IAM

Progress checklist

• Base exports confirmed (AWS_REGION, ACCOUNT_ID, BUCKET_ARN)
• Lambda execution role s3files-compute-role-lambda created
• AmazonS3FilesClientFullAccess attached
• AWSLambdaBasicExecutionRole attached
• Inline S3 read policy attached

Overview

S3FILES S3FILES
Amazon S3 Files — a service that exposes an S3 bucket as a shared NFS file system. Supports EC2, EKS, ECS (Fargate), and Lambda. Uses the CLI namespace `aws s3files` and mount type `-t s3files`. Read APIs are `list-*` and `get-*` (for example `list-file-systems`, `get-file-system`), not `describe-*`. requires exactly two IAM IAM
Identity and Access Management — the AWS service that controls permissions for all resources. S3 Files requires two IAM roles: one for the file system and one for the compute resource. roles:

Role	Who assumes it	Purpose
File system role	elasticfilesystem.amazonaws.com	S3 Files reads/writes the bucket and manages EventBridge sync rules
Compute role	Lambda execution role	Lambda mounts the file system and reads objects directly from S3

The file system role was created in File System. This page creates the Lambda execution role.

Caution

The file system role principal is elasticfilesystem.amazonaws.com — not s3.amazonaws.com. This is intentional; S3 Files is built on EFS infrastructure.

1. Confirm base exports. Required

   Re-run these in your current shell so all required variables are set:

   export AWS_REGION=ap-southeast-6
   export ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
   export BUCKET=my-s3-files-bucket        # ← replace with your real bucket name
   export BUCKET_ARN=arn:aws:s3:::${BUCKET}
   echo "Region: $AWS_REGION  Account: $ACCOUNT_ID  Bucket ARN: $BUCKET_ARN"

2. Create the Lambda execution role. Required

   Role name s3files-compute-role-lambda (execution role for the function).

   compute-trust-lambda.json

   cat > /tmp/compute-trust-lambda.json <<EOF
   {
     "Version": "2012-10-17",
     "Statement": [{
       "Effect": "Allow",
       "Principal": { "Service": "lambda.amazonaws.com" },
       "Action": "sts:AssumeRole"
     }]
   }
   EOF
   aws iam create-role \
     --role-name s3files-compute-role-lambda \
     --assume-role-policy-document file:///tmp/compute-trust-lambda.json

3. Attach managed policies. Required

   Attach AmazonS3FilesClientFullAccess to allow mounting the file system:

   aws iam attach-role-policy \
     --role-name s3files-compute-role-lambda \
     --policy-arn arn:aws:iam::aws:policy/AmazonS3FilesClientFullAccess

   Attach AWSLambdaBasicExecutionRole to allow writing to CloudWatch Logs:

   aws iam attach-role-policy \
     --role-name s3files-compute-role-lambda \
     --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

4. Attach an inline S3 read policy. Required

   compute-s3-read-lambda.json

   cat > /tmp/compute-s3-read-lambda.json <<EOF
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "S3ObjectReadAccess",
         "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:GetObjectVersion"],
         "Resource": "${BUCKET_ARN}/*"
       },
       {
         "Sid": "S3BucketListAccess",
         "Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "${BUCKET_ARN}"
       }
     ]
   }
   EOF
   aws iam put-role-policy \
     --role-name s3files-compute-role-lambda \
     --policy-name S3FilesComputeS3ReadPolicy \
     --policy-document file:///tmp/compute-s3-read-lambda.json

Next step

Continue to Security Groups to open port 2049 between the Lambda function and mount targets.