### Mounting One Zone file systems automatically with NFS


If you are using `/etc/fstab` to mount an EFS file system using One Zone storage on an EC2 instance that is located in a different Availability Zone, you have to specify the file system's Availability Zone name with the file system's DNS name in the `/etc/fstab` entry.

```
availability-zone-name.file-system-id.efs.aws-region.amazonaws.com:/ efs-mount-point nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport,_netdev 0 0
```

```
us-east-1a.fs-abc123def456a7890.efs.us-east-1.amazonaws.com:/ efs-one-zone nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport,_netdev 0 0
```

For more information about how to edit the `/etc/fstab` file, and the values used in this command, see [Automatically mounting EFS file systems](nfs-automount-efs.md).

## Mounting file systems with One Zone file system on other AWS compute instances

When you use a One Zone file system with Amazon Elastic Container Service, Amazon Elastic Kubernetes Service, or AWS Lambda, you need to configure the service to use the same Availability Zone that the EFS file system is located in, illustrated as follows, and described in the following sections.

![\[AWS compute instances connecting to an EFS One Zone file system.\]](http://docs.aws.amazon.com/efs/latest/ug/images/efs-mount-onezone.png)


### Connecting from Amazon Elastic Container Service


You can use EFS file systems with Amazon ECS to share file system data across your fleet of container instances so your tasks have access to the same persistent storage, no matter the instance on which they land. To use EFS One Zone file systems with Amazon ECS you should choose only subnets that are in the same Availability Zone as your file system when launching your task. For more information, see [Amazon EFS volumes](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/efs-volumes.html) in the *Amazon Elastic Container Service Developer Guide*.

### Connecting from Amazon Elastic Kubernetes Service


When mounting a One Zone file system from Amazon EKS, you can use the Amazon EFS [Container Storage Interface](https://docs.aws.amazon.com/eks/latest/userguide/efs-csi.html) (CSI) driver, which supports EFS access points, to share a file system between multiple pods in an Amazon EKS or self-managed Kubernetes cluster. The Amazon EFS CSI driver is installed in the Fargate stack. When using the Amazon EFS CSI driver with EFS One Zone file systems, you can use the `nodeSelector` option when launching your pod to ensure it gets scheduled within the same Availability Zone as your file system.

### Connecting from AWS Lambda


You can use Amazon EFS with AWS Lambda to share data across function invocations, read large reference data files, and write function output to a persistent and shared store. Lambda securely connects the function instances to the EFS mount targets that are in the same Availability Zone and subnet. When you use Lambda with One Zone file systems, configure your function to only launch invocations into subnets that are in the same Availability Zone as your file system.

# Mounting with IAM authorization

To mount your EFS file system on Linux instances using AWS Identity and Access Management (IAM) authorization, use the EFS mount helper. For more information about IAM authorization for NFS clients, see [Using IAM to control access to file systems](iam-access-control-nfs-efs.md).

You need to create a directory to use as the file system mount point in the following sections. You can use the following command to create a mount point directory `efs`:

```
sudo mkdir efs
```

You can then replace instances of `efs-mount-point` with `efs`.

## Mounting with IAM using an EC2 instance profile


If you are mounting with IAM authorization to an Amazon EC2 instance with an instance profile, use the `tls` and `iam` mount options, shown following.

```
$ sudo mount -t efs -o tls,iam file-system-id efs-mount-point/
```

To automatically mount with IAM authorization to an EC2 instance that has an instance profile, add the following line to the `/etc/fstab` file on the EC2 instance.

```
file-system-id:/ efs-mount-point efs _netdev,tls,iam 0 0
```

## Mounting with IAM using a named profile


You can mount with IAM authorization using the IAM credentials located in the AWS CLI credentials file `~/.aws/credentials`, or the AWS CLI config file `~/.aws/config`. If `"awsprofile"` is not specified, the "default" profile is used.

To mount with IAM authorization to a Linux instance using a credentials file, use the `tls`, `awsprofile`, and `iam` mount options, shown following.

```
$ sudo mount -t efs -o tls,iam,awsprofile=namedprofile file-system-id efs-mount-point/
```

To automatically mount with IAM authorization to a Linux instance using a credentials file, add the following line to the `/etc/fstab` file on the EC2 instance.

```
file-system-id:/ efs-mount-point efs _netdev,tls,iam,awsprofile=namedprofile 0 0
```

# Mounting with EFS access points

You can mount an EFS file system using an EFS access point only by using the EFS mount helper. 

**Note**  
You must configure one or more mount targets for your file system when mounting a file system using EFS access points.

When you mount a file system using an access point, the mount command includes the `accesspoint=access-point-id` and `tls` mount options in addition to the regular mount options. An example is shown following.

```
$ sudo mount -t efs -o tls,accesspoint=access-point-id file-system-id efs-mount-point
```

To automatically mount a file system using an access point, add the following line to the `/etc/fstab` file on the EC2 instance.

```
file-system-id efs-mount-point efs _netdev,tls,accesspoint=access-point-id 0 0
```

For more information about EFS access points, see [Working with access points](efs-access-points.md).
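The `/etc/fstab` entries shown in the One Zone, IAM, and access point sections above can be checked mechanically before a reboot. The following script is an added example, not part of the AWS documentation or of `amazon-efs-utils`: it flags `efs` entries that lack `_netdev` or `tls`, and compares `nfs4` entries that point at an EFS DNS name against the option list in "Mount settings used by EFS mount helper". The function names, finding codes, and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit fstab-style input for the EFS options this page describes.
# Function names and finding codes are hypothetical, not part of amazon-efs-utils.

# audit_efs_fstab FILE   (use "-" or no argument to read standard input)
#   Prints one finding per line as "<line-no> <mount-point> <CODE>".
#   Returns 0 when there are no findings, 1 otherwise.
audit_efs_fstab() {
    awk -v want="nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport" '
    function report(code) { printf "%d %s %s\n", NR, $2, code; findings++ }

    /^[ \t]*(#|$)/ { next }     # skip comments and blank lines
    NF < 4         { next }     # not a complete fstab entry

    {
        dev = $1; type = $3
        split("", key); split("", full)          # clear per-line option sets
        n = split($4, parts, ",")
        for (i = 1; i <= n; i++) {
            full[parts[i]] = 1                   # exact option, e.g. timeo=600
            k = parts[i]; sub(/=.*/, "", k)
            key[k] = 1                           # option name only, e.g. timeo
        }

        if (type == "efs") {
            # Entries handled by the EFS mount helper.
            if (!("_netdev" in key)) { report("NO_NETDEV") }
            if (!("tls" in key)) {
                # The page pairs both iam and accesspoint with tls.
                if ("iam" in key)              { report("NO_TLS_WITH_IAM") }
                else if ("accesspoint" in key) { report("NO_TLS_WITH_ACCESSPOINT") }
                else                           { report("NO_TLS") }
            }
        } else if ((type == "nfs" || type == "nfs4") &&
                   dev ~ /\.efs\.[a-z0-9-]+\.amazonaws\.com/) {
            # Informational: a plain NFS entry does not go through the mount
            # helper, so no stunnel process (and no TLS) is set up for it.
            report("NFS_NO_TLS")
            if (!("_netdev" in key)) { report("NO_NETDEV") }
            m = split(want, w, ",")
            for (i = 1; i <= m; i++) {
                if (!(w[i] in full)) { report("MISSING_OPT:" w[i]) }
            }
        }
    }

    END { exit (findings > 0) }
    ' "${1:--}"
}

# Constructed sample input, based on the placeholder IDs used on this page.
sample_fstab() {
cat <<'EOF'
# constructed sample fstab
fs-abcd123456789ef0:/ /mnt/efs efs _netdev,tls,iam 0 0
fs-abcd123456789ef0:/ /mnt/efs2 efs defaults,tls 0 0
fs-abcd123456789ef0 /mnt/ap efs _netdev,accesspoint=fsap-12345678 0 0
us-east-1a.fs-abc123def456a7890.efs.us-east-1.amazonaws.com:/ /mnt/oz nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport,_netdev 0 0
us-east-1a.fs-abc123def456a7890.efs.us-east-1.amazonaws.com:/ /mnt/oz2 nfs4 nfsvers=4.1,hard,_netdev 0 0
/dev/xvda1 / ext4 defaults 0 1
EOF
}

# Run against the sample; on a real host, call: audit_efs_fstab /etc/fstab
sample_fstab | audit_efs_fstab - || true
```
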

# Mounting EFS to multiple EC2 instances

You can mount EFS file systems to multiple Amazon EC2 instances remotely and securely without having to log in to the instances by using the AWS Systems Manager Run Command. For more information about AWS Systems Manager Run Command, see [AWS Systems Manager Run Command](https://docs.aws.amazon.com/systems-manager/latest/userguide/run-command.html) in the *AWS Systems Manager User Guide*. The following prerequisites are required before mounting EFS file systems using this method:

1. The EC2 instances are launched with an instance profile that includes the `AmazonElasticFileSystemsUtils` permissions policy. For more information, see [Step 1: Configure an IAM instance profile with the required permissions](setting-up-aws-sys-mgr.md#configure-sys-mgr-iam-instance-profile).

1. Version 1.28.1 or later of the Amazon EFS client (amazon-efs-utils package) is installed on the EC2 instances. You can use AWS Systems Manager to automatically install the package on your instances. For more information, see [Step 2: Configure an association used by State Manager](setting-up-aws-sys-mgr.md#config-sys-mgr-association).

**To mount multiple EFS file systems to multiple EC2 instances using the console**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Run Command**.

1. Choose **Run a command**.

1. Enter **AWS-RunShellScript** in the **Commands** search field.

1. Select **AWS-RunShellScript**.

1. In **Command parameters** enter the mount command to use for each EFS file system that you want to mount. For example:

   ```
   sudo mount -t efs -o tls fs-12345678:/ /mnt/efs
   sudo mount -t efs -o tls,accesspoint=fsap-12345678 fs-01233210 /mnt/efs
   ```

   For more information about EFS mount commands using the Amazon EFS client, see [Mounting on EC2 Linux instances using the EFS mount helper](mounting-fs-mount-helper-ec2-linux.md) or [Mounting on EC2 Mac instances using the EFS mount helper](mounting-fs-mount-helper-ec2-mac.md).

1. Select the target AWS Systems Manager managed EC2 instances that you want the command to run on.

1. Make any other additional settings you would like. Then choose **Run** to run the command and mount the EFS file systems specified in the command.

   Once you run the command, you can see its status in the command history.

# Mounting EFS file systems from another AWS account or VPC

You can mount your EFS file system using IAM authorization for NFS clients and EFS access points using the EFS mount helper. By default, the EFS mount helper uses domain name service (DNS) to resolve the IP address of your EFS mount target. If you are mounting the file system from a different account or virtual private cloud (VPC), you need to resolve the EFS mount target manually.

Following, you can find instructions for determining the correct EFS mount target IP address to use for your NFS client. You can also find instructions for configuring the client to mount the EFS file system using that IP address.

**Topics**
+ [Mounting EFS file systems from another AWS account](mount-fs-diff-account-same-vpc.md)
+ [Mounting EFS file systems from another VPC](mount-fs-different-vpc.md)

# Mounting EFS file systems from another AWS account

Using shared VPCs, you can mount an EFS file system that is owned by one AWS account from Amazon EC2 instances that are owned by a different AWS account. For more information about setting up a shared VPC, see [Share your VPC with other accounts](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html) in the *Amazon VPC Peering Guide*.

After you set up VPC sharing, the EC2 instances can mount the EFS file system using Domain Name System (DNS) name resolution or the EFS mount helper. We recommend using the EFS mount helper to mount your EFS file systems.

# Mounting EFS file systems from another VPC

When you use a VPC peering connection or transit gateway to connect VPCs, Amazon EC2 instances that are in one VPC can access EFS file systems in another VPC, even if the VPCs belong to different accounts. 

You can't use DNS name resolution for EFS mount points in another VPC. To mount your EFS file system, use the IP address of the mount points in the corresponding Availability Zone.

Alternatively, you can use Amazon Route 53 as your DNS service. In Route 53, you can resolve the EFS mount target IP addresses from another VPC by creating a private hosted zone and resource record set. For more information on how to do so, see [Working with private hosted zones](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-private.html) in the *Amazon Route 53 Developer Guide*.

## Prerequisites


Before using the following procedure, take these steps:
+ Install the Amazon EFS client, part of the `amazon-efs-utils` set of utilities on the compute instance you're mounting the EFS file system on. You use the EFS mount helper, which is included in `amazon-efs-utils`, to mount the file system. For instructions on installing `amazon-efs-utils`, see [Installing the Amazon EFS client](using-amazon-efs-utils.md).
+ Allow the `ec2:DescribeAvailabilityZones` action in the IAM policy for the IAM role you attached to the instance. We recommend that you attach the AWS managed policy `AmazonElasticFileSystemsUtils` to an IAM entity to provide the necessary permissions for the entity.
+ When mounting from another AWS account, update the file system resource policy to allow the `elasticfilesystem:DescribeMountTargets` action for the principal ARN of the other AWS account. For example:

  ```
  {
      "Id": "access-point-example03",
      "Statement": [
          {
              "Sid": "access-point-statement-example03",
              "Effect": "Allow",
              "Principal": {"AWS": "arn:aws:iam::555555555555:root"},
              "Action": "elasticfilesystem:DescribeMountTargets",
              "Resource": "arn:aws:elasticfilesystem:us-east-2:111122223333:file-system/fs-12345678"
          }
      ]
  }
  ```

  For more information about EFS file system resource policies, see [Resource-based policies within Amazon EFS](security_iam_service-with-iam.md#security_iam_service-with-iam-resource-based-policies).
+ Install botocore. When you mount a file system in another VPC and the file system DNS name cannot be resolved, the EFS client uses botocore to retrieve the mount target IP address. For more information, see [Install botocore](https://github.com/aws/efs-utils#Install-botocore) in the `amazon-efs-utils` README file.
+ Set up either a VPC peering connection or a VPC transit gateway. 

  You connect the client's VPC and your EFS file system's VPC using either a VPC peering connection or a VPC transit gateway. When you use a VPC peering connection or transit gateway to connect VPCs, Amazon EC2 instances that are in one VPC can access EFS file systems in another VPC, even if the VPCs belong to different accounts.

  A *transit gateway* is a network transit hub that you can use to interconnect your VPCs and on-premises networks. For more information about using VPC transit gateways, see [Getting Started with transit gateways](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-getting-started.html) in the *Amazon VPC Transit Gateways Guide*.

  A *VPC peering connection* is a networking connection between two VPCs. This type of connection enables you to route traffic between them using private Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) addresses. You can use VPC peering to connect VPCs within the same AWS Region or between AWS Regions. For more information on VPC peering, see [What is VPC Peering?](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html) in the *Amazon VPC Peering Guide*.
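
The cross-account grant in the file system resource policy above is worth reviewing before it is applied. The following is an added example, not part of the original page or of `amazon-efs-utils`: it reads a policy document and reports whether the client account can call `elasticfilesystem:DescribeMountTargets`, and flags Allow statements that use a wildcard principal or action. The helper names and the over-broad statement are constructed; Deny statements and Condition evaluation are ignored, so the result is a static reading of the policy, not an authorization decision.

```python
from fnmatch import fnmatchcase

LOOKUP = "elasticfilesystem:describemounttargets"  # IAM action names are case-insensitive

# The page's example statement, plus one constructed over-broad statement for contrast.
FS_ARN = "arn:aws:elasticfilesystem:us-east-2:111122223333:file-system/fs-12345678"
PAGE_STATEMENT = {
    "Sid": "access-point-statement-example03", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::555555555555:root"},
    "Action": "elasticfilesystem:DescribeMountTargets", "Resource": FS_ARN}
BROAD_STATEMENT = {  # constructed, not from the page
    "Sid": "constructed-too-broad", "Effect": "Allow",
    "Principal": {"AWS": "*"}, "Action": "elasticfilesystem:*", "Resource": FS_ARN}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):  # "Principal": "*"
        return [principal]
    return [str(p) for p in _as_list(principal.get("AWS", []))]


def _account_of(principal):
    # "arn:aws:iam::555555555555:root" -> "555555555555"; bare account IDs and "*" pass through.
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 else principal


def review_policy(policy, client_account):
    """Return (lookup_allowed, findings) for an EFS file system policy document."""
    lookup_allowed, findings = False, []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        accounts = [_account_of(p) for p in _principals(stmt)]
        if "*" in accounts and "Condition" not in stmt:
            findings.append(f"{sid}: wildcard principal without a Condition")
        if any("*" in a for a in actions):
            findings.append(f"{sid}: wildcard in Action")
        if (any(fnmatchcase(LOOKUP, a) for a in actions)
                and (client_account in accounts or "*" in accounts)):
            lookup_allowed = True
    return lookup_allowed, findings
```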

To ensure high availability of your file system, we recommend that you always use an EFS mount target IP address that is in the same Availability Zone as your NFS client. If you're mounting an EFS file system that is in another account, ensure that the NFS client and EFS mount target are in the same Availability Zone ID. This requirement applies because AZ names can differ from one account to another.
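
One way to apply the Availability Zone ID rule above when choosing a mount target IP address, shown as an added example that is not part of the original page or of `amazon-efs-utils`. The sample list is constructed in the shape of a `DescribeMountTargets` response, the function names are hypothetical, and the client's AZ ID is assumed to be already known (for example, from the instance metadata `placement/availability-zone-id` value).

```python
# Constructed sample shaped like the MountTargets list returned by
# DescribeMountTargets; every ID and address below is made up.
MOUNT_TARGETS = [
    {"MountTargetId": "fsmt-0aaa1111", "AvailabilityZoneName": "us-east-2a",
     "AvailabilityZoneId": "use2-az1", "IpAddress": "10.0.1.25",
     "LifeCycleState": "available"},
    {"MountTargetId": "fsmt-0bbb2222", "AvailabilityZoneName": "us-east-2b",
     "AvailabilityZoneId": "use2-az2", "IpAddress": "10.0.2.25",
     "LifeCycleState": "available"},
    {"MountTargetId": "fsmt-0ccc3333", "AvailabilityZoneName": "us-east-2c",
     "AvailabilityZoneId": "use2-az3", "IpAddress": "10.0.3.25",
     "LifeCycleState": "creating"},
]

# Constructed client view: in the client's account the name us-east-2a maps to
# a different physical zone than it does in the file system owner's account.
CLIENT_AZ_NAME = "us-east-2a"
CLIENT_AZ_ID = "use2-az2"


def pick_mount_target_ip(mount_targets, client_az_id):
    """Return the IP address of the usable mount target in the client's AZ ID.

    Raises LookupError instead of silently choosing a target in another zone.
    """
    same_zone = [mt for mt in mount_targets
                 if mt.get("AvailabilityZoneId") == client_az_id]
    if not same_zone:
        raise LookupError(f"no mount target in AZ ID {client_az_id}")
    usable = [mt for mt in same_zone if mt.get("LifeCycleState") == "available"]
    if not usable:
        states = ", ".join(mt.get("LifeCycleState", "?") for mt in same_zone)
        raise LookupError(f"mount target in {client_az_id} is not available ({states})")
    return usable[0]["IpAddress"]


def ip_by_az_name(mount_targets, az_name):
    """Name-based lookup, kept only to show why it is wrong across accounts."""
    for mt in mount_targets:
        if mt.get("AvailabilityZoneName") == az_name:
            return mt["IpAddress"]
    return None
```

With the constructed data, matching on the AZ name returns `10.0.1.25`, which is in a different physical zone from the client, while matching on the AZ ID returns `10.0.2.25`.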

**To mount an EFS file system in another VPC using IAM or an access point**

1. Connect to your EC2 instance. For more information, see [Connect to your EC2 instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect.html) in the *Amazon EC2 User Guide*.

1. Create a directory for mounting the file system using the following command.

   ```
   $ sudo mkdir /mnt/efs
   ```

1. To mount the file system using IAM authorization, use the following command:

   ```
   $ sudo mount -t efs -o tls,iam file-system-dns-name /mnt/efs/
   ```

   For more information about using IAM authorization with EFS, see [Using IAM to control access to file systems](iam-access-control-nfs-efs.md).

   To mount the file system using an EFS access point, use the following command:

   ```
   $ sudo mount -t efs -o tls,accesspoint=access-point-id file-system-dns-name /mnt/efs/
   ```

   For more information about EFS access points, see [Working with access points](efs-access-points.md).

## Mounting EFS file systems from a different AWS Region


If you are mounting your EFS file system from another VPC that is in a different AWS Region than the file system, you need to edit the `efs-utils.conf` file. In `/dist/efs-utils.conf`, locate the following line:

```
#region = us-east-1
```

Uncomment the line and, if the file system is not in `us-east-1`, replace the value with the ID of the Region in which the file system is located.