08. Using Elastic File System (EFS) with N2WS

Now you can backup and recover Amazon Elastic File System (EFS) with N2WS. In this guide, we walk you through how to set it up.

Configuring EFS on N2WS allows you to determine backup:

  • Schedule and frequency
  • Retention
  • Lifecycle policy, including moving backups to cold storage, defining expiration options, and deleting them at end of life.

With AWS Backup, you pay only for the amount of backup storage you use and the amount of backup data you restore in the month. There is no minimum fee and there are no set-up charges.

Important: EFS Backup and Restore is performed by AWS Backup Service.

For more information regarding the AWS Backup Service, refer to https://docs.aws.amazon.com/efs/latest/ug/awsbackup.html

Notes: Before continuing, consider the following:

Currently, AWS Backup service doesn’t support DR for EFS resources.

Not all regions are available for EFS backup on the AWS Backup service. Currently, the available regions are: US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), EU (Frankfort), and Asia Pacific (Sydney).

Backup transitions and expirations are performed automatically according to the configured lifecycle.

A default or custom IAM role must exist in AWS to create and manage backups on behalf of N2WS. The IAM identity contains the backup and restore policies allowing operations on EFS. If a default was not automatically created, or you prefer to use a custom IAM role, see section 8.2.

Configuring EFS

  1. In the AWS Console, create the EFS in one of the available regions listed in section 8.

In N2WS, in the Backup Targets of a Policy, Add Elastic File Systems.

Configure the backup and restore options:

Complete the EFS Configuration:

Backup Vault – A logical backup container for your recovery points (your EFS snapshots) that allows you to organize your backups. A Default value is automatically created by AWS.

IAM Role – An IAM identity that has specific permissions for EFS. The following AWS backup permissions should be attached to your IAM role:

AWSBackupServiceRolePolicyForBackup – Create backups on your behalf across AWS services.

AWSBackupServiceRolePolicyForRestores – Perform restores on your behalf across AWS services.

If a default IAM role was not automatically created by AWS, or you require a custom IAM role, see section 8.2. Selecting the preferred IAM role is only required during the EFS policy configuration.

Transition to cold – Select the transition lifecycle of a recovery point (your EFS snapshots). The default is Policy Generations.

Expire – When does a protected resource expire. The default is Never.

Note: Moving a backup to the Freezer will set Expiration Date to Never.

Creating IAM Roles in AWS

A default or custom IAM role is necessary for AWS to perform EFS operations on behalf of N2WS.

To create a default IAM Role:

  1. Go to the AWS Backup Service:


Click the Create an on-demand backup button.

  1. For Resource type, select EBS.
  2. For Volume ID, select any EBS volume to backup.
  3. Select Default IAM Role.
  4. Click the Create on-demand backup button. Ignore the error provided by AWS.

Verify that the following role was created on AWS IAM Service:


To create a custom IAM Role:

  1. Go to AWS IAM Service:


Click the Create role button.

Select AWS Backup and click Next: Permissions.

Search for BackupService.

Select the following AWS managed policies:



Click Next: Tags and then click Next: Review.

Enter a Role name and click Create role.


Backup Options for EFS Instances

EFS can be configured by creating the cpm backup tag with the following values. In this case, N2WS will override the EFS configuration with the tag values:

vaultVault. Example: Default
role_arnArn of role. Example: arn:aws:iam::040885004714:role/service-role/AWSBackupDefaultServiceRole
cold_optLifecycle transition:

N – Never

D – Days

W – Weeks

M – Months

Y – Years

cold_opt_valInteger for D, W, M, Y only
exp_optWhen does resource expire:

P – Policy Generations

N – Never

D – Days

W- Weeks

M – Months

Y – Years

exp_opt_valInteger for D, W, M, Y only


cpm backup my_policy+vault=Default+exp_opt=D+exp_opt_val=1

CPM will backup EFS to the default vault, and set its expiration date to 1 day.

Note: The max length for the cpm backup value is limited to 256 characters.

Share this post →

Share on twitter
Share on linkedin
Share on facebook
Share on email