AWS EBS and EFS — Block Storage, Shared Filesystems, and FSx
A full walkthrough of AWS block and file storage — EBS volume types, snapshots, encryption, EFS shared filesystems, performance modes, and Amazon FSx
Storage Types on AWS
AWS offers three categories of storage:
| Type | Service | Use Case |
|---|---|---|
| Object storage | S3 | Files, images, backups, static websites |
| Block storage | EBS | OS disks, databases, anything needing a filesystem |
| File storage | EFS, FSx | Shared filesystems across multiple EC2 instances |
EBS — Elastic Block Store
EBS provides persistent block storage for EC2 instances. It behaves like a hard drive — you format it, mount it, and use it like a local disk. Unlike instance store, EBS volumes persist independently of the instance lifecycle. When you stop or terminate an instance, the EBS root volume is retained (unless you configured “delete on termination”).
Key Properties
- Lives in a single Availability Zone — cannot be attached to instances in a different AZ
- Can be detached from one instance and re-attached to another (same AZ)
- Supports snapshots — point-in-time backups stored in S3
- One EBS volume can only attach to one EC2 instance at a time (except io1/io2 multi-attach)
- EBS Optimized instances dedicate network bandwidth exclusively to EBS I/O
EBS Volume Types
📸 SCREENSHOT: EC2 → Elastic Block Store → Volumes → Create Volume. Show the volume type dropdown with the options listed, and the Size/IOPS/Throughput fields that appear when gp3 is selected.
SSD Volumes
| Type | IOPS | Throughput | Use Case |
|---|---|---|---|
| gp3 (General Purpose) | Up to 16,000 | Up to 1,000 MB/s | Default choice — OS, web servers, dev |
| gp2 (older General Purpose) | Up to 16,000 | Up to 250 MB/s | Legacy — prefer gp3 |
| io2 Block Express | Up to 256,000 | Up to 4,000 MB/s | Mission-critical databases (SAP, Oracle) |
| io1 | Up to 64,000 | Up to 1,000 MB/s | High-performance databases |
gp3 vs gp2: gp3 is cheaper and lets you configure IOPS and throughput independently. With gp2, IOPS scales automatically with volume size (3 IOPS/GB, max 16,000 at 5,334 GB). With gp3, you get 3,000 IOPS baseline and can provision up to 16,000 IOPS regardless of size.
HDD Volumes
| Type | Throughput | Use Case |
|---|---|---|
| st1 (Throughput Optimised) | Up to 500 MB/s | Sequential reads — Hadoop, ETL, log processing |
| sc1 (Cold) | Up to 250 MB/s | Infrequent access, lowest cost |
HDD volumes cannot be boot volumes. Use them for large sequential workloads where cost matters more than IOPS.
```bash
# Create a gp3 volume with custom IOPS and throughput
aws ec2 create-volume \
  --volume-type gp3 \
  --size 200 \
  --iops 6000 \
  --throughput 400 \
  --availability-zone eu-west-1a \
  --encrypted \
  --kms-key-id arn:aws:kms:eu-west-1:123456789012:key/mrk-abc123

# Modify a running volume (live resize, no downtime)
aws ec2 modify-volume \
  --volume-id vol-0abc123 \
  --size 500 \
  --iops 10000

# Attach to an instance
aws ec2 attach-volume \
  --volume-id vol-0abc123 \
  --instance-id i-0abc123 \
  --device /dev/sdf

# After attach, format and mount (on the instance)
# lsblk                                    # find the device name
# mkfs -t xfs /dev/xvdf                    # format (first time only)
# mkdir /data
# mount /dev/xvdf /data
# echo '/dev/xvdf /data xfs defaults 0 0' >> /etc/fstab   # persist across reboots
```
EBS Snapshots
A snapshot is a point-in-time backup of an EBS volume, stored in S3 (managed by AWS, not visible in your S3 console). Snapshots are incremental — only the blocks that changed since the last snapshot are saved. You can create a volume from a snapshot in any AZ — this is how you migrate data across AZs or regions.
📸 SCREENSHOT: EC2 → Elastic Block Store → Snapshots → Create Snapshot. Show the volume selected, description field, and the resulting snapshot with status “completed” and size shown.
```bash
# Create a snapshot
aws ec2 create-snapshot \
  --volume-id vol-0abc123 \
  --description "Daily backup $(date +%Y-%m-%d)"

# List snapshots
aws ec2 describe-snapshots --owner-ids self --output table

# Create a volume from a snapshot (in a different AZ)
aws ec2 create-volume \
  --snapshot-id snap-0abc123 \
  --availability-zone eu-west-1b \
  --volume-type gp3

# Copy snapshot to another region (for DR)
aws ec2 copy-snapshot \
  --source-region eu-west-1 \
  --source-snapshot-id snap-0abc123 \
  --description "DR copy" \
  --region us-east-1

# Delete a snapshot
aws ec2 delete-snapshot --snapshot-id snap-0abc123
```
Amazon Data Lifecycle Manager (DLM)
DLM automates snapshot creation and deletion on a schedule.
```bash
aws dlm create-lifecycle-policy \
  --description "Daily EBS snapshots" \
  --state ENABLED \
  --execution-role-arn arn:aws:iam::123456789012:role/AWSDataLifecycleManagerDefaultRole \
  --policy-details '{
    "ResourceTypes": ["VOLUME"],
    "TargetTags": [{"Key": "Backup", "Value": "daily"}],
    "Schedules": [{
      "Name": "Daily",
      "CreateRule": {"Interval": 24, "IntervalUnit": "HOURS", "Times": ["03:00"]},
      "RetainRule": {"Count": 7}
    }]
  }'
```
EBS Encryption
EBS encryption uses AWS KMS to encrypt data at rest and in transit between the instance and volume. Encryption is transparent — your application sees unencrypted data; the EBS driver handles it.
```bash
# Create an encrypted volume
aws ec2 create-volume \
  --size 100 \
  --volume-type gp3 \
  --availability-zone eu-west-1a \
  --encrypted

# Enable encryption by default for all new volumes in the account
aws ec2 enable-ebs-encryption-by-default

# Encrypt an existing unencrypted volume:
# 1. Create a snapshot of the volume
# 2. Copy the snapshot with encryption enabled
aws ec2 copy-snapshot \
  --source-region eu-west-1 \
  --source-snapshot-id snap-0abc123 \
  --encrypted \
  --region eu-west-1
# 3. Create a new volume from the encrypted snapshot
# 4. Detach old volume, attach new volume
```
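Before running the migration above, it helps to know which volumes are still unencrypted and which instances will need a detach/attach window. The script below is an added example, not part of the original walkthrough; it assumes the tab-separated text output of `aws ec2 describe-volumes` with the `--query` shown in its comments, and the sample rows and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find the volumes that still need the snapshot-copy migration.
# Real input is tab-separated text (booleans print as True/False, nulls as None):
#   aws ec2 describe-volumes --output text --query \
#     'Volumes[].[VolumeId,Encrypted,AvailabilityZone,Attachments[0].InstanceId]'

# Constructed sample rows; every ID is a placeholder, not a real resource.
sample_volumes() {
  printf 'vol-0aaa111\tTrue\teu-west-1a\ti-0abc123\n'
  printf 'vol-0bbb222\tFalse\teu-west-1a\ti-0abc123\n'
  printf 'vol-0ccc333\tFalse\teu-west-1b\tNone\n'
  printf 'vol-0ddd444\tFalse\teu-west-1a\ti-0abc123\n'
  printf 'vol-0eee555\tFalse\teu-west-1b\ti-0def456\n'
}

# One line per unencrypted volume: <volume> <az> <unattached|attached:instance>
unencrypted_volumes() {
  awk -F'\t' '$2 == "False" {
    where = ($4 == "None") ? "unattached" : "attached:" $4
    print $1, $3, where
  }'
}

# Instances that need a maintenance window for the detach/attach step.
instances_to_schedule() {
  unencrypted_volumes |
    awk '$3 != "unattached" { sub(/^attached:/, "", $3); print $3 }' | sort -u
}

# Gate for CI or a scheduled job: status 1 while any unencrypted volume remains.
audit_volumes() {
  findings=$(unencrypted_volumes)
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

sample_volumes | audit_volumes || echo "unencrypted volumes remain" >&2
```

The AZ column matters because the replacement volume in step 3 must be created in the same AZ as the instance it will be attached to.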
Multi-Attach
io1 and io2 volumes support Multi-Attach — the same volume can be attached to up to 16 Nitro-based EC2 instances in the same AZ simultaneously. Each instance has full read/write access. You must use a filesystem that supports concurrent writes (like a cluster filesystem) — standard filesystems like ext4/XFS are not safe for multi-attach. Use for clustered applications: Oracle RAC, custom HA database solutions.
EFS — Elastic File System
EFS is a managed NFS (Network File System) service. Unlike EBS (which attaches to one instance), EFS can be mounted on hundreds or thousands of EC2 instances simultaneously — and from multiple AZs. It grows and shrinks automatically — you don’t provision capacity.
EFS vs EBS
| | EBS | EFS |
|---|---|---|
| Protocol | Block | NFS (NFSv4) |
| Attach to | One EC2 instance (io1/io2: up to 16) | Thousands of EC2 instances, Lambda, ECS, EKS |
| Availability | Single AZ | Multi-AZ (within a region) |
| Capacity | You provision size | Scales automatically |
| OS support | Any | Linux only (Windows requires FSx) |
| Use case | Databases, OS disks | Shared content, web serving, CMS, ML training data |
EFS Concepts
Performance Modes
| Mode | Use Case |
|---|---|
| General Purpose | Default — latency-sensitive workloads (web serving, CMS, home directories) |
| Max I/O | Massively parallel workloads — higher throughput, slightly higher latency (big data, media) |
Throughput Modes
| Mode | Behaviour |
|---|---|
| Elastic | Automatically scales throughput based on workload — default, pay-per-use |
| Provisioned | You set a fixed throughput level — use when your workload exceeds elastic limits |
| Bursting | Throughput scales with filesystem size — legacy option |
Storage Classes
| Class | Use Case | Availability |
|---|---|---|
| Standard | Frequently accessed files | Multi-AZ |
| Standard-IA | Infrequent access — lower cost, small retrieval fee | Multi-AZ |
| One Zone | Frequently accessed, single AZ | Single AZ (lower cost) |
| One Zone-IA | Infrequent access, single AZ | Single AZ (lowest cost) |
Use lifecycle policies to automatically move files to Standard-IA after N days of no access.
EFS Setup
📸 SCREENSHOT: EFS → Create File System. Show the VPC selection, regional vs One Zone availability, and the performance settings section.
```bash
# Create an EFS filesystem
aws efs create-file-system \
  --performance-mode generalPurpose \
  --throughput-mode elastic \
  --encrypted \
  --tags Key=Name,Value=shared-storage

# Create mount targets (one per AZ — EFS needs to be reachable in each AZ you use)
aws efs create-mount-target \
  --file-system-id fs-0abc123 \
  --subnet-id subnet-private-1a \
  --security-groups sg-efs

aws efs create-mount-target \
  --file-system-id fs-0abc123 \
  --subnet-id subnet-private-1b \
  --security-groups sg-efs

# Mount on an EC2 instance (NFS)
# Install EFS utils first: yum install -y amazon-efs-utils
mkdir /mnt/efs
mount -t efs fs-0abc123:/ /mnt/efs

# Mount with IAM authorization and encryption in transit
mount -t efs -o tls,iam fs-0abc123:/ /mnt/efs

# Persist in /etc/fstab
echo 'fs-0abc123:/ /mnt/efs efs _netdev,tls,iam 0 0' >> /etc/fstab
```
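The plain `mount -t efs` line and the `tls,iam` line above behave very differently on the wire, and the difference is easy to lose once entries land in `/etc/fstab`. The following check is an added example, not part of the original walkthrough; it reads fstab-formatted text on stdin and reports EFS mounts that lack `tls`, `iam` or `_netdev`. The sample fstab and its file system IDs are constructed.

```shell
#!/bin/sh
# Added example: audit fstab entries that mount EFS.
# Run against a host with:  audit_efs_fstab < /etc/fstab

# Constructed sample fstab; file system IDs and paths are placeholders.
sample_fstab() {
  cat <<'EOF'
# /etc/fstab (constructed sample)
UUID=1111-2222 / xfs defaults 0 0

fs-0abc123:/ /mnt/efs efs _netdev,tls,iam 0 0
fs-0def456:/ /mnt/media efs _netdev 0 0
fs-0aaa789.efs.eu-west-1.amazonaws.com:/ /mnt/legacy nfs4 nfsvers=4.1,hard 0 0
fs-0bbb012:/ /mnt/app1 efs tls,iam,accesspoint=fsap-0abc123 0 0
EOF
}

audit_efs_fstab() {
  awk '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    {
      is_efs = ($3 == "efs")                     # mounted through the EFS mount helper
      is_nfs = ($3 ~ /^nfs4?$/ && $1 ~ /\.efs\.[a-z0-9-]+\.amazonaws\.com:/)
      if (!is_efs && !is_nfs) next
      opts = "," $4 ","                          # pad so each option matches whole
      if (is_nfs) {
        print $2 ": plain NFS mount of EFS, mount helper options tls/iam not in effect"
      } else {
        if (!index(opts, ",tls,")) print $2 ": missing tls (NFS traffic unencrypted in transit)"
        if (!index(opts, ",iam,")) print $2 ": missing iam (no IAM authorization on mount)"
      }
      if (!index(opts, ",_netdev,")) print $2 ": missing _netdev (mount may be tried before network is up)"
    }'
}

sample_fstab | audit_efs_fstab
```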
EFS Security Group Rules
The EFS mount target needs to accept NFS traffic (port 2049) from your EC2 instances:
```
EFS Mount Target Security Group:
  Inbound:  TCP 2049 from EC2 Security Group
  Outbound: all (default)

EC2 Security Group:
  Outbound: TCP 2049 to EFS Mount Target Security Group
```
EFS Access Points
Access Points are named entry points into an EFS filesystem with a specific path, POSIX user identity, and permissions. Use access points to give different applications isolated access to the same filesystem.
```bash
# Create an access point rooted at /data/app1
aws efs create-access-point \
  --file-system-id fs-0abc123 \
  --root-directory 'Path=/data/app1,CreationInfo={OwnerUid=1000,OwnerGid=1000,Permissions=755}' \
  --posix-user 'Uid=1000,Gid=1000'
```
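An access point only isolates applications if clients cannot bypass it, which is what a file system policy enforces. The script below is an added example, not part of the original walkthrough: it generates a policy that denies any non-TLS client and allows one role to mount and write only through its own access point. The role name `app1`, the access point ID and the function name are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: EFS file system policy tying one IAM role to one access point.
# Apply with:
#   aws efs put-file-system-policy --file-system-id fs-0abc123 \
#     --policy "$(efs_policy "$FS_ARN" "$ROLE_ARN" "$AP_ARN")"
# Clients then mount with:
#   mount -t efs -o tls,iam,accesspoint=fsap-0abc123 fs-0abc123:/ /mnt/efs

# Placeholder ARNs (constructed; substitute your own account, role and IDs).
FS_ARN=arn:aws:elasticfilesystem:eu-west-1:123456789012:file-system/fs-0abc123
ROLE_ARN=arn:aws:iam::123456789012:role/app1
AP_ARN=arn:aws:elasticfilesystem:eu-west-1:123456789012:access-point/fsap-0abc123

efs_policy() {   # usage: efs_policy <fs-arn> <role-arn> <access-point-arn>
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedTransport",
      "Effect": "Deny",
      "Principal": {"AWS": "*"},
      "Action": "*",
      "Resource": "$1",
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    },
    {
      "Sid": "App1ViaItsAccessPointOnly",
      "Effect": "Allow",
      "Principal": {"AWS": "$2"},
      "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
      "Resource": "$1",
      "Condition": {"StringEquals": {"elasticfilesystem:AccessPointArn": "$3"}}
    }
  ]
}
EOF
}

efs_policy "$FS_ARN" "$ROLE_ARN" "$AP_ARN"
```

Because the only Allow statement names a role and an access point, a client that mounts without the `iam` option, or with `iam` but without that access point, is not granted access by this policy.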
Amazon FSx
FSx is a family of managed filesystem services for Windows and high-performance workloads. EFS is Linux-only NFS; FSx covers the rest.
| Service | Protocol | Use Case |
|---|---|---|
| FSx for Windows File Server | SMB | Windows workloads, Active Directory integration, NTFS |
| FSx for Lustre | Lustre (POSIX) | HPC, ML training, video rendering — very high throughput |
| FSx for NetApp ONTAP | NFS, SMB, iSCSI | Enterprise storage, multi-protocol, snapshots, clones |
| FSx for OpenZFS | NFS | High-performance NFS with ZFS snapshots and clones |
FSx for Windows File Server
The go-to choice for Windows workloads that need shared file storage:
- Integrates with AWS Managed Microsoft AD or self-managed Active Directory
- Supports SMB protocol (Windows native file sharing)
- Supports DFS Namespaces for scaling across multiple file systems
- Supports Microsoft DFSR for replication
FSx for Lustre
Designed for workloads that need massive throughput — ML training on large datasets, HPC simulations, video rendering. Can integrate directly with S3 — lazy-loads S3 objects into Lustre on first access, writes results back to S3.
Choosing the Right Storage
| Need | Use |
|---|---|
| EC2 root volume / database | EBS (gp3 default, io2 for high IOPS) |
| Shared storage across Linux EC2s | EFS |
| Shared storage for Windows EC2s | FSx for Windows File Server |
| HPC / ML training data | FSx for Lustre |
| Backups of EC2 volumes | EBS Snapshots |
| Backup orchestration across services | AWS Backup |
| Cold archive | EBS snapshot → S3 Glacier |
Quick Reference
```bash
# EBS
aws ec2 describe-volumes --output table
aws ec2 describe-volumes --filters "Name=attachment.instance-id,Values=i-0abc123"
aws ec2 describe-snapshots --owner-ids self --output table

# Create snapshot of all volumes on an instance
INSTANCE_ID=i-0abc123
for VOL in $(aws ec2 describe-instances --instance-ids "$INSTANCE_ID" \
  --query 'Reservations[0].Instances[0].BlockDeviceMappings[*].Ebs.VolumeId' \
  --output text); do
  aws ec2 create-snapshot --volume-id "$VOL" --description "Backup $VOL"
done

# EFS
aws efs describe-file-systems --output table
aws efs describe-mount-targets --file-system-id fs-0abc123

# FSx
aws fsx describe-file-systems --output table
```