

# Replicating EFS file systems

For expanded resilience and data protection, you can replicate your EFS file system in an AWS Region. When you enable replication on an EFS file system, Amazon EFS automatically and transparently replicates the data and metadata on the source file system to a destination file system. In the event of a disaster or when performing game day exercises, you can fail over to your replica file system. To resume operations, you can then fail back to the primary file system. 

To manage the process of creating the destination file system and keeping it synced with the source file system, Amazon EFS uses a *replication configuration*. 

After you create the replication configuration, Amazon EFS automatically keeps the source and destination file systems synchronized. Changes made to the source file system are not transferred to the destination file system in a point-in-time consistent manner. Instead they're transferred based on the **Last synced time** for the replication. The **Last synced time** indicates when the last successful sync between the source and destination was completed. Changes made to your source file system as of the last synced time are replicated to the destination file system, while changes made to the source file system after the last synced time may not be replicated. For more information, see [Viewing replication details](monitoring-replication-status.md).

Replication is available in all AWS Regions in which Amazon EFS is available. To replicate an EFS file system in a Region that is disabled by default, you must first opt in to the Region. For more information, see [Specify which AWS Regions your account can use](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html#rande-manage-enable) in the *AWS General Reference Guide*. If you opt out of a Region later, Amazon EFS pauses all replication activities for the Region. To resume replication activities for the Region, opt in to the AWS Region again. 

**Note**  
Replication does not support using tags for attribute-based access control (ABAC).

**Topics**
+ [Costs](#efs-replication-costs)
+ [Replication performance](#efs-replication-performance)
+ [Required IAM permissions](#efs-replication-permissions)
+ [Configuring replication to new EFS file system](create-replication.md)
+ [Configuring replication to an existing EFS file system](replicate-existing-destination.md)
+ [Replicating EFS file systems across AWS accounts](cross-account-replication.md)
+ [Viewing replication details](monitoring-replication-status.md)
+ [Deleting replication configurations](delete-replications.md)
+ [Using the replica](replication-fail-over.md)

## Costs


To facilitate replication, Amazon EFS creates hidden directories and metadata on the destination file system. These equate to approximately 12 mebibytes (MiB) of metered data for which you are billed. For more information about metering file system storage, see [How Amazon EFS reports file system and object sizes](metered-sizes.md).

## Replication performance


When you create new replications or reverse the direction of existing replications during the failback process, Amazon EFS performs an initial sync, which includes a series of one-time setup actions to support the replication. Replicated data is accessible in the destination file system only after the initial sync completes. The amount of time that the initial sync takes to finish depends on factors such as the size of the source file system and the number of files in it. 

After the initial replication is finished, Amazon EFS maintains a Recovery Point Objective (RPO) of 15 minutes for most file systems. However, if the source file system has files that change very frequently and has either more than 100 million files or files that are larger than 100 GB, replication may take longer than 15 minutes. For information about monitoring when the last replication successfully finished, see [Viewing replication details](monitoring-replication-status.md).

You can monitor when the last successful sync occurred using the console, the AWS Command Line Interface (AWS CLI), the API, and Amazon CloudWatch. In CloudWatch, use the [TimeSinceLastSync](efs-metrics.md) EFS metric. For more information, see [Viewing replication details](monitoring-replication-status.md).
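The following added example (not part of the original AWS documentation) checks the output of `aws efs describe-replication-configurations` against the 15-minute RPO described above. It assumes the response carries a `Replications` list whose destinations report `Status` and `LastReplicatedTimestamp`; the sample response and its file system IDs are constructed.

```python
from datetime import datetime, timedelta, timezone

RPO = timedelta(minutes=15)  # RPO this page states for most file systems


def parse_timestamp(value):
    """Return an aware datetime for an epoch number or an ISO 8601 string.

    The CLI responses on this page show CreationTime in both forms, so the
    same handling is applied to LastReplicatedTimestamp."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def replication_findings(response, now, rpo=RPO):
    """Return (source_id, destination_id, code) tuples for replicas needing attention.

    NOT_ENABLED       - destination status is anything other than ENABLED
    NO_COMPLETED_SYNC - no sync has finished, so replica data is not yet accessible
    RPO_EXCEEDED      - last successful sync is older than the RPO
    """
    findings = []
    for replication in response.get("Replications", []):
        source_id = replication.get("SourceFileSystemId")
        for dest in replication.get("Destinations", []):
            dest_id = dest.get("FileSystemId")
            if dest.get("Status") != "ENABLED":
                findings.append((source_id, dest_id, "NOT_ENABLED"))
            last = dest.get("LastReplicatedTimestamp")
            if last is None:
                findings.append((source_id, dest_id, "NO_COMPLETED_SYNC"))
            elif now - parse_timestamp(last) > rpo:
                findings.append((source_id, dest_id, "RPO_EXCEEDED"))
    return findings


# Constructed sample data: one healthy replica, one stale replica, one in initial sync.
NOW = datetime(2024, 10, 20, 20, 40, 13, tzinfo=timezone.utc)
SAMPLE_RESPONSE = {
    "Replications": [
        {"SourceFileSystemId": "fs-0123456789abcdef1",
         "Destinations": [{"Status": "ENABLED",
                           "FileSystemId": "fs-0123456789abcde22",
                           "Region": "eu-west-2",
                           "LastReplicatedTimestamp": "2024-10-20T20:35:00+00:00"}]},
        {"SourceFileSystemId": "fs-0aaaaaaaaaaaaaaa1",
         "Destinations": [{"Status": "ENABLED",
                           "FileSystemId": "fs-0bbbbbbbbbbbbbbb2",
                           "Region": "eu-west-2",
                           # epoch-seconds form, 40 minutes before NOW
                           "LastReplicatedTimestamp": (NOW - timedelta(minutes=40)).timestamp()}]},
        {"SourceFileSystemId": "fs-0ccccccccccccccc3",
         "Destinations": [{"Status": "ENABLING",
                           "FileSystemId": "fs-0ddddddddddddddd4",
                           "Region": "us-west-2"}]},
    ]
}

if __name__ == "__main__":
    for finding in replication_findings(SAMPLE_RESPONSE, NOW):
        print(finding)
```

In practice, pass the parsed JSON from the CLI and `datetime.now(timezone.utc)` as `now`.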

## Required IAM permissions


Amazon EFS uses either the EFS service-linked role named `AWSServiceRoleForAmazonElasticFileSystem` or the IAM role that you specify to synchronize replication between the source and destination file systems. To provide an IAM role, the IAM user or role creating the replication configuration must have `iam:PassRole` permission. For more information, see [Grant a user permissions to pass a role to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html) in the *AWS Identity and Access Management User Guide*.
+ For more information about the `iam:CreateServiceLinkedRole` permission, see the example in [Using service-linked roles for Amazon EFS](using-service-linked-roles.md).
+ For more information about a custom IAM role, see [Create an IAM role with a custom trust policy](cross-account-replication.md#replication-create-iam-role).

**Note**  
If you are performing cross-account replication, then you must provide an IAM role when you create the replication configuration. Using the service-linked role is not permitted. For more information, see [Replicating EFS file systems across AWS accounts](cross-account-replication.md).

The service-linked role or IAM role that you provide when creating the replication configuration must have the following permissions for replication.
+ `elasticfilesystem:DescribeFileSystems`
+ `elasticfilesystem:CreateFileSystem`
+ `elasticfilesystem:CreateReplicationConfiguration`
+ `elasticfilesystem:DeleteReplicationConfiguration`
+ `elasticfilesystem:DescribeReplicationConfigurations`

You can use the `AmazonElasticFileSystemFullAccess` managed policy to automatically get all required EFS permissions. For more information, see [AWS managed policy: AmazonElasticFileSystemFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AmazonElasticFileSystemFullAccess).

# Configuring replication to new EFS file system

Amazon EFS automatically creates a new file system and copies the data and metadata on the source file system to a new read-only destination file system in the AWS Region that you choose. When you replicate to a new file system, you choose the file system type and the AWS Key Management Service (AWS KMS) key to use for encryption. Additionally, Amazon EFS does not create any mount targets when it creates the destination file system. After you create the replication configuration, you must [create one or more mount targets](accessing-fs.md) to [mount a destination file system](efs-mount-helper.md).

**Note**  
A file system can be part of only one replication configuration. You cannot use a destination file system as the source file system in another replication configuration.
+ **File system type** – The file system type determines the availability and durability with which the Amazon EFS file system stores data within an AWS Region.
  + Choose **Regional** to create a file system that stores data and metadata redundantly across all Availability Zones within the AWS Region.
  + Choose **One Zone** to create a file system that stores data and metadata redundantly within a single Availability Zone.

  For more information about file system types, see [EFS file system types](features.md#file-system-type).
+ **Encryption** – All destination file systems are created with encryption at rest enabled. You can specify the AWS KMS key that is used to encrypt the destination file system. If you don't specify a KMS key, your service-managed KMS key for Amazon EFS is used. 
**Important**  
After the destination file system is created, you cannot change the KMS key.

The destination file system is created with default settings based on your source file system. Additional settings can be changed after creation.
+ **Automatic backups** – For destination file systems using One Zone storage, automatic backups are enabled by default. After the file system is created, you can change the automatic backup setting. For more information, see [Managing automatic backups of EFS file systems](automatic-backups.md).
+ **Performance mode** – The destination file system's **Performance mode** matches that of the source file system, unless the destination file system uses One Zone storage. In that case, the **General Purpose** mode is used. The performance mode cannot be changed.
+ **Throughput mode** – The destination file system's **Throughput mode** matches that of the source file system. After the file system is created, you can change the mode.

  If the source file system's throughput mode is **Provisioned**, then the destination file system's provisioned throughput amount matches that of the source file system, unless the source file system's provisioned amount exceeds the limit for the destination file system's Region. If the source file system's provisioned amount exceeds the Region limit for the destination file system, then the destination file system's provisioned throughput amount is the Region limit. For more information, see [Amazon EFS quotas that you can increase](limits.md#soft-limits).
+ **Lifecycle management** – Lifecycle management is not enabled on the destination file system. After the destination file system is created, you can enable it. For more information, see [Managing storage lifecycle](lifecycle-management-efs.md).

## Step 1: Create the replication configuration


The first step in replicating to a new file system is to create the replication configuration. Data replicated to the destination file system is accessible only after the initial sync completes. The initial sync duration depends on factors such as the size of the source file system and the number of files in it. For more information about replication performance, see [Replication performance](efs-replication.md#efs-replication-performance).

### Using the console


1. Sign in to the AWS Management Console and open the Amazon EFS console at [https://console.aws.amazon.com/efs/](https://console.aws.amazon.com/efs/).

1. Open the file system that you want to replicate:

   1. In the left navigation pane, choose **File systems**.

   1. In the **File systems** list, choose the file system that you want to replicate. The file system that you choose cannot be a source or destination file system in an existing replication configuration.

1. Choose the **Replication** tab.

1. In the **Replication** section, choose **Create replication**.

1. In the **Replication settings** section, define the replication settings:

   1. For **Replication configuration**, choose whether to replicate to a new or existing file system. 

   1. For **Destination AWS Region**, choose the AWS Region in which to replicate the file system.

1. In the **Destination file system settings** section, define the destination file system settings. 

   1. For **File system type**, choose a storage option for the file system:
      + To create a file system that stores data redundantly across multiple geographically separated Availability Zones within an AWS Region, choose **Regional**. 
      + To create a file system that stores data redundantly within a single Availability Zone in an AWS Region, choose **One Zone**, and then select the Availability Zone. 

        For more information, see [EFS file system types](features.md#file-system-type).
**Note**  
One Zone file systems are not available in all Availability Zones in the AWS Regions where Amazon EFS is available.

   1. For **Encryption**, encryption of data at rest is automatically enabled on the destination file system. By default, Amazon EFS uses your AWS Key Management Service (AWS KMS) service key (`aws/elasticfilesystem`). To use a different KMS key, choose the KMS key or enter the key's Amazon Resource Name (ARN). 
**Important**  
After the file system is created, you cannot change the KMS key.

### Create the replication configuration (AWS CLI)


This section provides examples for creating a replication configuration in the AWS CLI using the `create-replication-configuration` command. The equivalent API command is [CreateReplicationConfiguration](API_CreateReplicationConfiguration.md). 

**Example: Create a replication configuration for a Regional destination file system**  
The following example creates a replication configuration for the file system `fs-0123456789abcdef1`. The example uses the `Region` parameter to create a destination file system in the `eu-west-2` AWS Region. The `KmsKeyId` parameter specifies the KMS key ID to use when encrypting the destination file system:  

```
aws efs create-replication-configuration \
--source-file-system-id fs-0123456789abcdef1 \
--destinations "[{\"Region\":\"eu-west-2\", \"KmsKeyId\":\"arn:aws:kms:us-east-2:111122223333:key\/abcd1234-ef56-ab78-cd90-1111abcd2222\"}]"
```
The AWS CLI responds as follows:  

```
{
    "SourceFileSystemArn": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0123456789abcdef1", 
    "SourceFileSystemRegion": "us-east-1", 
    "Destinations": [
        {
            "Status": "ENABLING", 
            "FileSystemId": "fs-0123456789abcde22", 
            "Region": "eu-west-2"
        }
    ], 
    "SourceFileSystemId": "fs-0123456789abcdef1", 
    "CreationTime": 1641491892.0, 
    "OriginalSourceFileSystemArn": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0123456789abcdef1"
}
```

**Example: Create a replication configuration for a One Zone destination file system**  
The following example creates a replication configuration for the file system *`fs-0123456789abcdef1`*. The example uses the `AvailabilityZoneName` parameter to create a One Zone destination file system in the `us-west-2a` Availability Zone. Because no KMS key is specified, the destination file system is encrypted using the account's default AWS KMS service key (`aws/elasticfilesystem`).  

```
aws efs create-replication-configuration \
--source-file-system-id fs-0123456789abcdef1 \
--destinations AvailabilityZoneName=us-west-2a
```

## Step 2: Mount the destination file system


Amazon EFS does not create any mount targets when it creates the destination file system. To mount the destination file system, you must create one or more mount targets. For more information, see [Mounting EFS file systems](mounting-fs.md). 

# Configuring replication to an existing EFS file system

Amazon EFS replicates the data and metadata on the source file system to the destination file system and AWS Region that you choose. During replication, Amazon EFS identifies data differences between the file systems and applies the differences to the destination file system. 



To replicate to an existing file system, perform the following steps. 

**Topics**
+ [Step 1: Disable the file system's replication overwrite protection](#replication-overwrite)
+ [Step 2: Create the replication configuration](#replicate-existing-step)

**Note**  
A file system can be part of only one replication configuration. You cannot use a destination file system as the source file system in another replication configuration.

## Step 1: Disable the file system's replication overwrite protection


When you create an Amazon EFS file system, its replication overwrite protection is enabled by default. Replication overwrite protection prevents the file system from being used as the destination in a replication configuration. Before you can use the file system as the destination in a replication configuration, you must disable the protection. If you delete the replication configuration, the file system's replication overwrite protection is re-enabled and the file system becomes writeable. 

The status of the replication overwrite protection for an Amazon EFS file system can have one of the values described in the following table.


| File system state  | Description | 
| --- | --- | 
| ENABLED | The file system cannot be used as the destination file system in a replication configuration. The file system is writeable. Replication overwrite protection is ENABLED by default. | 
| DISABLED | The file system can be used as the destination file system in a replication configuration.  | 
| REPLICATING | The file system is being used as the destination file system in a replication configuration. The file system is read-only and is modified only by Amazon EFS during replication. | 

### Required permission


Disabling replication overwrite protection requires permissions for the `elasticfilesystem:UpdateFileSystemProtection` action. For more information, see [AWS managed policy: AmazonElasticFileSystemFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AmazonElasticFileSystemFullAccess). 

### Using the console
**To disable replication overwrite protection**

1. Sign in to the AWS Management Console and open the Amazon EFS console at [https://console.aws.amazon.com/efs/](https://console.aws.amazon.com/efs/).

1. In the left navigation pane, choose **File systems**.

1. In the **File systems** list, choose the Amazon EFS file system that you want to use as the destination file system in a replication configuration.

1. In the **File system protection** section, turn off **Replication Overwrite Protection**.

### To disable replication overwrite protection (AWS CLI)

In the following example, the `update-file-system-protection` CLI command disables the replication overwrite protection for the specified file system. The equivalent API command is [UpdateFileSystemProtection](https://docs.aws.amazon.com/efs/latest/ug/limits.html#API_UpdateFileSystemProtection). 

```
aws efs update-file-system-protection \
 --file-system-id fs-0a8b2be428114d97c \
 --replication-overwrite-protection DISABLED
```

The AWS CLI responds as follows.

```
{
    "ReplicationOverwriteProtection": "DISABLED"
}
```

## Step 2: Create the replication configuration


After you disable replication overwrite protection on the destination file system, you can create the replication configuration. When replicating to an existing file system, the destination file system can be in the same account or in a different account than the source file system.

Before creating a replication configuration for Amazon EFS, review the following important requirements and considerations:
+ If the source file system is encrypted, then the destination file system must also be encrypted. Additionally, if the source file system is unencrypted and the destination file system is encrypted, then you cannot fail back to the source file system after performing failover. For more information about encryption, see [Data encryption in Amazon EFS](encryption.md).
+ When you initially configure replication to an existing file system, Amazon EFS writes data to or removes existing data from the destination file system to match data in the source file system. If you don't want to change data in the destination file system, then you should replicate to a new file system instead. For more information, see [Configuring replication to new EFS file system](create-replication.md).
+ Data replicated to the destination file system is accessible only after the initial sync completes. The sync duration depends on factors such as the size of the source file system and the number of files in it. For more information about replication performance, see [Replication performance](efs-replication.md#efs-replication-performance).
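The requirements above can be checked before running `create-replication-configuration`. The following is an added example, not part of the original AWS documentation; it assumes file system descriptions shaped like `aws efs describe-file-systems` output (fields `Encrypted` and `FileSystemProtection.ReplicationOverwriteProtection`), same-account replication, and constructed sample data.

```python
def _replication_members(replications):
    """IDs of every file system that is already a source or a destination."""
    members = set()
    for rep in replications:
        members.add(rep.get("SourceFileSystemId"))
        members.update(d.get("FileSystemId") for d in rep.get("Destinations", []))
    return members


def preflight(source, destination, replications=()):
    """Return (blockers, warnings) for replicating source -> existing destination.

    source / destination: file system descriptions from describe-file-systems.
    replications: entries from describe-replication-configurations.
    """
    blockers, warnings = [], []

    # Step 1 on this page: overwrite protection is ENABLED by default and
    # must be DISABLED before the file system can become a destination.
    protection = destination.get("FileSystemProtection", {}).get(
        "ReplicationOverwriteProtection", "ENABLED")
    if protection == "ENABLED":
        blockers.append("OVERWRITE_PROTECTION_ENABLED")
    elif protection == "REPLICATING":
        blockers.append("DESTINATION_ALREADY_REPLICATING")

    # A file system can be part of only one replication configuration.
    members = _replication_members(replications)
    for role, fs in (("SOURCE", source), ("DESTINATION", destination)):
        if fs["FileSystemId"] in members:
            blockers.append(f"{role}_IN_EXISTING_REPLICATION")

    # Encrypted source requires an encrypted destination; the reverse pairing
    # is allowed but rules out failing back after a failover.
    if source.get("Encrypted") and not destination.get("Encrypted"):
        blockers.append("DESTINATION_NOT_ENCRYPTED")
    elif destination.get("Encrypted") and not source.get("Encrypted"):
        warnings.append("NO_FAILBACK_TO_UNENCRYPTED_SOURCE")

    return blockers, warnings


# Constructed sample descriptions (only the fields the checks read).
ENCRYPTED_SOURCE = {"FileSystemId": "fs-0123456789abcdef1", "Encrypted": True}
PLAIN_SOURCE = {"FileSystemId": "fs-0123456789abcdef1", "Encrypted": False}
READY_DEST = {
    "FileSystemId": "fs-0a8b2be428114d97c",
    "Encrypted": True,
    "FileSystemProtection": {"ReplicationOverwriteProtection": "DISABLED"},
}
UNREADY_DEST = {
    "FileSystemId": "fs-0a8b2be428114d97c",
    "Encrypted": False,
    "FileSystemProtection": {"ReplicationOverwriteProtection": "ENABLED"},
}
EXISTING_REPLICATIONS = [
    {"SourceFileSystemId": "fs-0123456789abcdef1",
     "Destinations": [{"FileSystemId": "fs-0123456789abcde22"}]},
]

if __name__ == "__main__":
    print(preflight(ENCRYPTED_SOURCE, READY_DEST))
    print(preflight(ENCRYPTED_SOURCE, UNREADY_DEST))
    print(preflight(PLAIN_SOURCE, READY_DEST, EXISTING_REPLICATIONS))
```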

### Prerequisites


Have a copy of the destination file system ID (for same-account replication) or the destination file system ARN (for cross-account replication) that you want to use. 

If the destination file system is in a different AWS account than the source file system, create an IAM role that allows Amazon EFS to perform replication and assign resource policies to the file systems. For more information, see [Replicating EFS file systems across AWS accounts](cross-account-replication.md).

### Using the console


1. Sign in to the AWS Management Console and open the Amazon EFS console at [https://console.aws.amazon.com/efs/](https://console.aws.amazon.com/efs/).

1. Open the file system that you want to replicate:

   1. In the left navigation pane, choose **File systems**.

   1. In the **File systems** list, choose the Amazon EFS file system that you want to replicate. The file system that you choose cannot be a source or destination file system in an existing replication configuration.

1. Choose the **Replication** tab. 

1. In the **Replication** section, choose **Create replication**.

1. For **Replication configuration**, choose existing file system. 

1. Choose the destination file system.
   + To replicate to a file system that's in the same AWS account as the source file system:

     1. Select **Choose a file system in this account** and, for **Destination AWS Region**, select the AWS Region to which to replicate the file system.

     1. Choose **Browse EFS**, and then select the file system. The path to your destination file system appears in the **Destination** box.
   + To replicate to a file system that’s in a different AWS account than the source file system:

     1. Choose **Specify a file system in another account**.

     1. For **Destination file system ARN**, enter the Amazon Resource Name (ARN) of the destination file system. 
**Note**  
If replication overwrite protection is enabled on the file system, then a warning displays. Choose **Disable protection** to open the file system in a new tab and turn off its **Replication overwrite protection**. After disabling the protection, return to the **Create replication** tab and click the **Refresh** button to clear the message.

1. For **IAM role**, enter the ARN of the IAM role that allows Amazon EFS to replicate to the destination file system. This is optional for same-account replication, but required for cross-account replication. For more information, see [Replicating EFS file systems across AWS accounts](cross-account-replication.md).

1. Choose **Create replication**, type **confirm** in the confirmation message input box, and then choose **Create replication**. The **Replication** section shows the replication details.

### To create the replication configuration (AWS CLI)


This section provides examples for creating a replication configuration in the AWS CLI using the `create-replication-configuration` command. The equivalent API command is [CreateReplicationConfiguration](API_CreateReplicationConfiguration.md). 

**Example: Create a replication configuration to an existing destination file system in another Region**  
The following example creates a replication configuration where the file system ID `fs-0123456789abcdef1` is replicated to file system ID `fs-0a8b2be428114d97c` in the `eu-west-2` AWS Region.   

```
aws efs create-replication-configuration \
--source-file-system-id fs-0123456789abcdef1 \
--destinations "[{\"Region\":\"eu-west-2\",\"FileSystemId\":\"fs-0a8b2be428114d97c\"}]"
```
The AWS CLI responds as follows:  

```
{
    "SourceFileSystemId": "fs-0123456789abcdef1",
    "SourceFileSystemRegion": "us-east-1",
    "SourceFileSystemArn": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0123456789abcdef1",
    "OriginalSourceFileSystemArn": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0123456789abcdef1",
    "CreationTime": "2024-10-20T20:40:13+00:00",
    "Destinations": [
        {
            "Status": "ENABLING",
            "FileSystemId": "fs-0a8b2be428114d97c",
            "Region": "eu-west-2",
            "OwnerId": "123456789012"
        }
    ],
    "SourceFileSystemOwnerId": "123456789012"
}
```

**Example: Create a cross-account replication configuration**  
The following example creates a replication configuration where the source and destination file systems are in different AWS accounts. The source file system ID *`fs-0123456789abcdef1`* in account *555666777888* is replicated to file system ID *`fs-0a8b2be428114d97c`* in account *123456789012*. The example specifies the Amazon Resource Name (ARN) of the destination file system and the ARN of the IAM role in the source account that allows Amazon EFS to perform replication on its behalf. Because no KMS key is specified, the destination file system is encrypted using the account's default AWS KMS service key (`aws/elasticfilesystem`).  

```
aws efs \
--region $REGION \
--endpoint $ENDPOINT create-replication-configuration \
--source-file-system-id fs-0123456789abcdef1 \
--destinations Region=eu-west-2,FileSystemId=arn:aws:elasticfilesystem:eu-west-2:123456789012:file-system/fs-0a8b2be428114d97c,RoleArn=arn:aws:iam::555666777888:role/cross-account-replication
```
The AWS CLI responds as follows:  

```
{
    "SourceFileSystemId": "fs-0123456789abcdef1",
    "SourceFileSystemRegion": "us-east-1",
    "SourceFileSystemArn": "arn:aws:elasticfilesystem:us-east-1:555666777888:file-system/fs-0123456789abcdef1",
    "OriginalSourceFileSystemArn": "arn:aws:elasticfilesystem:us-east-1:555666777888:file-system/fs-0123456789abcdef1",
    "CreationTime": "2024-10-20T20:40:13+00:00",
    "Destinations": [
        {
            "Status": "ENABLING",
            "FileSystemId": "fs-0a8b2be428114d97c",
            "Region": "eu-west-2",
            "OwnerId": "123456789012",
            "RoleArn": "arn:aws:iam::555666777888:role/cross-account-replication"
        }
    ],
    "SourceFileSystemOwnerId": "555666777888"
}
```

# Replicating EFS file systems across AWS accounts

You can replicate EFS file systems across AWS accounts. Replicating across accounts enhances the overall resilience and reliability of your disaster recovery (DR) strategies and can help you meet corporate compliance mandates.

For example, you might be required by compliance policies to use different accounts for different environments (such as production, staging, and disaster recovery (DR)). Or you may find that replication across different AWS accounts provides stronger isolation, more granular control over permissions and access policies, and more straightforward auditing of resources. If the production account is compromised (such as by security breaches, misconfiguration, or insider threats), having the DR servers in a separate account can prevent the attacker from accessing them, reduce the blast radius of security incidents, and minimize the risk of unauthorized changes. 

Replicating across AWS accounts requires additional security and policy setup. Instead of using service-linked roles to perform cross-account replication, you must create an IAM role that gives Amazon EFS permission to perform replication in the destination account. You also need to create policies on the file systems that you want to share across accounts. After the IAM role and file system policies are created, you create the replication configuration.

**Topics**
+ [Create an IAM role with a custom trust policy](#replication-create-iam-role)
+ [Create policies on the source and destination file systems](#replication-assign-fs-policies)
+ [Create the replication configuration](#xar-create-replication-configuration)

## Create an IAM role with a custom trust policy

For Amazon EFS to perform cross-account replication on the source account’s behalf, an IAM role must be created on the source account. The role must have the `elasticfilesystem.amazonaws.com` trust policy to allow Amazon EFS to assume the role and act as the service principal. The role must contain all of the IAM permissions required to perform replication (see [Required IAM permissions](efs-replication.md#efs-replication-permissions)) and grant explicit permission to replicate to the file system in the destination account. 

### Prerequisites


You must create both the source file system and the destination file system in the replication configuration before you can create the IAM role for the source account. Amazon EFS cannot create the destination file system for you during replication. Additionally, you must know and provide the Amazon Resource Name (ARN) for each file system. 

**To create the IAM role for cross-account replication**

The following are the general steps for creating an IAM role with custom trust policies for cross-account replication with Amazon EFS. For step-by-step instructions for creating an IAM role, see [Create a role using custom trust policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) in the *AWS Identity and Access Management User Guide*.

1. In the AWS Identity and Access Management console for the source account, create an IAM role that uses the following trust policy. For instructions, see [Create a role using custom trust policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) in the *AWS Identity and Access Management User Guide*.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": "elasticfilesystem.amazonaws.com"
               },
               "Action": "sts:AssumeRole"
           }
       ]
   }
   ```


1. After you create the role, assign the following permissions for the role. Replace `arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0123456789abcdef1` with the ARN of the destination file system and replace `arn:aws:elasticfilesystem:us-east-1:444455556666:file-system/fs-5678910112hijkqr1` with the ARN of the source file system. For instructions on assigning permissions to the role, see [Creating policies using the JSON editor](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html#access_policies_create-json-editor).

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action":[
                   "elasticfilesystem:DescribeFileSystems",
                   "elasticfilesystem:CreateReplicationConfiguration",
                   "elasticfilesystem:DescribeReplicationConfigurations",
                   "elasticfilesystem:DeleteReplicationConfiguration",
                   "elasticfilesystem:ReplicationWrite"
               ],
               "Resource": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0123456789abcdef1"
           },
           {
               "Effect": "Allow",
               "Action": [
                   "elasticfilesystem:ReplicationRead",
                   "elasticfilesystem:DescribeFileSystems"
               ],
               "Resource": "arn:aws:elasticfilesystem:us-east-1:444455556666:file-system/fs-5678910112hijkqr1"
           }
       ]
   }
   ```


1. Copy or write down the ARN for the IAM role. You need to provide the ARN when you create the replication configuration.
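Before passing the role to Amazon EFS, you can check that it stays as narrow as the two policies above. The following is an added example, not part of the original AWS documentation: the function names and finding codes are hypothetical, the expected action sets are copied from the policies in steps 1 and 2, and the loosened policies are constructed samples.

```python
EFS_SERVICE = "elasticfilesystem.amazonaws.com"
P = "elasticfilesystem:"
# Action sets copied from the role permissions policy in step 2.
DEST_ACTIONS = {P + a for a in (
    "DescribeFileSystems", "CreateReplicationConfiguration",
    "DescribeReplicationConfigurations", "DeleteReplicationConfiguration",
    "ReplicationWrite")}
SOURCE_ACTIONS = {P + a for a in ("ReplicationRead", "DescribeFileSystems")}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement", []))
            if s.get("Effect") == "Allow"]


def audit_trust_policy(trust):
    """Flag any principal other than the EFS service, or a missing EFS trust."""
    findings, efs_trusted = [], False
    for stmt in _allow_statements(trust):
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # for example "Principal": "*"
            findings.append(f"TRUST_NON_SERVICE_PRINCIPAL:{principal}")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind == "Service" and value == EFS_SERVICE:
                    if "sts:AssumeRole" in _as_list(stmt.get("Action", [])):
                        efs_trusted = True
                else:
                    findings.append(f"TRUST_UNEXPECTED_PRINCIPAL:{kind}={value}")
    if not efs_trusted:
        findings.append("TRUST_MISSING_EFS_SERVICE")
    return findings


def audit_role_permissions(policy, source_arn, dest_arn):
    """Compare Allow statements with the per-file-system action sets.

    MISSING_ON_* means the action is not granted on that exact ARN; a grant
    on "*" or on another ARN is reported as RESOURCE_OUT_OF_SCOPE instead.
    """
    expected = {source_arn: SOURCE_ACTIONS, dest_arn: DEST_ACTIONS}
    granted = {source_arn: set(), dest_arn: set()}
    findings = []
    for stmt in _allow_statements(policy):
        actions = _as_list(stmt.get("Action", []))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource not in granted:
                findings.append(f"RESOURCE_OUT_OF_SCOPE:{resource}")
                continue
            granted[resource].update(actions)
    for arn, label in ((source_arn, "SOURCE"), (dest_arn, "DESTINATION")):
        for action in sorted(expected[arn] - granted[arn]):
            findings.append(f"MISSING_ON_{label}:{action}")
        for action in sorted(granted[arn] - expected[arn]):
            findings.append(f"EXTRA_ON_{label}:{action}")
    return findings


# Placeholder ARNs as used on this page.
SOURCE_ARN = "arn:aws:elasticfilesystem:us-east-1:444455556666:file-system/fs-5678910112hijkqr1"
DEST_ARN = "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0123456789abcdef1"
# The two policies from steps 1 and 2, rebuilt as Python dicts.
PAGE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": EFS_SERVICE},
     "Action": "sts:AssumeRole"}]}
PAGE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(DEST_ACTIONS), "Resource": DEST_ARN},
    {"Effect": "Allow", "Action": sorted(SOURCE_ACTIONS), "Resource": SOURCE_ARN}]}
# Constructed, deliberately over-broad variants for comparison.
LOOSE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"Service": [EFS_SERVICE, "ec2.amazonaws.com"], "AWS": "*"},
     "Action": "sts:AssumeRole"}]}
LOOSE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "elasticfilesystem:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(audit_trust_policy(LOOSE_TRUST))
    print(audit_role_permissions(LOOSE_ROLE_POLICY, SOURCE_ARN, DEST_ARN))
```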

## Create policies on the source and destination file systems


To share file systems cross-account in Amazon EFS, you must assign policies to both the destination and source file systems. The policies grant or restrict access across accounts to the file system to which they are applied. Only account owners with permission to edit file systems can assign policies to the file system in their account. 

In addition to granting or restricting access across accounts, the policies need to grant other permissions required for clients to work with the file systems, such as `elasticfilesystem:ClientMount`. Otherwise, the file system might be inaccessible to clients. 

**Important**  
You cannot restrict access to resources over a TLS connection. If you include the `"aws:SecureTransport": "false"` condition in your statement, the NFS client connection will fail.

### Policy for the destination file system

To allow the source account permission to replicate to the destination file system and to delete the replication configuration from the destination account, the following policy must be created on the destination file system. Replace `arn:aws:iam::444455556666:root` with the ID of the account that owns the source file system. Replace `arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0123456789abcdef1` with the ARN of the destination file system.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSourceAccountReplicationActions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::444455556666:root"
      },
      "Action": [
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:CreateReplicationConfiguration",
        "elasticfilesystem:DescribeReplicationConfigurations",
        "elasticfilesystem:DeleteReplicationConfiguration",
        "elasticfilesystem:ReplicationWrite"
      ],
      "Resource": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0123456789abcdef1"
    },
    {
      "Sid": "AllowReadOnlyClientAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/EfsReadOnly"
      },
      "Action": [
        "elasticfilesystem:ClientMount"
      ],
      "Resource": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0123456789abcdef1"
    }
  ]
}
```

### Policy for the source file system

To allow the destination account permission to delete the replication configuration from the source account, you must assign the following policy to the source file system. Replace `arn:aws:iam::111122223333:root` with the ID of the account that owns the destination file system. Replace `arn:aws:elasticfilesystem:us-east-1:444455556666:file-system/fs-5678910112hijkqr1` with the ARN of the source file system.

```
{  
    "Version": "2012-10-17",
    "Id": "efs-policy-wizard-15ad9567-2546-4bbb-8168-5541b6fc0e55",
    "Statement": [
        {
            "Sid": "AllowDestinationAccountToDeleteReplication",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": "elasticfilesystem:DeleteReplicationConfiguration",
            "Resource": "arn:aws:elasticfilesystem:us-east-1:444455556666:file-system/fs-5678910112hijkqr1"
        },
        {
            "Sid": "AllowClientAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:role/EfsReadOnly"
            },
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite",
                "elasticfilesystem:ClientRootAccess"
            ],
            "Resource": "arn:aws:elasticfilesystem:us-east-1:444455556666:file-system/fs-5678910112hijkqr1",
            "Condition": {
                "Bool": {
                    "elasticfilesystem:AccessedViaMountTarget": "true"
                }
            }
        }
    ]
}
```

**To create the file system policy**

Perform the following steps for both the destination and source file system, using the policies in the previous section. 

1. Sign in to the AWS Management Console with the account that owns the file system, and then open the Amazon EFS console at [Amazon EFS Console](https://console.aws.amazon.com/efs/).

1. Open the file system:

   1. In the left navigation pane, choose **File systems**.

   1. In the **File systems** list, choose the file system.

1. On the **File system policy** tab, choose **Edit**. 

1. Paste the policy in **Policy editor {JSON}** and then choose **Save**. 
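Before pasting a policy, it can be checked against the requirements stated in this section. The following is an added example, not AWS code: `audit_policy`, `as_list`, and `PEER_ACTIONS` are hypothetical names, the sample input is constructed from the source file system policy shown above, and the checks cover only what this page states (the cross-account actions, the `elasticfilesystem:ClientMount` grant, and the `aws:SecureTransport` condition).

```python
import json

# Actions the page's policies grant to the other account, keyed by file system role.
PEER_ACTIONS = {
    "destination": {
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:CreateReplicationConfiguration",
        "elasticfilesystem:DescribeReplicationConfigurations",
        "elasticfilesystem:DeleteReplicationConfiguration",
        "elasticfilesystem:ReplicationWrite",
    },
    "source": {"elasticfilesystem:DeleteReplicationConfiguration"},
}

# Constructed input: the source file system policy from this page, minus its Id and Condition.
SOURCE_ARN = "arn:aws:elasticfilesystem:us-east-1:444455556666:file-system/fs-5678910112hijkqr1"
SAMPLE_SOURCE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "AllowDestinationAccountToDeleteReplication", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
   "Action": "elasticfilesystem:DeleteReplicationConfiguration", "Resource": "%s"},
  {"Sid": "AllowClientAccess", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/EfsReadOnly"},
   "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
   "Resource": "%s"}]}
""" % (SOURCE_ARN, SOURCE_ARN))


def as_list(value):
    """Policy elements may be a single string or a list; normalize to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def audit_policy(policy, role, fs_arn, peer_account_id):
    """Return findings for an EFS file system policy; an empty list means it passed."""
    findings, granted, client_mount = [], set(), False
    peer_root = f"arn:aws:iam::{peer_account_id}:root"
    for stmt in as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        secure = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(secure).lower() == "false":
            findings.append(f"{sid}: aws:SecureTransport=false makes NFS client connections fail")
        if stmt.get("Effect") != "Allow" or fs_arn not in as_list(stmt.get("Resource")):
            continue  # only Allow statements scoped to this file system count as grants
        actions = set(as_list(stmt.get("Action")))
        principal = stmt.get("Principal", {})
        aws = as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if peer_root in aws or peer_account_id in aws:
            granted |= actions
        client_mount = client_mount or "elasticfilesystem:ClientMount" in actions
    missing = PEER_ACTIONS[role] - granted
    if missing:
        findings.append(f"account {peer_account_id} is not granted: {', '.join(sorted(missing))}")
    if not client_mount:
        findings.append("no statement allows elasticfilesystem:ClientMount")
    return findings


if __name__ == "__main__":
    print(audit_policy(SAMPLE_SOURCE_POLICY, "source", SOURCE_ARN, "111122223333"))  # []
```

The action match is exact, so a policy that grants the same permissions through a wildcard action is reported as missing them.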

## Create the replication configuration


After you have created the IAM role and added the file system policies to the source and destination file systems, follow the instructions in [Configuring replication to an existing EFS file system](replicate-existing-destination.md) to create the replication configuration.

# Viewing replication details

You can monitor the time when the last successful sync was completed in a replication configuration. Any changes to data on the source file system that occurred before this time have been successfully replicated to the destination file system. Any changes that occurred after this time might not be fully replicated. To monitor when the last replication successfully finished, you can use the Amazon EFS console, AWS CLI, API, or Amazon CloudWatch.
+ **In the EFS console** – The **Last synced** property in the **File system details** > **Replication** section shows the time when the last successful sync between the source and destination was completed.
+ **In the AWS CLI or API** – The `LastReplicatedTimestamp` property in the `Destination` object shows the time that the last successful sync was completed. To access this property, use the `describe-replication-configurations` CLI command. [DescribeReplicationConfigurations](API_DescribeReplicationConfigurations.md) is the equivalent API operation.
+ **In CloudWatch** – The `TimeSinceLastSync` CloudWatch metric for Amazon EFS shows the time that has elapsed since the last successful sync was completed. For more information, see [CloudWatch metrics for Amazon EFS](efs-metrics.md).

A replication configuration can have one of the status values described in the following table.


| Replication state  | Description | 
| --- | --- | 
|  `ENABLED`  |  The replication configuration is in a healthy state and available for use.  | 
|  `ENABLING`  |  Amazon EFS is in the process of creating the replication configuration.  | 
|  `DELETING`  |  Amazon EFS is deleting the replication configuration in response to a user-initiated delete request.  | 
|  `PAUSING`  | Amazon EFS is in the process of pausing replication. | 
|  `PAUSED`  | Replication is paused due to a problem with the configuration. Additional information about the problem is provided. Some problems that cause the replication to be paused include:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/efs/latest/ug/monitoring-replication-status.html) | 
|  `ERROR`  |  The replication configuration is in a failed state and is unrecoverable. You must delete the replication configuration and create a new one.  Additional information about the problem is provided. For cross-account or cross-Region replication, the error may be caused because the replication configuration was deleted from the other AWS account or AWS Region.   | 

## Using the console


1. Open the Amazon Elastic File System console at [https://console.aws.amazon.com/efs/](https://console.aws.amazon.com/efs/).

1. In the left navigation pane, choose **File systems**.

1. Choose a file system from the list.

1. Choose the **Replication** tab to display the **Replication** section.

   In the **Replication** section, you can see the following information for the replication configuration:
   + **Replication state** may be **Enabling**, **Enabled**, **Deleting**, **Pausing**, **Paused**, or **Error**. Amazon EFS displays details about the cause for the **Paused** or **Error** state.
   + **Replication direction** shows the direction in which data is being replicated. The first file system listed is the source, and its data is being replicated *to* the second file system listed, which is the destination.
   + **Last synced** shows when the last successful sync occurred on the destination file system. Any changes to data on the source file system that occurred before this time were successfully replicated to the destination file system. Any changes that occurred after this time might not be fully replicated.
   + **Replication file systems** lists each file system in the replication configuration by its file system ID, the role it has in the replication configuration (either source or destination), the AWS Region in which it's located, and its **Permission**. A source file system has a permission of **Writable**, and a destination file system has a permission of **Read-only**.

## Using the AWS CLI


To view a replication configuration, use the `describe-replication-configurations` command. You can view the replication configuration for either a specific file system, or all replication configurations for a particular AWS account in an AWS Region. The equivalent API command is [DescribeReplicationConfigurations](API_DescribeReplicationConfigurations.md).

If the status of the replication configuration is `PAUSED` or `ERROR`, information about the cause of the issue and how to fix it is returned in the `StatusMessage` parameter. 

**Example: View the replication configuration for a specific file system**  
The following example describes the replication configuration for the file system `fs-0123456789abcdef1`.  

```
aws efs describe-replication-configurations --file-system-id fs-0123456789abcdef1
```
The AWS CLI responds as follows.  

```
{
    "Replications": [
        {
            "SourceFileSystemArn": "arn:aws:elasticfilesystem:eu-west-1:111122223333:file-system/fs-abcdef0123456789a", 
            "CreationTime": 1641491892.0,
            "SourceFileSystemRegion": "eu-west-1", 
            "OriginalSourceFileSystemArn": "arn:aws:elasticfilesystem:eu-west-1:111122223333:file-system/fs-abcdef0123456789a", 
            "SourceFileSystemId": "fs-abcdef0123456789a", 
            "Destinations": [
                {
                    "Status": "ENABLED", 
                    "FileSystemId": "fs-0123456789abcdef1", 
                    "Region": "us-east-1"
                }
            ]
        }
    ]
}
```

**Example: View all the replication configurations in an account**  
The following example describes all the replication configurations for an account in an AWS Region.  

```
aws efs describe-replication-configurations
```
The AWS CLI responds as follows.  

```
{
    "Replications": [
        {
            "SourceFileSystemArn": "arn:aws:elasticfilesystem:eu-west-1:555555555555:file-system/fs-0123456789abcdef1", 
            "CreationTime": 1641491892.0, 
            "SourceFileSystemRegion": "eu-west-1", 
            "OriginalSourceFileSystemArn": "arn:aws:elasticfilesystem:eu-west-1:555555555555:file-system/fs-0123456789abcdef1", 
            "SourceFileSystemId": "fs-0123456789abcdef1", 
            "Destinations": [
                {
                    "Status": "ENABLED", 
                    "FileSystemId": "fs-abcdef0123456789a", 
                    "Region": "us-east-1",
                    "LastReplicatedTimestamp": 1641491802.375
                }
            ]
        }, 
        {
            "SourceFileSystemArn": "arn:aws:elasticfilesystem:eu-west-1:555555555555:file-system/fs-021345abcdef6789a", 
            "CreationTime": 1641491822.0, 
            "SourceFileSystemRegion": "eu-west-1", 
            "OriginalSourceFileSystemArn": "arn:aws:elasticfilesystem:eu-west-1:555555555555:file-system/fs-021345abcdef6789a", 
            "SourceFileSystemId": "fs-021345abcdef6789a", 
            "Destinations": [
                {
                    "Status": "ENABLED", 
                    "FileSystemId": "fs-012abc3456789def1", 
                    "Region": "us-east-1", 
                    "LastReplicatedTimestamp": 1641491823.575
                }
            ]
        }
    ]
}
```
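The output above can be checked automatically for destinations that need attention. The following is an added example, not AWS code: `replication_findings` and `to_epoch` are hypothetical names, the 900-second lag threshold is an assumed value, and the sample response (file system IDs, the `PAUSED` entry, and its `StatusMessage` text) is constructed in the shape of the CLI output shown above.

```python
import json
from datetime import datetime

# Constructed sample in the shape of the describe-replication-configurations output;
# IDs, the PAUSED entry and its StatusMessage text are invented for illustration.
SAMPLE_RESPONSE = json.loads("""
{"Replications": [
  {"SourceFileSystemId": "fs-11111111111111111",
   "Destinations": [{"Status": "ENABLED", "FileSystemId": "fs-aaaaaaaaaaaaaaaaa",
                     "Region": "us-east-1", "LastReplicatedTimestamp": 1641491802.375}]},
  {"SourceFileSystemId": "fs-22222222222222222",
   "Destinations": [{"Status": "PAUSED", "FileSystemId": "fs-bbbbbbbbbbbbbbbbb",
                     "Region": "us-east-1", "StatusMessage": "constructed example message",
                     "LastReplicatedTimestamp": 1641488000.0}]},
  {"SourceFileSystemId": "fs-33333333333333333",
   "Destinations": [{"Status": "ENABLED", "FileSystemId": "fs-ccccccccccccccccc",
                     "Region": "us-east-1"}]}
]}
""")


def to_epoch(value):
    """Accept epoch seconds (as shown above) or an ISO 8601 string with a UTC offset."""
    if isinstance(value, (int, float)):
        return float(value)
    return datetime.fromisoformat(value).timestamp()


def replication_findings(response, now, max_lag_seconds=900):
    """Return (source_id, destination_id, problem) tuples for destinations needing attention."""
    findings = []
    for repl in response.get("Replications", []):
        src = repl.get("SourceFileSystemId", "?")
        for dest in repl.get("Destinations", []):
            dst, status = dest.get("FileSystemId", "?"), dest.get("Status")
            if status in ("PAUSED", "ERROR"):
                # StatusMessage carries the cause for these two states.
                msg = dest.get("StatusMessage", "no StatusMessage returned")
                findings.append((src, dst, f"{status}: {msg}"))
            last = dest.get("LastReplicatedTimestamp")
            if last is None:
                findings.append((src, dst, "no successful sync recorded"))
                continue
            lag = now - to_epoch(last)
            if lag > max_lag_seconds:  # changes newer than the last sync may not be replicated
                findings.append((src, dst, f"last sync {lag:.0f}s ago"))
    return findings


if __name__ == "__main__":
    for finding in replication_findings(SAMPLE_RESPONSE, now=1641492000.0):
        print(finding)
```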

# Deleting replication configurations

If you need to fail over to the destination file system, delete the replication configuration of which it is a member. After you delete a replication configuration, the destination file system becomes writeable and its replication overwrite protection is re-enabled. For more information, see [Using the replica](replication-fail-over.md).

Deleting a replication configuration and changing the destination file system to be writeable can take several minutes to complete. After the configuration is deleted, Amazon EFS might write some data to a `lost+found` directory in the root directory of the destination file system, using the following naming convention:

```
efs-replication-lost+found-source-file-system-id-TIMESTAMP
```

**Note**  
You cannot delete a file system that is part of a replication configuration. You must delete the replication configuration before deleting the file system.

You can delete an existing replication configuration from either the source or the destination file system by using the Amazon EFS console, the AWS CLI, or the API. 

For cross-account or cross-Region replications, Amazon EFS deletes the replication configuration from both the source and destination accounts or Regions. If there's a configuration or permissions issue that prevents Amazon EFS from deleting the replication configuration from both sides, you can delete the configuration from only the local side (the account or Region from which the delete is performed). Deleting the local configuration leaves the configuration in the other account or Region unrecoverable.

## Using the console


1. Open the Amazon Elastic File System console at [https://console.aws.amazon.com/efs/](https://console.aws.amazon.com/efs/).

1. In the left navigation pane, choose **File systems**.

1. Choose either the source or the destination file system that is in the replication configuration that you want to delete.

1. Choose the **Replication** tab to display the **Replication** section.

1. Choose **Delete replication** to delete the replication configuration. When prompted, confirm your choice.

   If you are deleting a cross-account replication configuration, and there's a problem that prevents you from deleting the configuration from both the source and destination side, then you can choose the option to delete this file system's configuration only.
**Note**  
Delete the file system's configuration only if Amazon EFS is unable to delete the replication configuration in both the source and destination account or Region. Deleting the local configuration leaves the configuration in the other account or Region unrecoverable.

## Using the AWS CLI


To delete a replication configuration, use the `delete-replication-configuration` CLI command. The equivalent API command is [DeleteReplicationConfiguration](API_DeleteReplicationConfiguration.md).

The following example deletes the replication configuration for source file system `fs-0123456789abcdef1`.

```
aws efs --region us-west-2 delete-replication-configuration \
--source-file-system-id fs-0123456789abcdef1
```

If a configuration or permissions issue prevents Amazon EFS from deleting the replication configuration from both sides, you can delete the configuration from only the local side (the account or Region from which the delete is performed). Deleting the local configuration leaves the configuration in the other account or Region unrecoverable. The equivalent API parameter is `DeletionMode` and the value is `LOCAL_CONFIGURATION_ONLY`. 

The following example deletes the replication configuration for source file system `fs-0123456789abcdef1` from the local side only.

```
aws efs --region us-west-2 delete-replication-configuration \
--source-file-system-id fs-0123456789abcdef1 \
--deletion-mode LOCAL_CONFIGURATION_ONLY
```

# Using the replica


In the event of a disaster or when performing game day exercises, you can fail over to your replica file system by deleting its replication configuration. After the replication configuration is deleted, the replica becomes writeable and you can start using it in your application workflow. When the disaster is mitigated or the game day exercise is over, you can continue using the replica as the primary file system or you can perform a failback to resume operations on your original primary file system.

During the failback process, you can choose to discard the changes made to your replica file system or preserve them by copying them back to your primary.
+ To discard the changes made to your replica during failover, re-create the original replication configuration on your primary file system, where the replica file system is the replication destination. During replication, Amazon EFS synchronizes the file systems by updating your replica file system's data to match that of your primary.
+ To replicate the changes made to your replica during failover, create a replication configuration on the replica file system, where the primary file system is the replication destination. During replication, Amazon EFS identifies and transfers the differences from your replica file system back to the primary file system. Once the replication is complete, you can resume replicating the primary file system by re-creating the original replication configuration or creating a new configuration.

The amount of time it takes for Amazon EFS to complete the replication process varies and depends on factors such as the size of the file system and the number of files in it. For more information, see [Replication performance](efs-replication.md#efs-replication-performance).