Skip to content
S3 Files Workloads

Security Groups

Progress checklist

Overview

Section titled “Overview”

S3FILES
Amazon S3 Files — a service that exposes an S3 bucket as a shared NFS file system. Supports EC2, EKS, ECS (Fargate), and Lambda. Uses the CLI namespace `aws s3files` and mount type `-t s3files`. Read APIs are `list-*` and `get-*` (for example `list-file-systems`, `get-file-system`), not `describe-*`. uses NFS
Network File System — the protocol used by S3 Files to expose S3 data as a mountable file system. Uses NFS v4.1/4.2 over port 2049 TCP. over port 2049 TCP. This page creates the Lambda compute security group s3files-lambda-compute-sg, stores its ID in COMPUTE_SG_ID, and adds the paired rules with MT_SG_ID from Mount Targets. The Access Point page looks up that same group by name — it does not invent a new SG variable.

  1. Confirm base exports. Required

    Re-run these in your current shell. Replace VPC_ID with your VPC; MT_SG_ID is looked up by name from the group created in Mount Targets.

    Terminal window
    export AWS_REGION=ap-southeast-6
    export VPC_ID=vpc-0123456789abcdef0   # replace with your VPC ID
    

    export MT_SG_ID=$(aws ec2 describe-security-groups \
      --filters "Name=group-name,Values=s3files-mount-target-sg" \
                "Name=vpc-id,Values=$VPC_ID" \
      --region $AWS_REGION \
      --query 'SecurityGroups[0].GroupId' \
      --output text)
    echo "MT_SG_ID=$MT_SG_ID"

    If MT_SG_ID is empty, complete Mount Targets first.

  2. Create the compute security group and capture its ID. Required

    Fixed name s3files-lambda-compute-sg so the rest of the Lambda walkthrough can resolve COMPUTE_SG_ID without placeholders.

    Terminal window
    export COMPUTE_SG_ID=$(aws ec2 create-security-group \
      --group-name s3files-lambda-compute-sg \
      --description "S3 Files Lambda walkthrough - compute (NFS to mount targets)" \
      --vpc-id $VPC_ID \
      --region $AWS_REGION \
      --query GroupId \
      --output text)
    echo "COMPUTE_SG_ID=$COMPUTE_SG_ID"

  3. Allow outbound NFS from the compute security group. Required

    Terminal window
    aws ec2 authorize-security-group-egress \
      --group-id $COMPUTE_SG_ID \
      --protocol tcp \
      --port 2049 \
      --source-group $MT_SG_ID \
      --region $AWS_REGION

  4. Allow inbound NFS on the mount target security group. Required

    Terminal window
    aws ec2 authorize-security-group-ingress \
      --group-id $MT_SG_ID \
      --protocol tcp \
      --port 2049 \
      --source-group $COMPUTE_SG_ID \
      --region $AWS_REGION

  5. Verify the rules.

    Outbound on compute SG:

    Terminal window
    aws ec2 describe-security-group-rules \
      --filters "Name=group-id,Values=$COMPUTE_SG_ID" \
      --query 'SecurityGroupRules[?IsEgress==`true` && ToPort==`2049`].{Port:ToPort,Dest:ReferencedGroupInfo.GroupId}' \
      --output table \
      --region $AWS_REGION

    Inbound on mount target SG:

    Terminal window
    aws ec2 describe-security-group-rules \
      --filters "Name=group-id,Values=$MT_SG_ID" \
      --query 'SecurityGroupRules[?IsEgress==`false` && ToPort==`2049`].{Port:ToPort,Source:ReferencedGroupInfo.GroupId}' \
      --output table \
      --region $AWS_REGION

    Both queries should return one row each showing port 2049 and the correct SG reference.

Setup complete

Section titled “Setup complete”

You now have a fully configured S3 Files environment for Lambda:

  • S3 bucket with versioning and encryption
  • S3 Files file system linked to the bucket
  • Mount targets in each Availability Zone
  • Two IAM roles (file system + Lambda execution)
  • Security group rules on port 2049

Continue to Access Point to create the S3 Files access point required for Lambda.