

# Creating and managing S3 Files resources

This page describes how to create, configure, and manage S3 Files resources. To manage your resources using the AWS CLI, see [S3 Files API reference](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations_Amazon_S3_Files.html).

**File systems**  
A shared file system linked to your S3 bucket. It stores a fraction of your actively used S3 data as files and directories so that your applications and users can benefit from low-latency performance. You can access your data using standard file system operations, including reading, writing, and locking files.  
+ [Creating file systems](s3-files-file-systems-creating.md)
+ [Deleting file systems](s3-files-file-systems-deleting.md)

**Mount targets**  
A mount target provides network access to your file system within a single Availability Zone in your VPC. You need at least one mount target to access your file system from compute resources, and you can create a maximum of one mount target per Availability Zone. We recommend creating one mount target in each Availability Zone you operate in so that your compute resources always have a local network path to the file system, improving both availability and latency. When you create a file system using the AWS Management Console, S3 Files automatically creates one mount target in every Availability Zone in your default VPC.  
+ [Creating mount targets](s3-files-mount-targets-creating.md)
+ [Managing mount targets](s3-files-mount-targets-managing.md)
+ [Deleting mount targets](s3-files-mount-targets-deleting.md)

**File system policies**  
A file system policy is an optional IAM resource policy that you can create for your S3 file system to control NFS client access to the file system.  
+ [Creating file system policies](s3-files-file-system-policies-creating.md)
+ [Deleting file system policies](s3-files-file-system-policies-deleting.md)

**Access points**  
Access points are application-specific entry points to a file system that simplify managing data access at scale for shared datasets. You can use access points to enforce user identities and permissions for all file system requests that are made through the access point. Additionally, access points can restrict clients to only access data within a specified root directory and its subdirectories. When you create a file system using the AWS Management Console, S3 Files automatically creates one access point for the file system.  
A file system can have a maximum of 10,000 access points unless you request an increase. For more information, see [Unsupported features, limits, and quotas](s3-files-quotas.md).  
+ [Creating access points for an S3 file system](s3-files-access-points-creating.md)
+ [Deleting access points for an S3 file system](s3-files-access-points-deleting.md)

**Tags**  
Tags are key-value pairs that you define and associate with your S3 Files resources to help organize, identify, and manage them.  
+ [Tagging S3 Files resources](s3-files-tagging.md)

**Topics**
+ [Creating file systems](s3-files-file-systems-creating.md)
+ [Deleting file systems](s3-files-file-systems-deleting.md)
+ [Creating mount targets](s3-files-mount-targets-creating.md)
+ [Managing mount targets](s3-files-mount-targets-managing.md)
+ [Deleting mount targets](s3-files-mount-targets-deleting.md)
+ [Creating file system policies](s3-files-file-system-policies-creating.md)
+ [Deleting file system policies](s3-files-file-system-policies-deleting.md)
+ [Creating access points for an S3 file system](s3-files-access-points-creating.md)
+ [Deleting access points for an S3 file system](s3-files-access-points-deleting.md)
+ [Tagging S3 Files resources](s3-files-tagging.md)

# Creating file systems

You can create file systems by using the AWS Console, the AWS Command Line Interface (AWS CLI), or the Amazon S3 API for any existing or new S3 general purpose bucket. For information on creating a new bucket, see [Creating a general purpose bucket](create-bucket-overview.md).

## Required IAM permissions for creating file systems


When you create an S3 file system, you must specify an IAM role that S3 Files assumes to read from and write to your S3 bucket. This role allows S3 Files to synchronize changes between your file system and your S3 bucket. When you create a file system using the AWS Console, S3 Files automatically creates this IAM role with the required permissions. If you are using the AWS CLI or S3 API, see [IAM role for accessing your bucket from the file system](s3-files-prereq-policies.md#s3-files-prereq-iam-creation-role).

For more information about managing permissions for API operations, see [How S3 Files works with IAM](s3-files-security-iam.md).

## Status of a file system


A file system has one of the status values described in the following table. You can retrieve the current status with the `get-file-system` command.


| File system state | Description | 
| --- | --- | 
| AVAILABLE | The file system is in a healthy state, and is reachable and available for use. | 
| CREATING | S3 Files is in the process of creating the new file system. | 
| DELETING | S3 Files is deleting the file system in response to a user-initiated delete request. | 
| DELETED | S3 Files has deleted the file system in response to a user-initiated delete request. | 
| ERROR | The file system is in a failed state and is unrecoverable. To access the file system data, restore a backup of this file system to a new file system. Check the StatusMessage field for information about the error. | 

**Note**  
S3 Files returns an error when you attempt to create a file system scoped to a prefix with a large number of objects. This error alerts you that large recursive rename or move operations may impact file system performance and increase S3 request costs, as every file requires separate copy and delete requests to your S3 bucket. If you still want to create a file system scoped to that prefix, you can add the `--AcceptBucketWarning` parameter.

## Using the S3 console


This section explains how to use the Amazon S3 console to create a file system for S3 Files.
+ Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).
+ In the navigation bar at the top of the page, verify you are in your desired AWS Region.
+ In the left navigation pane, choose **File systems**.
+ Select **Create file system**.
+ On the create page, choose the S3 bucket or prefix to create your file system from. You can enter the S3 URI directly (for example, `s3://bucket-name/prefix`) or choose **Browse S3** to navigate to and select your bucket or prefix.
+ Select a VPC for your file system. S3 Files selects your default VPC automatically. This is the VPC where your compute resources connect to your file system. To use a different VPC, choose one from the dropdown.
+ Select **Create** and wait for the status of your file system to become `Available`.

**Default settings on AWS Management Console**

S3 Files will create your file system with the following configuration:
+ **Encryption** — S3 Files sets the encryption configuration from the source S3 bucket and applies it to data at rest in your file system.
+ **IAM role** — S3 Files creates a new IAM role that it assumes to manage the data synchronization between your file system and bucket.
+ **Mount targets** — S3 Files automatically creates one mount target in every Availability Zone in the VPC you choose.
+ **Access point** — S3 Files creates one access point for the file system.

## Using the AWS CLI


When you're using the AWS CLI, you create these resources in order. First, you create a file system. Then, you can create mount targets and any additional optional tags for the file system by using corresponding AWS CLI commands.

The following `create-file-system` example command shows how you can use the AWS CLI to create a file system for S3 Files.

```
aws s3files create-file-system --region aws-region --bucket bucket-arn --client-token idempotency-token --role-arn iam-role
```

Replace the following with your desired values:
+ *aws-region* : The AWS Region of your bucket. For example, `us-east-1`.
+ *bucket-arn* : The ARN of your S3 bucket.
+ *idempotency-token* : An idempotency token. This is optional.
+ *iam-role* : ARN of the IAM role that S3 Files assumes to read from and write to your S3 bucket. Make sure you have added the right permissions to this IAM role. For more information, see [IAM role for accessing your bucket from the file system](s3-files-prereq-policies.md#s3-files-prereq-iam-creation-role).

After successfully creating the file system, S3 Files returns the file system description as JSON.

# Deleting file systems

When you delete a file system, the file system, its data, and its configuration are permanently removed. Make sure no applications are actively using the file system before deletion to avoid service disruption. Before deletion, you must delete all mount targets and access points associated with the file system first. For more information, see [Deleting mount targets](s3-files-mount-targets-deleting.md) and [Deleting access points for an S3 file system](s3-files-access-points-deleting.md).

When you delete a file system, S3 Files checks whether all changes in your file system have been synchronized with your linked S3 bucket. If there are changes that have not yet been synchronized, S3 Files returns an error and the deletion does not proceed. This ensures that all your data is safely stored in your S3 bucket before the file system is deleted. If you want to proceed with deletion and accept that any unsynchronized changes will be lost, you can retry the delete request with the 'force delete' option. In the AWS CLI, add the `--ForceDelete` flag to your delete API call. On the AWS Console, choose the **Force** button in the error message that appears when you delete a file system while unsynced changes are present.

## Using the S3 console


This section explains how to use the Amazon S3 console to delete a file system for S3 Files.
+ Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).
+ In the navigation bar at the top of the page, verify you are in the AWS Region of the file system that you want to delete.
+ In the left navigation pane, choose **General purpose buckets**.
+ Choose a general purpose bucket your file system is attached to.
+ Select the **File systems** tab and select the file system you wish to delete.
+ Choose **Delete**.
+ In the confirmation window, type `confirm`.

## Using the AWS CLI


The following `delete-file-system` example command shows how you can use the AWS CLI to delete a file system for S3 Files.

```
aws s3files delete-file-system --file-system-id file-system-id
```

# Creating mount targets

You need a mount target to access your file system from compute resources and you can create a maximum of one mount target per Availability Zone. We recommend creating one mount target per Availability Zone you operate in. When you create a file system using the S3 console, S3 Files automatically creates one mount target in every Availability Zone in your default VPC.

You can create mount targets for the file system in one VPC at a time. If you want to modify the VPC for your mount targets, you need to first delete all the existing mount targets for the file system and then create a mount target in a new VPC. If the VPC has multiple subnets in an Availability Zone, you can create a mount target in only one of those subnets. All EC2 instances in the Availability Zone can share the single mount target.

## Using the S3 console


This section explains how to use the Amazon S3 console to create a mount target for S3 Files.

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation bar at the top of the page, verify you are in the AWS Region of the file system for which you want to create a mount target.

1. In the left navigation pane, choose **General purpose buckets**.

1. Choose a general purpose bucket your file system is attached to.

1. Select the **File systems** tab and select your desired file system.

1. Select the **Mount targets** tab and select **Create mount targets**.

1. On the Create mount target page, your default VPC will automatically be selected. Choose the Availability Zone and Subnet ID. The VPC, Availability Zone, and Subnet ID cannot be edited after mount target creation.
**Note**  
The IP address type must match the IP type of the subnet. Additionally, the IP address type overrides the IP addressing attribute of your subnet. For example, if the IP address type is IPv4-only and the IPv6 addressing attribute is enabled for your subnet, network interfaces created in the subnet receive an IPv4 address from the range of the subnet. For more information, see [Modify the IP addressing attributes of your subnet](https://docs.aws.amazon.com/vpc/latest/userguide/modify-subnets.html).

1. If you know the IP address where you want to place the mount target, then enter it in the IP address box that matches the IP address type. If you don't specify a value, S3 Files selects an unused IP address from the specified subnet.

1. Choose your security groups to associate with the mount target. See [Security groups](s3-files-prereq-policies.md#s3-files-prereq-security-groups) in the prerequisites to understand the security group configurations required to start using your file system.

1. Choose **Create mount target**.

## Using the AWS CLI


The following `create-mount-target` example command shows how you can use the AWS CLI to create a mount target for S3 Files.

```
aws s3files create-mount-target --region aws-region --file-system-id file-system-id --subnet-id subnet-id
```

Mount targets can take up to 15 minutes to create.

# Managing mount targets

You can add or remove security groups associated with a mount target. Security groups define inbound and outbound access. When you change security groups associated with a mount target, make sure that you authorize necessary inbound and outbound access. Doing so enables your compute resource to communicate with the file system. See [Security groups](s3-files-prereq-policies.md#s3-files-prereq-security-groups) in the prerequisites to understand the security group configurations required to start using your file system.

## Using the S3 console


This section explains how to use the Amazon S3 console to add or remove security groups for a mount target in S3 Files.

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation bar at the top of the page, verify you are in the desired AWS Region where your mount target exists.

1. In the left navigation pane, choose **General purpose buckets**.

1. Choose a general purpose bucket your file system is attached to.

1. Select the **File systems** tab and select your desired file system.

1. Select the **Mount targets** tab and select the mount target that you want to edit.

1. Choose **Edit**. You will see details of your mount target.

1. Add or remove security groups from the security group drop down.

1. Choose **Save**.

## Using the AWS CLI


The following `update-mount-target` example command shows how you can use the AWS CLI to add or remove security groups for a mount target in S3 Files.

```
aws s3files update-mount-target --region aws-region --mount-target-id mount-target-id --security-groups security-group-ids-separated-by-space
```

# Deleting mount targets

When you delete a mount target, the operation forcibly breaks any mounts of the file system, which might disrupt compute resources and applications using those mounts. To avoid application disruption, stop applications and unmount the file system before deleting the mount target.

You can delete mount targets for a file system by using the AWS Management Console, AWS CLI, or programmatically by using the AWS SDKs.

## Using the S3 console


This section explains how to use the Amazon S3 console to delete a mount target for S3 Files.

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation bar at the top of the page, verify you are in the AWS Region of the mount target that you want to delete.

1. In the left navigation pane, choose **General purpose buckets**.

1. Choose a general purpose bucket your file system is attached to.

1. Select the **File systems** tab and select your desired file system.

1. Select the **Mount targets** tab and select the mount target you wish to delete.

1. Choose **Delete**.

1. In the confirmation window, type **confirm** and choose **Delete**.

## Using the AWS CLI


The following `delete-mount-target` example command shows how you can use the AWS CLI to delete a mount target for S3 Files.

```
aws s3files delete-mount-target --region aws-region --mount-target-id mount-target-id
```

# Creating file system policies

You can use file system policies to grant or deny permissions for NFS clients to perform operations such as mounting, writing, and root access on your file systems. A file system either has an empty (default) file system policy or exactly one explicit policy. You can update your file system policy at any time after file system creation using the AWS Management Console, AWS CLI, or AWS SDK.

You can update a file system policy by using the Amazon S3 console, the AWS CLI, programmatically with AWS SDKs, or the S3 Files API directly. These policy changes can take several minutes to take effect. S3 file system policies have a 20,000 character limit. For more information about using an S3 file system policy, supported actions, supported condition keys, and examples, see [How S3 Files works with IAM](s3-files-security-iam.md).

## Using the S3 console


This section explains how to use the Amazon S3 console to create a file system policy for S3 Files.

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation bar at the top of the page, verify you are in the AWS Region where your file system exists.

1. In the left navigation pane, choose **File systems**.

1. Choose your desired file system.

1. Select the **Permissions** tab and select **Edit**.

1. You can use the Policy editor to add your own file system policy.

1. After you complete editing the policy, choose **Save**.

## Using the AWS CLI


The following `put-file-system-policy` example command shows how you can use the AWS CLI to create a file system policy for S3 Files. The following file system policy grants only `ClientMount` (read-only) permissions to the `ReadOnly` IAM role. Replace the example AWS account ID *111122223333* with your AWS account ID.

```
aws s3files put-file-system-policy --file-system-id file-system-id --policy '{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:role/ReadOnly"
            },
            "Action": [
                "s3files:ClientMount"
            ]
        }
    ]
}'
```
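As an added example (not AWS documentation or S3 Files code), the following Python script checks a file system policy document against the constraints stated on this page before it is handed to `put-file-system-policy`: the 20,000 character limit, JSON validity, the presence of Effect, Principal and Action in each statement, and the `s3files:` action namespace. It also flags an Allow statement with a wildcard principal, since a file system policy is the control over which clients may mount and such a statement grants the action to every principal. The file system ID `fs-EXAMPLE` is a placeholder; the account ID and role are the ones from the example above.

```python
"""Pre-flight checks for an S3 Files file system policy before it is passed to
`aws s3files put-file-system-policy --policy`.  Added example, not AWS code."""
import json
import shlex

POLICY_CHAR_LIMIT = 20_000  # stated limit for S3 file system policies

# The read-only policy from this page: only ClientMount for the ReadOnly role.
READ_ONLY_POLICY = {
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/ReadOnly"},
            "Action": ["s3files:ClientMount"],
        }
    ]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for Principal "*" or for any provider entry equal to "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def check_policy(policy_text):
    """Return findings for a policy document string; an empty list means it passed."""
    findings = []
    if len(policy_text) > POLICY_CHAR_LIMIT:
        findings.append(f"policy is {len(policy_text)} characters; limit is {POLICY_CHAR_LIMIT}")
    try:
        doc = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return findings + [f"policy is not valid JSON: {exc}"]
    statements = doc.get("Statement") if isinstance(doc, dict) else None
    if not isinstance(statements, list) or not statements:
        return findings + ["policy has no Statement list"]
    for i, stmt in enumerate(statements):
        missing = [k for k in ("Effect", "Principal", "Action") if k not in stmt]
        if missing:
            findings.append(f"statement {i}: missing {', '.join(missing)}")
            continue
        if stmt["Effect"] not in ("Allow", "Deny"):
            findings.append(f"statement {i}: Effect must be Allow or Deny")
        for action in _as_list(stmt["Action"]):
            if not str(action).startswith("s3files:"):
                findings.append(f"statement {i}: action {action!r} is not an s3files: action")
        # A file system policy decides which clients may mount; an Allow for
        # every principal defeats that control.
        if stmt["Effect"] == "Allow" and _is_wildcard_principal(stmt["Principal"]):
            findings.append(f"statement {i}: Allow with wildcard principal grants the action to every principal")
    return findings


def put_policy_command(file_system_id, policy):
    """Build the documented put-file-system-policy command with the policy quoted for the shell."""
    text = json.dumps(policy, separators=(",", ":"))
    problems = check_policy(text)
    if problems:
        raise ValueError("; ".join(problems))
    return ("aws s3files put-file-system-policy --file-system-id "
            f"{shlex.quote(file_system_id)} --policy {shlex.quote(text)}")


if __name__ == "__main__":
    print(put_policy_command("fs-EXAMPLE", READ_ONLY_POLICY))  # fs-EXAMPLE is a placeholder
```

The checks are deliberately limited to what this page states; the service's own validation (for example of unknown action names or principal formats) still runs when the command is executed.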

# Deleting file system policies

You can delete a file system policy using the Amazon S3 console and the AWS CLI.

## Using the S3 console


This section explains how to use the Amazon S3 console to delete a file system policy for S3 Files.

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation bar at the top of the page, verify you are in the AWS Region where your file system exists.

1. In the left navigation pane, choose **File systems**.

1. Choose your file system.

1. Select the **Permissions** tab and select **Delete**.

1. In the confirmation window, type **confirm** and choose **Delete**.

## Using the AWS CLI


The following `delete-file-system-policy` example command shows how you can use the AWS CLI to delete a file system policy for S3 Files.

```
aws s3files delete-file-system-policy --file-system-id file-system-id
```

# Creating access points for an S3 file system

Access points are application-specific entry points to a file system that simplify managing data access at scale for shared datasets. You can use access points to enforce user identities and permissions for all file system requests that are made through the access point. Additionally, access points can restrict clients to only access data within a specified root directory and its subdirectories. When you create a file system using the AWS Management Console, S3 Files automatically creates one access point for the file system.

A file system can have a maximum of 10,000 access points unless you request an increase. For more information, see [Unsupported features, limits, and quotas](s3-files-quotas.md). You can create access points using the S3 console, AWS CLI, or AWS SDK.

Access points for an S3 file system cannot be edited after creation. If you want to make updates, you have to delete the existing access point and create a new one.

## Using the S3 console


This section explains how to use the Amazon S3 console to create an access point for an S3 file system.

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation bar at the top of the page, verify you are in the AWS Region of the file system for which you want to create an access point.

1. In the left navigation pane, choose **File systems**.

1. Choose your desired file system.

1. Select the **Access points** tab and select **Create access point**.

1. On the Create page, enter a **Name** for the access point.

1. (Optional) Specify a root directory path for the access point. Clients using this access point will be limited to this directory and its subdirectories. By default, S3 Files assumes the root directory for the access point to be the root directory of the file system.

1. (Optional) In the **POSIX user** panel, you can specify the full POSIX identity to use to enforce user and group information for all file operations by clients that are using the access point.
   + **User ID** – Enter a numeric POSIX user ID for the user.
   + **Group ID** – Enter a numeric POSIX group ID for the user.
   + **Secondary group IDs** – Enter an optional comma-separated list of secondary group IDs.

1. (Optional) For **Root directory creation permissions**, you can specify the permissions to use when S3 Files creates the root directory path, if specified and the root directory doesn't already exist.
**Note**  
If you don't specify any root directory ownership and permissions, and the root directory does not already exist, S3 Files will not create the root directory. Any attempts to mount the file system by using the access point will fail.
   + **Owner user ID** – Enter the numeric POSIX user ID to use as the root directory owner.
   + **Owner group ID** – Enter the numeric POSIX group ID to use as the root directory owner group.
   + **Permissions** – Enter the Unix mode of the directory. A common configuration is 755. Ensure that the execute bit is set for the access point user so that they are able to mount.

1. (Optional) Under **Tags**, you can choose to add tags to your access point.

1. Choose **Create access point**.

## Using the AWS CLI


The following `create-access-point` example command shows how you can use the AWS CLI to create an access point for an S3 file system.

```
aws s3files create-access-point --file-system-id file-system-id --root-directory root-directory --posix-user posix-user
```

For example:

```
aws s3files create-access-point --file-system-id fs-abcdef0123456789a --client-token 010102020-3 \
  --root-directory "Path=/s3files/mobileapp/east,CreationInfo={OwnerUid=0,OwnerGid=11,Permissions=775}" \
  --posix-user "Uid=22,Gid=4" \
  --tags Key=Name,Value=east-users
```

**Note**  
If multiple requests to create access points on the same file system are sent in quick succession, and the file system is nearing the access points limit, you may experience a throttling response for these requests. This is to ensure that the file system does not exceed the access point quota.
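Added example (not AWS or S3 Files code): the `--root-directory` and `--posix-user` shorthand strings in the CLI example above encode, respectively, the ownership and mode S3 Files uses when it creates the root directory and the identity it enforces for clients. The Python script below parses those two strings and checks that the enforced user holds the execute bit on the root directory under the usual owner/group/other rule, since the page notes that bit is required for mounting; it also flags a root directory given without `CreationInfo`, which S3 Files will not create. Modelling the check as plain Unix mode classes, with no special treatment of UID 0, is an assumption of this example.

```python
"""Parse the --root-directory / --posix-user shorthand from the CLI example
and check that the enforced POSIX user can traverse the root directory that
S3 Files would create.  Added example, not S3 Files or AWS CLI code."""
import stat


def parse_shorthand(text):
    """Parse AWS CLI shorthand ('Path=/x,CreationInfo={OwnerUid=0,Permissions=775}')
    into a dict.  A {...} value becomes a nested dict; a bare token after a
    key (SecondaryGids=11,12) extends that key's value into a list."""
    tokens, token, depth = [], "", 0
    for ch in text:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == "," and depth == 0:
            tokens.append(token)
            token = ""
        else:
            token += ch
    tokens.append(token)

    result, last = {}, None
    for tok in tokens:
        if "=" in tok:
            key, value = tok.split("=", 1)
            if value.startswith("{") and value.endswith("}"):
                result[key] = parse_shorthand(value[1:-1])
            else:
                result[key] = value
            last = key
        elif last is not None:
            prev = result[last]
            result[last] = (prev if isinstance(prev, list) else [prev]) + [tok]
    return result


def can_traverse(posix_user, creation_info):
    """Does the access point user hold the execute (search) bit on the root
    directory?  Classic owner/group/other selection; this example does not
    model any special handling of UID 0 (assumption)."""
    uid = int(posix_user["Uid"])
    secondary = posix_user.get("SecondaryGids", [])
    secondary = secondary if isinstance(secondary, list) else [secondary]
    groups = {int(posix_user["Gid"])} | {int(g) for g in secondary}
    mode = int(creation_info["Permissions"], 8)  # shorthand carries an octal string
    if uid == int(creation_info["OwnerUid"]):
        return bool(mode & stat.S_IXUSR)
    if int(creation_info["OwnerGid"]) in groups:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def check_access_point_args(root_directory, posix_user):
    """Return (ok, message) for the two shorthand strings given to create-access-point."""
    root = parse_shorthand(root_directory)
    user = parse_shorthand(posix_user)
    path = root.get("Path", "/")
    if "CreationInfo" not in root:
        return False, (f"no CreationInfo for {path}: S3 Files will not create it, "
                       "and mounts fail unless the directory already exists")
    info = root["CreationInfo"]
    if can_traverse(user, info):
        return True, f"user {user['Uid']} can traverse {path} (mode {info['Permissions']})"
    return False, (f"user {user['Uid']} lacks the execute bit on {path} "
                   f"(mode {info['Permissions']}); mounts through this access point fail")


if __name__ == "__main__":
    # Values from the create-access-point example on this page.
    print(check_access_point_args(
        "Path=/s3files/mobileapp/east,CreationInfo={OwnerUid=0,OwnerGid=11,Permissions=775}",
        "Uid=22,Gid=4"))
```

With the page's values (owner 0:11, mode 775, user 22:4) the user falls into the "other" class and the `5` grants search, so the check passes; with mode 770 the same user could not mount, unless group 11 is added to the user's secondary group IDs.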

# Deleting access points for an S3 file system

When deleting an access point, make sure no applications are actively using the access point before deletion to avoid service disruption. Once deleted, the access point and its configuration are permanently removed.

## Using the S3 console


This section explains how to use the Amazon S3 console to delete an access point for S3 Files.

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation bar at the top of the page, verify you are in the AWS Region of the file system which has the access point that you want to delete.

1. In the left navigation pane, choose **General purpose buckets**.

1. Choose a general purpose bucket your file system is attached to.

1. Select the **File systems** tab and select the file system you wish to use.

1. Select the **Access points** tab and select the access point you wish to delete.

1. Choose **Delete**.

1. In the confirmation window, type **confirm** and choose **Delete**.

## Using the AWS CLI


The following `delete-access-point` example command shows how you can use the AWS CLI to delete an access point for S3 Files.

```
aws s3files delete-access-point --access-point-id access-point-id
```

# Tagging S3 Files resources

To help you manage your S3 Files resources, you can assign your own metadata to each resource in the form of tags. With tags, you can categorize your AWS resources in different ways, for example, by purpose, owner, or environment. This categorization is useful when you have many resources of the same type, because you can quickly identify a specific resource based on the tags that you've assigned to it. You can tag S3 file system and access point resources that already exist in your account. This topic describes tags and shows you how to create them.

## Tag restrictions


The following basic restrictions apply to tags:
+ Maximum number of tags per resource – 50
+ For each resource, each tag key must be unique, and each tag key can have only one value.
+ Maximum key length – 128 Unicode characters in UTF-8
+ Maximum value length – 256 Unicode characters in UTF-8
+ The allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: `+ - = . _ : / @`.
+ Tag keys and values are case-sensitive.
+ The `aws:` prefix is reserved for AWS use. If a tag has a tag key with this prefix, then you can't edit or delete the tag's key or value. Tags with the `aws:` prefix do not count against your tags per resource limit.

You can't update or delete a resource based solely on its tags; you must specify the resource identifier. For example, to delete file systems that you tagged with a tag key called `DeleteMe`, you must use the `DeleteFileSystem` action with the resource identifiers of the file system, such as the file system ID.

When you tag public or shared resources, the tags that you assign are available only to your AWS account. No other AWS account will have access to those tags. For tag-based access control to shared resources, each AWS account must assign its own set of tags to control access to the resource.
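Added example (not AWS code): a Python validator that applies the restrictions listed above to a set of tags before they are passed to `tag-resource`, and renders them in the `Key=...,Value=...` shorthand used in the access point example earlier on this page. The 50-tag limit is checked against existing and new tags merged, on the reading that `tag-resource` updates a key that already exists rather than adding one; that merge semantics, and using `\w` for "letters and numbers", are this example's interpretation of the listed rules.

```python
"""Check a set of tags against the S3 Files tag restrictions before calling
`aws s3files tag-resource`.  Added example, not AWS code."""
import re

MAX_TAGS_PER_RESOURCE = 50
MAX_KEY_LEN = 128
MAX_VALUE_LEN = 256
RESERVED_PREFIX = "aws:"
# Letters, digits and underscore via \w (Unicode-aware), plus space and + - = . : / @
ALLOWED = re.compile(r"[\w +\-=.:/@]*")


def _bad_chars(text):
    return sorted({c for c in text if not ALLOWED.fullmatch(c)})


def validate_tags(new_tags, existing_tags=None):
    """Return a list of findings (empty when the tags are acceptable).

    `new_tags` and `existing_tags` map key -> value.  Keys are compared
    case-sensitively, so 'Env' and 'env' are two distinct tags.  The per-resource
    limit is applied to existing and new tags merged, because tag-resource
    updates a key that already exists instead of adding one (assumption)."""
    findings = []
    merged = dict(existing_tags or {})
    for key, value in new_tags.items():
        if key.startswith(RESERVED_PREFIX):
            findings.append(f"{key!r}: the {RESERVED_PREFIX} prefix is reserved for AWS; "
                            "such tags cannot be set, edited or deleted")
            continue
        if not key:
            findings.append("empty tag key")
        if len(key) > MAX_KEY_LEN:
            findings.append(f"{key!r}: key is {len(key)} characters, limit is {MAX_KEY_LEN}")
        if len(value) > MAX_VALUE_LEN:
            findings.append(f"{key!r}: value is {len(value)} characters, limit is {MAX_VALUE_LEN}")
        for part, text in (("key", key), ("value", value)):
            bad = _bad_chars(text)
            if bad:
                findings.append(f"{key!r}: {part} contains disallowed characters {bad}")
        merged[key] = value
    # Tags carrying the aws: prefix do not count against the per-resource limit.
    user_tags = [k for k in merged if not k.startswith(RESERVED_PREFIX)]
    if len(user_tags) > MAX_TAGS_PER_RESOURCE:
        findings.append(f"{len(user_tags)} tags would exceed the limit of "
                        f"{MAX_TAGS_PER_RESOURCE} per resource")
    return findings


def tags_shorthand(tags):
    """Render tags in the Key=...,Value=... shorthand used on this page
    (e.g. --tags Key=Name,Value=east-users).  Only validated tags are rendered:
    a comma would break the shorthand, and it is not an allowed character."""
    problems = validate_tags(tags)
    if problems:
        raise ValueError("; ".join(problems))
    return [f"Key={k},Value={v}" for k, v in tags.items()]


if __name__ == "__main__":
    print(tags_shorthand({"Name": "east-users", "Environment": "prod"}))
```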

## Using the S3 console


You can use the S3 Files console to manage tags on your resources.
+ Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).
+ In the navigation bar at the top of the page, verify you are in your desired AWS Region.
+ In the left navigation pane, choose **File systems**.
+ You can specify tags for a resource when you create the resource, such as an S3 file system or an access point. Or, you can add, modify, or delete tags after creation by going to the properties of the resource.

## Using the AWS CLI


If you're using the S3 Files API, the AWS CLI, or an AWS SDK, you can use the `TagResource` S3 Files API action to apply tags to existing resources. Additionally, some resource-creating actions enable you to specify tags for a resource when the resource is created, such as when you create a file system.

The AWS CLI commands for managing tags, and the equivalent S3 Files API actions, are listed in the following table.


| CLI command | Description | Equivalent API operation | 
| --- | --- | --- | 
| tag-resource | Add new tags or update existing tags | TagResource | 
| list-tags-for-resource | Retrieve existing tags | ListTagsForResource | 
| untag-resource | Delete existing tags | UntagResource | 