# Automatically installing or updating Amazon EFS client using AWS Systems Manager
<a name="manage-efs-utils-with-aws-sys-manager"></a>

You can use AWS Systems Manager to simplify the management of the Amazon EFS client (`amazon-efs-utils`). AWS Systems Manager is an AWS service that you can use to view and control your infrastructure on AWS. With AWS Systems Manager you can automate the tasks required to install or update the `amazon-efs-utils` package on your Amazon EC2 (EC2) instances. The Systems Manager capabilities like Distributor and State Manager enable you to automate the following processes:
+ Maintaining version control over the Amazon EFS client.
+ Centrally storing and systematically distributing the Amazon EFS client to your Amazon EC2 instances.
+ Automate the process of keeping your EC2 instances in a defined state. 

For more information, see the [https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html).

## What the Amazon EFS client does during installation
<a name="what-efs-utils-does"></a>

You use the Amazon EFS client to automate monitoring Amazon CloudWatch logs for file system mount status and upgrade `stunnel` to the latest version for selected Linux distributions. When you install the Amazon EFS client on your Amazon EC2 instances using Systems Manager, it takes the following actions:
+ Installs the `botocore` package using the same steps described in [Installing and upgrading `botocore`](install-botocore.md). The Amazon EFS client uses `botocore` to monitor the EFS file system mount status.
+ Enables the monitoring of EFS file system mount status in CloudWatch logs by updating `efs-utils.conf`. For more information, see [Monitoring mount attempt successes and failures](how-to-monitor-mount-status.md).
+ For EC2 instances running `RHEL7` or `CentOS7`, the Amazon EFS client automatically upgrades `stunnel` as described in [Upgrading `stunnel`](upgrading-stunnel.md). Upgrading `stunnel` is required in order to successfully mount an EFS file system using TLS, and the `stunnel` version shipped with `RHEL7` and `CentOS7` does not support the Amazon EFS client (`amazon-efs-utils`).

## Systems Manager supported operating systems
<a name="sys-mgr-support-matrix"></a>

Your EC2 instances must be running one of the following operating systems in order to be used with AWS Systems Manager to automatically update or install the Amazon EFS client.


| Platform | Platform version | Architecture | 
| --- | --- | --- | 
| Amazon Linux 2023 (AL2023) | AL2023 | x86\$164, arm64 (Graviton2 or later processors) | 
| Amazon Linux 2 (AL2) |  2.0  | x86\$164, arm64 (Amazon Linux 2, A1 instance types) | 
|  Amazon Linux 1 (AL1)  Amazon Linux 1 (AL1) AMI reached its end-of-life on December 31, 2023 and is not supported for `amazon-efs-utils` packages released in April 2024 and later (version 2.0 and later). We recommend that you upgrade applications to Amazon Linux 2023 (AL2023), which includes long-term support until 2028.   |  2017.09, 2018.03  | x86\$164 | 
|  CentOS  |  7, 8  | x86\$164 | 
|  Red Hat Enterprise Linux (RHEL)  |  8, 9  | x86\$164, arm64 | 
| SUSE Linux Enterprise Server (SLES) | 12, 15 | x86\$164 | 
|  Ubuntu Server  |  16.04, 18.04, 20.04  | x86\$164, arm64 (Ubuntu Server 16 and later, A1 instance types) | 

# Configuring AWS Systems Manager to install the EFS client
<a name="setting-up-aws-sys-mgr"></a>

There are two one-time configurations required to set up Systems Manager to automatically install or update the `amazon-efs-utils` package.

1. Configure an AWS Identity and Access Management (IAM) instance profile with the required permissions.

1. Configure an Association (including the schedule) used for installation or updates by the State Manager.

## Step 1: Configure an IAM instance profile with the required permissions
<a name="configure-sys-mgr-iam-instance-profile"></a>

By default, AWS Systems Manager doesn't have permission to manage your Amazon EFS clients and install or update the amazon-efs-utils package. You must grant access to Systems Manager by using an AWS Identity and Access Management (IAM) instance profile. An instance profile is a container that passes IAM role information to an Amazon EC2 (EC2) instance at launch. 

Use the `AmazonElasticFileSystemsUtils` AWS managed permission policy to assign the appropriate permissions to roles. You can create a new role for your instance profile or add the `AmazonElasticFileSystemsUtils` permission policy to an existing role. You must then use this instance profile to launch your EC2 instances. For more information, see [Configure instance permissions required for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-permissions.html).

## Step 2: Configure an association used by State Manager
<a name="config-sys-mgr-association"></a>

The `amazon-efs-utils` package is included with Distributor and is ready for you to deploy to managed EC2 instances. To view the latest version of `amazon-efs-utils` that is available for installation, you can use the AWS Systems Manager console or your preferred AWS command line tool. To access Distributor, open the [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/) and choose **Distributor** in the left navigation pane. Locate **AmazonEFSUtils** in the **Owned by Amazon** section. Choose **AmazonEFSUtils** to see the package details. For more information, see [View packages](https://docs.aws.amazon.com/systems-manager/latest/userguide/distributor-view-packages.html).

Using State Manager, you can install or update the `amazon-efs-utils` package on your managed EC2 instances immediately or on a schedule. Additionally, you can ensure that `amazon-efs-utils` is automatically installed on new EC2 instances. For more information about installation or updating packages using Distributor and State Manager, see [Working with Distributor](https://docs.aws.amazon.com/systems-manager/latest/userguide/distributor-working-with.html).

To automatically install or update the amazon-efs-utils package on instances using the Systems Manager console, see [Scheduling a package installation or update (console)](https://docs.aws.amazon.com/systems-manager/latest/userguide/distributor-working-with-packages-deploy.html#distributor-deploy-sm-pkg-console). This will prompt you to create an association for State Manager, which defines the state you want to apply to a set of instances. Use the following inputs when you create your association:
+ For **Parameters** choose **Action** > **Install** and **Installation Type** > **In-place update**.
+ For **Targets** the recommended setting is **Choose all instances** to register all new and existing EC2 instances as targets to automatically install or update **AmazonEFSUtils**. Alternatively, you can specify instance tags, select instances manually, or choose a resource group to apply the association to a subset of instances. If you specify instance tags, you must launch your EC2 instances with the tags to allows AWS Systems Manager to automatically install or update the Amazon EFS client.
+ For **Specify schedule** the recommended setting for **AmazonEFSUtils** is every 30 days. You can use controls to create a cron or rate schedule for the association.

To use AWS Systems Manager to mount EFS file systems to multiple EC2 instances, see [Mounting EFS to multiple EC2 instances](mount-multiple-ec2-instances.md).