
Troubleshooting S3 Files
Diagnose Amazon S3 Files mount, permission, sync, and performance failures when production or staging file access breaks.
Install
npx skills add https://github.com/aws/agent-toolkit-for-aws --skill troubleshooting-s3-files
What is this skill?
- Symptom-to-category matrix (client install, network/SG, IAM, sync, performance)
- Requires AWS CLI with s3files support and valid credentials before destructive steps
- Maps mount hangs, timeouts, access denied, and lost+found anomalies to runbooks
- Aligns workflow with official AWS S3 Files troubleshooting documentation
Adoption & trust: 1k installs on skills.sh; 819 GitHub stars; 2/3 security scanners passed (skills.sh audits).
Common Questions / FAQ
Is Troubleshooting S3 Files safe to install?
skills.sh reports 2 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.
SKILL.md
# Troubleshooting S3 Files

## Overview

Diagnoses and resolves Amazon S3 Files issues: mount failures, IAM permissions, synchronization, conflict resolution, and performance. For authoritative guidance, see [S3 Files Troubleshooting](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-files-troubleshooting.html).

## Common Tasks

### 0. Verify Dependencies

- You MUST verify `aws` CLI is available with `s3files` subcommand support
- You MUST confirm valid AWS credentials
- You MUST ONLY check for tool existence and version — MUST NOT execute destructive or mutating commands during verification
- You MUST inform the user if any required tools are missing
- You MUST respect the user's decision to abort if tools are unavailable
- You SHOULD explain steps before executing and wait for user confirmation on write commands

### 1. Classify the Issue

| Symptom | Category |
|---|---|
| mount.s3files: command not found | A: Client Installation |
| Connection timed out during mount | B: Network/Security Group |
| Mount hangs indefinitely (no timeout) | B: Network/Security Group |
| Access denied during mount | C: IAM Permissions |
| File system stuck in "creating" | C: IAM Permissions |
| Permission denied on file operations | C: IAM Permissions |
| Files not appearing in S3 after write | D: Synchronization |
| Files in .s3files-lost+found directory | E: Conflict Resolution |
| Slow reads or high latency | F: Performance |
| NFS server error | G: Encryption/KMS |
| DNS name resolution fails | H: VPC DNS |

### 2. Category A — Client Installation

`mount.s3files: command not found` means `amazon-efs-utils` is missing or < v3.0.0.

```bash
sudo yum -y install amazon-efs-utils  # Amazon Linux
```

### 3. Category B — Network/Security Group

Connection timeout is the #1 mount failure — almost always security groups.
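For the security-group cause named above, this added example (not part of the skill) checks `aws ec2 describe-security-groups` output for the TCP 2049 rules in both directions between the compute and mount target groups. The sample JSON is constructed, `sg-MT` and `sg-COMPUTE` are the page's placeholders, and only group-to-group rules are evaluated; CIDR-based rules are ignored.

```python
import json

NFS_PORT = 2049  # port the runbook requires between compute and mount target

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-MT",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "UserIdGroupPairs": [{"GroupId": "sg-COMPUTE"}]}],
   "IpPermissionsEgress": []},
  {"GroupId": "sg-COMPUTE",
   "IpPermissions": [],
   "IpPermissionsEgress": [
     {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-MT"}]}]}
]}
""")


def allows(rules, peer_sg, port=NFS_PORT):
    """True if any rule permits TCP `port` with `peer_sg` as the referenced group."""
    for rule in rules:
        proto = rule.get("IpProtocol")
        # "-1" means all protocols and ports; otherwise the TCP range must cover the port.
        port_ok = proto == "-1" or (
            proto == "tcp" and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535))
        peers = {p.get("GroupId") for p in rule.get("UserIdGroupPairs", [])}
        if port_ok and peer_sg in peers:
            return True
    return False


def check_nfs_path(doc, mount_target_sg, compute_sg):
    """Return the list of missing rules; an empty list means both directions are open."""
    groups = {g["GroupId"]: g for g in doc["SecurityGroups"]}
    missing = []
    if not allows(groups[mount_target_sg].get("IpPermissions", []), compute_sg):
        missing.append(f"{mount_target_sg}: inbound tcp/{NFS_PORT} from {compute_sg}")
    if not allows(groups[compute_sg].get("IpPermissionsEgress", []), mount_target_sg):
        missing.append(f"{compute_sg}: outbound tcp/{NFS_PORT} to {mount_target_sg}")
    return missing


if __name__ == "__main__":
    for gap in check_nfs_path(SAMPLE, "sg-MT", "sg-COMPUTE"):
        print("MISSING", gap)
```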
Verify mount target exists in the instance's AZ:

```bash
aws s3files list-mount-targets --file-system-id fs-ID --region REGION
```

Cross-AZ mounting works but adds latency.

Verify security groups — most common fix:

- Mount target SG MUST have inbound TCP 2049 from compute SG
- Compute SG MUST have outbound TCP 2049 to mount target SG
- Fix: `aws ec2 authorize-security-group-ingress --group-id sg-MT --protocol tcp --port 2049 --source-group sg-COMPUTE`

Test connectivity:

```bash
nc -zv az-ID.fs-ID.s3files.REGION.on.aws 2049
```

> **Note:** These SG troubleshooting steps also apply to EFS — use `aws efs describe-mount-targets` instead.

**Mount hangs in isolated VPC**: If the VPC has no internet access, S3 Files requires a CloudWatch Logs VPC endpoint (`com.amazonaws.REGION.logs`) for mount to complete.

### 4. Category C — IAM Permissions

**File system stuck in "creating" status:** S3 Files does NOT validate IAM role permissions at creation time. Wrong trust policy or missing permissions → stuck in `creating` with access denied in `statusMessage`.

Check status:

```bash
aws s3files get-file-system --file-system-id fs-ID --region REGION
```

Check `statusMessage`. If access denied, fix the IAM role and delete/recreate.

**Mount access denied:** Compute role needs `s3files:ClientMount`. For dev/test only, `AmazonS3FilesClientFullAccess` is acceptable — avoid in production.

**Write permission denied:** Compute role needs `s3files:ClientWrite`

**Root access denied:** Compute role needs `s3files:ClientRootAccess`. ⚠️ Bypasses POSIX permissions — prefer access points with scoped POSIX users.

**Check file system policy:**

```bash
aws s3files get-file-system-policy --file-system-id fs-ID --region REGION
```

### 5. Category D —