Troubleshooting Efs
Diagnose Amazon EFS mount failures, NFS timeouts, permission denials, and throughput or burst-credit problems on EC2 or container workloads.
Overview
Troubleshooting EFS is an agent skill for the Operate phase that diagnoses and resolves Amazon EFS mount failures, NFS connectivity, permissions, throughput, and burst-credit issues.
Install
npx skills add https://github.com/aws/agent-toolkit-for-aws --skill troubleshooting-efsWhat is this skill?
- Maps symptoms to categories: missing NFS client, network/security groups, access denied, throughput, and encryption issu
- Requires aws CLI verification and amazon-efs-utils or nfs-utils on the instance before deeper diagnosis.
- MUST NOT run destructive or mutating commands during tool verification; write commands need user confirmation.
- Grounded in official AWS EFS troubleshooting documentation for mount and performance paths.
- Step-by-step flow from dependency check through issue classification and targeted fixes.
- Symptom classification table with at least categories A–C for client, network, and access-denied patterns
- Documented skill version 1
Adoption & trust: 841 installs on skills.sh; 819 GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your workload cannot mount EFS, NFS calls time out, users see access denied, or file performance collapsed and you need a classified fix path—not random mount retries.
Who is it for?
Solo builders or small teams operating EC2/EKS/apps on EFS who need guided diagnosis with explicit consent before mutating mounts or security rules.
Skip if: Greenfield EFS architecture design, non-AWS file systems, or hands-off automation without reviewing proposed write commands.
When should I use this skill?
User has an EFS file system that is not mounting, returning errors, performing slowly, or showing access denied.
What do I get? / Deliverables
You get a categorized root cause (client, network, permissions, performance, encryption), verified tooling, and user-confirmed remediation steps aligned with AWS EFS troubleshooting docs.
- Classified issue category and recommended remediation steps
- Dependency verification report (aws CLI, efs/nfs utils)
- User-approved command list before mutating mounts or security configuration
Recommended Skills
Journey fit
Operate is the canonical shelf because the skill exists for live production symptoms—mount hangs, access denied, and slow NFS—not greenfield storage design. Errors subphase matches incident-style classification and remediation when shared file storage stops working or degrades.
How it compares
Focused EFS incident runbook inside AWS agent-toolkit, not a generic Linux NFS cheat sheet or Terraform provisioning skill.
Common Questions / FAQ
Who is troubleshooting-efs for?
Developers and indie operators running applications on Amazon EFS who hit mount errors, timeouts, permission failures, or throughput limits and want agent-guided diagnosis.
When should I use troubleshooting-efs?
Use it in Operate when EFS will not mount, NFS hangs or times out, the server returns access denied, or performance and burst credits look wrong; not for initial EFS provisioning design.
Is troubleshooting-efs safe to install?
The skill mandates non-destructive verification first and user confirmation before writes; still review the Security Audits panel on this page and treat AWS credential exposure as your responsibility.
SKILL.md
READMESKILL.md - Troubleshooting Efs
# Troubleshooting EFS ## Overview Domain expertise for diagnosing and resolving Amazon EFS issues. Covers mount failures, NFS connectivity, IAM and POSIX permissions, throughput and performance, and encryption problems. For authoritative guidance, see [EFS Troubleshooting](https://docs.aws.amazon.com/efs/latest/ug/troubleshooting.html). ## Common Tasks ### 0. Verify Dependencies - You MUST verify `aws` CLI is available - You MUST check if `amazon-efs-utils` or `nfs-utils` is installed on the instance - You MUST ONLY check for tool existence and version — MUST NOT execute destructive or mutating commands during verification - You MUST inform the user if any required tools are missing - You MUST respect the user's decision to abort if tools are unavailable - You SHOULD explain what each step does and why before executing it - You SHOULD display write commands and wait for user confirmation before executing ### 1. Classify the Issue | Symptom | Category | |---|---| | "wrong fs type" or mount command fails | A: Missing NFS Client | | Connection timed out (hangs 2+ min) | B: Network/Security Group | | "access denied by server" | C: IAM/Permissions | | Slow throughput or high latency | D: Performance | | NFS server error on encrypted FS | E: Encryption/KMS | | DNS name resolution fails | F: VPC DNS | ### 2. Category A — Missing NFS Client ```bash # Amazon Linux / RHEL / CentOS sudo yum -y install amazon-efs-utils # preferred (includes mount helper + TLS) # OR sudo yum -y install nfs-utils # Ubuntu / Debian sudo apt-get install nfs-common ``` ### 3. Category B — Network/Security Group Connection timeout is the #1 EFS mount failure — almost always security groups. 1. Verify mount target exists in the instance's AZ: ```bash aws efs describe-mount-targets --file-system-id fs-ID --region REGION ``` 1. Verify security groups — check BOTH directions: - Mount target SG: `aws ec2 describe-security-groups --group-ids sg-MT` — MUST have inbound TCP 2049 from compute SG - Compute SG: MUST have outbound TCP 2049 to mount target SG - Quick fix: `aws ec2 authorize-security-group-ingress --group-id sg-MT --protocol tcp --port 2049 --source-group sg-COMPUTE` 2. Test connectivity: ```bash nc -zv fs-ID.efs.REGION.amazonaws.com 2049 ``` > **Note:** These security group troubleshooting steps also apply to S3 Files. The only difference is S3 Files uses `aws s3files list-mount-targets` instead of `aws efs describe-mount-targets`. ### 4. Category C — IAM/Permissions **"access denied by server" with `-o iam`:** - Check identity-based IAM policy has `elasticfilesystem:ClientMount` - Check file system resource policy: ```bash aws efs describe-file-system-policy --file-system-id fs-ID --region REGION ``` **Note:** IAM authorization is only enforced when a file system policy exists that requires it. Without a file system policy, any client in the VPC with port 2049 access can mount — even with `-o iam`. To enforce IAM, you MUST create a file system policy that denies anonymous access. **POSIX permission denied (not IAM):** - Check file/directory ownership: `ls -la /mnt/efs/` - Use access points to enforce UID/GID for consistent permissions ### 5. Category D — Performance **Check throughput mode:** ```bash aws efs describe-file-systems --file-system-id fs-ID --region REGION --query 'FileSystems[0].ThroughputMode' ``` **Burst credit exhaustion (Bursting mode only):** ```bash aws cloudwatch get-metric-statistics --namespace AWS/EFS --metric-name BurstCreditBalance --dimensions Name=FileSystemId,Value=fs-ID --period 3600 --statistics Average --start-time $(date -u -d '24 hours ago' +%Y-