Mounting Amazon EFS with EC2 Instances on Rocky Linux 9: A Complete Guide

Table of contents

• Introduction
• Install the EFS Utility on Rocky Linux 9
• Configure the Security Group
• Mount the EFS on Your EC2 Instance
• Configure Automatic EFS Mounting
• Unmount EFS
• Conclusion

Introduction

Amazon Elastic File System (EFS) is a fully-managed file storage service designed to be easily scalable and accessible to multiple EC2 instances simultaneously, making it an ideal choice for applications requiring shared access to file data. This guide provides detailed instructions on installing and configuring Amazon EFS on EC2 instances running Rocky Linux 9, focusing on security enhancements and ensuring compatibility with SELinux policies for Nginx servers.

Install the EFS Utility on Rocky Linux 9

To get started with EFS on your EC2 instance with Rocky Linux 9, first, install the necessary EFS utilities. These utilities facilitate the mounting process and enable encryption for data in transit. Execute the following commands:

$ sudo yum -y install git rpm-build make
$ git clone https://github.com/aws/efs-utils
$ cd efs-utils
$ make rpm
$ sudo yum -y install build/amazon-efs-utils*rpm

Configure the Security Group

Proper security group configuration is crucial for the secure operation of your EFS. Ensure the security group linked to both your EC2 instances and EFS allows inbound connections on port 2049, essential for NFS communication:

• Go to the EC2 dashboard within AWS Management Console.
• Access “Security Groups” from the “Network & Security” menu.
• Select the security group tied to your EFS setup.
• Configure an inbound rule to permit TCP traffic on port 2049.

Mount the EFS on Your EC2 Instance

After setting up the EFS utility and configuring your security groups, proceed to mount the EFS file system to your EC2 instance:

mkdir /mnt/efs
sudo mount -t efs -o tls fs-abcd123456789ef0:/ /mnt/efs
cd /mnt/efs 
sudo chmod go+rw .

Configure Automatic EFS Mounting

Automatic mounting ensures your EFS filesystem is always available after a reboot. Adding the filesystem to the /etc/fstab file with the correct SELinux context is vital for compliance with security policies, particularly when serving files through Nginx:

Add the following line to /etc/fstab for basic automatic mounting:

fs-abcd123456789ef0:/ /var/data efs _netdev,noresvport,tls 0 0

For environments with SELinux enabled, specifying the SELinux context is necessary to allow Nginx to serve files from the mounted EFS volume. The context=“system_u:object_r:httpd_sys_content_t:s0” option in the mount command tells SELinux to treat the mounted EFS files as web content, which is crucial for Nginx servers:

fs-abcd123456789ef0:/ /var/data efs _netdev,noresvport,tls,context="system_u:object_r:httpd_sys_content_t:s0" 0 0

This step is essential because, without the correct SELinux context, Nginx would be blocked from accessing the files, even if file permissions were set correctly. It ensures that security policies are adhered to while maintaining the necessary access for web services.

Unmount EFS

To unmount your EFS file system, use:

sudo umount /mnt/efs

Conclusion

Setting up Amazon EFS on EC2 instances running Rocky Linux 9 provides a scalable and secure file storage solution, perfectly suited for applications that demand shared access to files. By following this guide, you’ll ensure that your EFS integration is secure, compliant with SELinux policies, and optimized for serving content via Nginx.