AWS EFS vs EBS Multi-Attach – Shared Storage Guide

AWS EFS vs EBS Multi-Attach

AWS EFS vs EBS Multi-Attach

📝 Post Updated – June 2026

This post has been updated to reflect the latest EFS and EBS enhancements including EFS Archive storage class, Elastic Throughput performance improvements (up to 20 GiB/s read), EBS io2 Block Express with NVMe Reservations for Multi-Attach, and cross-account replication support.

EFS vs EBS Multi-Attach features

  • Elastic File System – EFS is a fully managed, serverless file storage service for use with Amazon compute (EC2, containers, serverless) and on-premises servers. EFS provides a file system interface, file system access semantics (such as strong consistency and file locking), and concurrently accessible storage for up to thousands of EC2 instances.
  • Elastic Block Store – EBS is a block-level storage service for use with EC2. EBS can deliver performance for workloads that require the lowest-latency access to data from a single EC2 instance. EBS Multi-Attach is supported on Provisioned IOPS SSD volumes (io1 and io2) for concurrent access from multiple instances.
  • Service type
    • Elastic File System is fully managed and serverless — automatically scales storage capacity up or down.
    • EBS needs to be managed by the user — requires provisioning capacity upfront.
  • Accessibility
    • EFS can be accessed concurrently from all AZs in the Region via mount targets. Also supports cross-Region and cross-account replication (Nov 2024).
    • EBS Multi-Attach can be accessed concurrently from instances within the same AZ only.
  • Data Scalability
    • EFS provides virtually unlimited data storage — scales automatically to petabytes.
    • EBS Multi-Attach has limits on the storage it can provide (io2 Block Express supports up to 64 TiB per volume).
  • Instance Scalability
    • EFS can be attached to tens, hundreds, or even thousands of compute instances concurrently.
    • EBS Multi-Attach enabled volumes can be attached to up to 16 Linux instances built on the Nitro System.
  • Supported Instances
    • EFS is compatible with all Linux-based AMIs for EC2, uses NFS v4.1 protocol (POSIX-compliant). EFS is not supported on Windows instances.
    • Multi-Attach enabled volumes can be attached to up to 16 instances built on the Nitro System that are in the same AZ. With NVMe Reservations (io2 volumes, Sept 2023), Multi-Attach now supports Windows Server Failover Clusters with I/O fencing for safe write access coordination.
  • Storage Classes
    • EFS offers four storage classes: Standard, Standard-IA (Infrequent Access), One Zone, and One Zone-IA. Additionally, EFS Archive (launched Nov 2023) provides up to 72% lower cost than EFS IA for rarely accessed data with automatic intelligent tiering.
    • EBS Multi-Attach is supported on Provisioned IOPS SSD volumes — io1 and io2 (including io2 Block Express).
  • Performance
    • EFS with Elastic Throughput supports up to 20 GiB/s read throughput and 5 GiB/s write throughput (March 2024 update), with up to 1.5 GiB/s per client (May 2024 update). Supports sub-millisecond latency for Standard storage class.
    • EBS io2 Block Express delivers sub-millisecond latency with up to 256,000 IOPS, 4,000 MB/s throughput per volume.
  • I/O Fencing & Coordination
    • EFS handles file locking and consistency natively via NFS protocol semantics.
    • EBS Multi-Attach with io2 volumes supports NVMe Reservations (Sept 2023), enabling I/O fencing for safe write access coordination across cluster nodes — critical for Windows Server Failover Clusters and clustered databases.
  • Data Protection
    • EFS supports replication (cross-Region and cross-account), AWS Backup integration, and lifecycle management with automatic tiering.
    • EBS supports snapshots, Amazon Data Lifecycle Manager for automated snapshot management, and volume-level encryption.
  • Pricing
    • EFS is priced as per the pay-as-you-use model — only pay for storage consumed.
    • EBS is priced as per the provisioned capacity — pay for allocated storage even if unused.

Recent Updates (2023-2025)

Amazon EFS Updates

  • EFS Archive Storage Class (Nov 2023) – New lowest-cost storage class offering up to 72% lower cost than EFS Infrequent Access for rarely accessed data. Supports automatic intelligent tiering from Standard → IA → Archive.
  • Elastic Throughput – 20 GiB/s (March 2024) – Maximum throughput doubled to 20 GiB/s read (from 10 GiB/s) and 5 GiB/s write (from 3 GiB/s).
  • Per-client Throughput – 1.5 GiB/s (May 2024) – Maximum per-client throughput tripled to 1.5 GiB/s (from 500 MiB/s).
  • Cross-account Replication (Nov 2024) – EFS now supports replicating file systems between AWS accounts for enhanced disaster recovery.
  • 10,000 Access Points per File System (Feb 2025) – Limit increased 10x from 1,000 to 10,000 access points per file system for container and serverless workloads.

Amazon EBS Multi-Attach Updates

  • NVMe Reservations for io2 (Sept 2023) – Enables I/O fencing for Multi-Attach volumes, providing safe write access coordination across cluster nodes. Enabled by default for all Multi-Attach io2 volumes created after September 18, 2023.
  • Windows Server Failover Cluster Support – With NVMe Reservations, EBS Multi-Attach io2 volumes now support Windows Server Failover Clusters (WSFC) with proper I/O fencing, enabling SQL Server Failover Cluster Instances.
  • io2 Block Express Performance – Delivers up to 256,000 IOPS, 4,000 MB/s throughput, 64 TiB capacity per volume with 99.999% durability and sub-millisecond latency.
  • Expanded Instance Type Support (2025) – Multi-Attach support expanded to additional Nitro-based instance types.

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. A company wants to organize the contents of multiple websites in managed file storage. The company must be able to scale the storage based on demand without needing to provision storage. Multiple servers across multiple Availability Zones within a region should be able to access this storage concurrently. Which services should the Solutions Architect recommend?
    1. Amazon S3
    2. Amazon EBS Multi-Attach
    3. Amazon EFS
    4. AWS Storage Gateway – Volume gateway
  2. A company requires shared block storage for a clustered database running on multiple EC2 instances within the same Availability Zone. The solution must support I/O fencing to prevent data corruption during failover scenarios. Which solution meets these requirements?
    1. Amazon EFS with General Purpose performance mode
    2. Amazon EBS io2 Multi-Attach with NVMe Reservations
    3. Amazon EBS gp3 with Multi-Attach enabled
    4. Amazon FSx for Windows File Server
  3. A company needs to store large amounts of rarely accessed files that still need to be part of the same file system namespace as their frequently accessed data. The solution must minimize costs while maintaining immediate access when needed. Which storage configuration is MOST cost-effective?
    1. Amazon S3 Glacier Instant Retrieval
    2. Amazon EFS with Standard storage class only
    3. Amazon EFS with lifecycle management using Standard, Infrequent Access, and Archive storage classes
    4. Amazon EBS with Cold HDD (sc1) volumes
  4. A company wants to deploy a Windows Server Failover Cluster on AWS for a SQL Server Always On Failover Cluster Instance. The shared storage must support concurrent access from multiple instances with proper write coordination. Which solution meets these requirements?
    1. Amazon EFS mounted on Windows instances
    2. Amazon EBS gp3 with Multi-Attach
    3. Amazon EBS io2 Multi-Attach with NVMe Reservations
    4. Amazon S3 with S3 File Gateway
  5. A media company runs a video processing workload across hundreds of EC2 instances that need to read and write to a shared file system. The workload requires up to 15 GiB/s of read throughput during peak hours. Which storage solution meets these requirements? (Select TWO)
    1. Amazon EFS with Elastic Throughput mode
    2. Amazon EBS io2 with Multi-Attach
    3. Amazon S3 with S3 Transfer Acceleration
    4. Amazon EFS Regional file system with General Purpose performance mode
    5. Amazon FSx for Lustre

📖 Related: AWS S3 vs EBS vs EFS – Complete Storage Comparison Guide

References

AWS EFS – Elastic File System & Performance Modes

Elastic File System – EFS

  • Amazon Elastic File System (EFS) provides a simple, fully managed, easy to set up, scalable, serverless, and cost-optimized file storage for use with AWS Cloud and on-premises resources.
  • can automatically scale from gigabytes to petabytes of data without needing to provision storage.
  • provides managed NFS (network file system) that can be mounted on and accessed by multiple EC2 instances in multiple AZs simultaneously.
  • offers highly durable, highly scalable, and highly available storage.
    • stores data redundantly across multiple AZs in the same region (Regional file systems) or within a single AZ (One Zone file systems)
    • grows and shrinks automatically as files are added and removed, so there is no need to manage storage procurement or provisioning.
  • supports the Network File System version 4 (NFSv4.1 and NFSv4.0) protocol
  • provides file system access semantics, such as strong data consistency and file locking
  • is compatible with all Linux-based AMIs for EC2, POSIX file system (~Linux) that has a standard file API
  • is a shared POSIX system for Linux systems and does not work for Windows
  • offers the ability to encrypt data at rest using KMS and in transit.
  • can be accessed from on-premises using an AWS Direct Connect or AWS VPN connection between the on-premises datacenter and VPC.
  • can be accessed concurrently from servers in the on-premises data center as well as EC2 instances in the VPC
  • supports IPv6 on EFS Service APIs and mount targets (added June 2025)
  • supports integration with AWS Lambda, Amazon ECS, Amazon EKS (including Fargate), and other containerized/serverless compute services.

EFS File System Types

  • Regional (Recommended)
    • stores data redundantly across multiple Availability Zones in an AWS Region
    • offers the highest levels of durability and availability
    • supports all performance and throughput modes
  • One Zone
    • stores data within a single Availability Zone
    • offers lower cost with additional savings
    • does not support Max I/O performance mode

EFS Storage Classes

EFS Storage Classes

Standard storage classes

  • EFS Standard and Standard-Infrequent Access (Standard-IA), offer multi-AZ resilience and the highest levels of durability and availability.
  • For file systems using Standard storage classes, a mount target can be created in each Availability Zone in the AWS Region.
  • Standard
    • regional storage class for frequently accessed data.
    • offers the highest levels of availability and durability by storing file system data redundantly across multiple AZs in an AWS Region.
    • uses SSD storage to deliver the lowest levels of latency (~1 ms read, ~2.7 ms write)
    • ideal for active file system workloads and you pay only for the file system storage you use per month
  • Standard-Infrequent Access (Standard-IA)
    • regional, low-cost storage class that’s cost-optimized for files infrequently accessed i.e. not accessed every day
    • offers the highest levels of availability and durability by storing file system data redundantly across multiple AZs in an AWS Region
    • cost to retrieve files, lower price to store
    • provides first-byte latencies of tens of milliseconds

EFS Regional

One Zone storage classes

  • EFS One Zone and One Zone-Infrequent Access (One Zone-IA) offer additional savings by saving the data in a single AZ.
  • For file systems using One Zone storage classes, only a single mount target that is in the same Availability Zone as the file system needs to be created.
  • EFS One Zone
    • For frequently accessed files stored redundantly within a single AZ in an AWS Region.
  • EFS One Zone-IA (One Zone-IA)
    • A lower-cost storage class for infrequently accessed files stored redundantly within a single AZ in an AWS Region.

EFS Zonal

EFS Archive Storage Class

  • EFS Archive is a storage class designed for rarely accessed data, launched in November 2023.
  • delivers storage prices up to 50% lower compared to EFS Infrequent Access (IA) and up to 97% lower compared to EFS Standard.
  • costs only $0.008/GB-month.
  • supports the same intelligent tiering experience as existing EFS storage classes.
  • provides first-byte latencies of tens of milliseconds (same as IA).
  • ideal for storing compliance data, historical records, and rarely accessed datasets that still need to be in a shared file system.
  • by default, files not accessed in Standard storage for 90 days are transitioned into the Archive storage class.
  • available only for Regional file systems.

EFS Lifecycle Management

  • EFS lifecycle management automatically manages cost-effective file storage for the file systems.
  • When enabled, lifecycle management migrates files that haven’t been accessed for a set period of time to an infrequent access storage class, Standard-IA or One Zone-IA.
  • Lifecycle Management automatically moves the data to the EFS IA storage class according to the lifecycle policy. for e.g., you can move files automatically into EFS IA fourteen days after not being accessed.
  • Lifecycle management uses an internal timer to track when a file was last accessed and not the POSIX file system attribute that is publicly viewable.
  • Whenever a file in Standard or One Zone storage is accessed, the lifecycle management timer is reset.
  • After lifecycle management moves a file into one of the IA storage classes, the file remains there indefinitely if EFS Intelligent-Tiering is not enabled.
  • Supported lifecycle transition periods: 1, 7, 14, 30, 60, 90, 180, 270, or 365 days after last access.
  • Files can also be automatically transitioned from IA to Archive storage (default 90 days after last access in Standard).

EFS Intelligent-Tiering

  • EFS Intelligent-Tiering delivers automatic cost savings for workloads with changing access patterns.
  • automatically moves files between storage classes based on access patterns:
    • Moves infrequently accessed files from Standard to IA (or from One Zone to One Zone-IA)
    • Moves files back to Standard (or One Zone) storage on first access if “Transition into Standard” policy is set to “On first access”
    • Moves rarely accessed files from IA to Archive
  • eliminates the risk of unbounded access charges while providing consistent low latencies for active data.
  • EFS transparently serves files across all storage classes from a common file system namespace.

EFS Performance Modes

General Purpose (Default, Recommended)

  • lowest per-operation latency (~1 ms read, ~2.7 ms write for Regional)
  • ideal for web serving environments, content management systems, home directories, and general file serving
  • supports up to 2.5 million read IOPS and 500,000 write IOPS per file system with Elastic Throughput (as of Nov 2024, a 10x increase over previous limits)
  • recommended for ALL file systems; AWS recommends always using General Purpose performance mode
  • One Zone file systems always use General Purpose performance mode

Max I/O (Previous Generation)

  • can scale to higher levels of aggregate throughput and operations per second
  • with a tradeoff of slightly higher latencies for file metadata operations
  • designed for highly parallelized applications and workloads, such as big data analysis, media processing, and genomic analysis
  • is NOT available for file systems using One Zone storage classes or Elastic throughput mode
  • AWS now recommends using General Purpose performance mode instead; with Elastic throughput, General Purpose now provides up to 2.5 million IOPS, surpassing Max I/O for most use cases
  • performance mode cannot be changed after file system creation; a new file system must be created to switch modes

EFS Throughput Modes

Elastic Throughput (Default, Recommended)

  • automatically scales throughput performance up or down to meet workload activity needs
  • recommended for most use cases, especially spiky or unpredictable workloads
  • ideal for applications that drive throughput at an average-to-peak ratio of 5% or less
  • pay only for the amount of data read or written; no burst credits consumed
  • supports up to 60 GiBps read throughput and 5 GiBps write throughput per file system (region-dependent)
  • supports up to 1,500 MiBps per-client throughput (with EFS client v2.0+ or EFS CSI Driver)
  • supports up to 2.5 million read IOPS and 500,000 write IOPS (with quota increase, up to 10x)
  • not compatible with Max I/O performance mode

Provisioned Throughput

  • throughput of the file system (in MiB/s) can be instantly provisioned independent of the amount of data stored
  • use when workload performance requirements are known and average-to-peak ratio is 5% or more
  • supports up to 10 GiBps read and 3.33 GiBps write throughput
  • supports up to 55,000 read IOPS and 25,000 write IOPS

Bursting Throughput

  • throughput on EFS scales as the size of the file system in the EFS Standard or One Zone storage class grows
  • base throughput of 50 KiBps per GiB of Standard storage
  • can burst up to 100 MiBps per TiB when burst credits are available
  • supports up to 35,000 read IOPS and 7,000 write IOPS
  • if throughput-constrained, consider switching to Elastic or Provisioned throughput

EFS Replication

  • EFS Replication enables automatic replication of file system data to another AWS Region or Availability Zone.
  • supports cross-Region replication for disaster recovery and compliance use cases.
  • supports cross-account replication (added November 2024), allowing replication between different AWS accounts.
  • all replication traffic stays on the AWS global backbone network.
  • most changes are replicated within a minute, with an overall Recovery Point Objective (RPO) of 15 minutes for most file systems.
  • replication does not consume burst credits and does not count against provisioned throughput.
  • available in all AWS Regions where Amazon EFS is available.
  • useful for business continuity, localized data access, and test/development environments.

EFS Security

  • EFS supports authentication, authorization, and encryption capabilities to help meet security and compliance requirements.
  • EFS supports two forms of encryption for file systems,
    • Encryption in transit
      • Encryption in Transit can be enabled when you mount the file system using TLS.
    • Encryption at rest.
      • encrypts all the data and metadata
      • can be enabled only when creating an EFS file system.
      • to encrypt an existing unencrypted EFS file system, create a new encrypted EFS file system, and migrate the data using AWS DataSync.
  • NFS client access to EFS is controlled by both AWS IAM policies and network security policies like security groups.

EFS Access Points

  • EFS access points are application-specific entry points into an EFS file system that make it easier to manage application access to shared datasets.
  • Access points can enforce a user identity, including the user’s POSIX groups, for all file system requests that are made through the access point.
  • Access points can enforce a different root directory for the file system so that clients can only access data in the specified directory or its subdirectories.
  • AWS IAM policies can be used to enforce that specific applications use a specific access point.
  • IAM policies with access points provide secure access to specific datasets for the applications.
  • A single file system supports up to 10,000 access points (increased from 1,000 in February 2025).

EFS Integration with Compute Services

  • Amazon EC2 – Mount EFS file systems on Linux-based EC2 instances across multiple AZs.
  • AWS Lambda – Mount EFS as shared file storage for Lambda functions within a VPC for sharing data across invocations.
  • Amazon ECS / AWS Fargate – Use EFS as persistent storage for containerized workloads via task definitions.
  • Amazon EKS – Mount EFS via the EFS CSI Driver as persistent volumes for Kubernetes pods, including Fargate pods.
  • Amazon SageMaker – Use EFS for ML training data and shared notebooks.
  • EFS is NOT supported on Windows instances. Use Amazon FSx for Windows File Server for Windows workloads.

EFS vs EBS vs S3

  • EFS – Shared file storage (NFS), multiple instances/AZs, Linux only, auto-scaling, POSIX compliant
  • EBS – Block storage, single instance (except multi-attach io1/io2), single AZ, fixed provisioned size
  • S3 – Object storage, unlimited scale, not a file system, accessed via API/SDK

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. An administrator runs a highly available application in AWS. A file storage layer is needed that can share between instances and scale the platform more easily. The storage should also be POSIX compliant. Which AWS service can perform this action?
    1. Amazon EBS
    2. Amazon S3
    3. Amazon EFS
    4. Amazon EC2 Instance store
  2. A company has a data analytics workload that processes large datasets. Files are actively used for the first 30 days, occasionally accessed for the next 60 days, and rarely accessed after that. The company wants to minimize storage costs while keeping all data in a single file system. Which EFS configuration best meets these requirements?
    1. Use EFS Standard with Provisioned Throughput
    2. Use EFS with Intelligent-Tiering enabled, with lifecycle policies to transition to IA after 30 days and Archive after 90 days
    3. Use EFS One Zone-IA for all data
    4. Use EFS Standard with Bursting Throughput and manual data migration
  3. A machine learning team needs a shared file system that can handle highly parallel read-heavy workloads with millions of IOPS. They want the file system to automatically scale throughput without pre-provisioning. Which EFS configuration should they choose?
    1. General Purpose performance mode with Bursting Throughput
    2. Max I/O performance mode with Provisioned Throughput
    3. General Purpose performance mode with Elastic Throughput
    4. One Zone file system with Elastic Throughput
  4. A company needs to maintain a disaster recovery copy of their EFS file system in a different AWS Region and a different AWS account for compliance purposes. Which approach meets these requirements with the LEAST operational overhead?
    1. Use AWS DataSync to schedule periodic cross-region, cross-account transfers
    2. Configure EFS cross-account, cross-Region replication
    3. Use AWS Backup with cross-account, cross-region copy rules
    4. Create a custom Lambda function to sync files between accounts and regions
  5. A containerized application running on Amazon EKS with Fargate needs persistent shared storage accessible across multiple pods in different Availability Zones. Which storage solution is most appropriate?
    1. Amazon EBS with multi-attach
    2. Amazon EFS with the EFS CSI Driver
    3. Amazon S3 mounted via s3fs
    4. Amazon FSx for Lustre

References

AWS Storage Services Cheat Sheet

AWS Storage Services Cheat Sheet

AWS Storage Services

Simple Storage Service – S3

  • provides key-value based object storage with unlimited storage, unlimited objects up to 5 TB for the internet
  • offers an extremely durable, highly available, and infinitely scalable data storage infrastructure at very low costs.
  • is Object-level storage (not a Block level storage) and cannot be used to host OS or dynamic websites (but can work with Javascript SDK)
  • provides durability by redundantly storing objects on multiple facilities within a region
  • regularly verifies the integrity of data using checksums and provides the auto-healing capability
  • S3 resources consist of globally unique buckets with objects and related metadata. The data model is a flat structure with no hierarchies or folders.
  • As of March 2026, S3 stores more than 500 trillion objects, serves more than 200 million requests per second globally across hundreds of exabytes of data.
  • S3 Replication enables automatic, asynchronous copying of objects across S3 buckets in the same or different AWS regions using SRR or CRR. Replication needs versioning enabled on either side.
  • S3 Transfer Acceleration helps speed data transport over long distances between a client and an S3 bucket using CloudFront edge locations.
  • S3 supports cost-effective Static Website hosting with Client-side scripts.
  • S3 CORS – Cross-Origin Resource Sharing allows cross-origin access to S3 resources.
  • S3 Access Logs enables tracking access requests to an S3 bucket.
  • S3 notification feature enables notifications to be triggered when certain events happen in the bucket.
  • S3 Inventory helps manage the storage and can be used to audit and report on the replication and encryption status of the objects for business, compliance, and regulatory needs.
  • Requestor Pays help bucket owner to specify that the requester requesting the download will be charged for the download.
  • S3 Batch Operations help perform large-scale batch operations on S3 objects and can perform a single operation on lists of specified S3 objects.
  • Pre-Signed URLs can be used shared for uploading/downloading objects for a limited time without requiring AWS security credentials.
  • Multipart Uploads allows
    • parallel uploads with improved throughput and bandwidth utilization
    • fault tolerance and quick recovery from network issues
    • ability to pause and resume uploads
    • begin an upload before the final object size is known
  • Versioning
    • helps preserve, retrieve, and restore every version of every object
    • protect from unintended overwrites and accidental deletions
    • protects individual files but does NOT protect from Bucket deletion
  • MFA (Multi-Factor Authentication) can be enabled for additional security for the deletion of objects.
  • Integrates with CloudTrail, CloudWatch, and SNS for event notifications
  • S3 Object Lock
    • provides Write-Once-Read-Many (WORM) protection for S3 objects
    • prevents objects from being deleted or overwritten for a fixed amount of time or indefinitely
    • Governance Mode – users with specific IAM permissions can remove the lock
    • Compliance Mode – no user, including the root account, can remove the lock until retention period expires
    • supports Legal Hold which prevents object deletion indefinitely until explicitly removed
    • requires versioning to be enabled on the bucket
  • S3 Storage Classes
    • S3 Standard
      • default storage class, ideal for frequently accessed data
      • 99.999999999% durability & 99.99% availability
      • Low latency and high throughput performance
      • designed to sustain the loss of data in two facilities
    • S3 Intelligent-Tiering
      • automatically moves data between access tiers based on access patterns with no retrieval charges
      • includes Frequent Access (default), Infrequent Access (after 30 days, 40% lower cost), and Archive Instant Access (after 90 days, 68% lower cost) tiers
      • optional Archive Access (90-730 days) and Deep Archive Access (180-730 days) tiers can be enabled
      • 99.999999999% durability & 99.9% availability
      • ideal for data with unknown or changing access patterns
      • small monthly monitoring and automation charge per object; no retrieval charges
    • S3 Express One Zone
      • high-performance storage class launched in November 2023
      • delivers up to 10x better performance than S3 Standard with consistent single-digit millisecond latency
      • request costs up to 50% lower than S3 Standard
      • uses directory buckets (a new bucket type) stored in a single Availability Zone
      • supports up to 2 million requests per second per directory bucket
      • ideal for ML training, interactive analytics, financial modeling, and real-time advertising
      • allows co-locating storage and compute in the same AZ for optimal performance
    • S3 Standard-Infrequent Access (S3 Standard-IA)
      • optimized for long-lived and less frequently accessed data
      • designed to sustain the loss of data in two facilities
      • 99.999999999% durability & 99.9% availability
      • suitable for objects greater than 128 KB kept for at least 30 days
    • S3 One Zone-Infrequent Access (S3 One Zone-IA)
      • optimized for rapid access, less frequently accessed data
      • ideal for secondary backups and reproducible data
      • stores data in a single AZ, data stored in this storage class will be lost in the event of AZ destruction.
      • 99.999999999% durability & 99.5% availability
    • S3 Reduced Redundancy Storage (Not Recommended)
      • designed for noncritical, reproducible data stored at lower levels of redundancy than the STANDARD storage class
      • reduces storage costs
      • 99.99% durability & 99.99% availability
      • designed to sustain the loss of data in a single facility
    • S3 Glacier Instant Retrieval
      • lowest-cost storage for long-lived data that is rarely accessed but requires milliseconds retrieval
      • ideal for medical images, news media assets, or genomics data accessed once per quarter
      • 99.999999999% durability & 99.9% availability
      • Minimum storage duration of 90 days
      • up to 68% lower cost than S3 Standard-IA
    • S3 Glacier Flexible Retrieval (formerly S3 Glacier)
      • suitable for low cost data archiving, where data access is infrequent
      • provides retrieval time of minutes to hours
        • Expedited – 1 to 5 minutes
        • Standard – 3 to 5 hours
        • Bulk – 5 to 12 hours (free)
      • 99.999999999% durability & 99.9% availability
      • Minimum storage duration of 90 days
    • S3 Glacier Deep Archive
      • provides lowest cost data archiving, where data access is infrequent
      • 99.999999999% durability & 99.9% availability
      • provides retrieval time of several (12-48) hours
        • Standard – 12 hours
        • Bulk – 48 hours
      • Minimum storage duration of 180 days
      • supports long-term retention and digital preservation for data that may be accessed once or twice a year
  • Lifecycle Management policies
    • transition to move objects to different storage classes and Glacier
    • expiration to remove objects and object versions
    • can be applied to both current and non-current objects, in case, versioning is enabled.
  • Data Consistency Model
    • provides strong read-after-write consistency for PUT and DELETE requests of objects in the S3 bucket in all AWS Regions
    • updates to a single key are atomic
  • S3 Security
    • IAM policies – grant users within your own AWS account permission to access S3 resources
    • Bucket and Object ACL – grant other AWS accounts (not specific users) access to S3 resources
    • Bucket policies – allows to add or deny permissions across some or all of the objects within a single bucket
    • S3 Access Points simplify data access for any AWS service or customer application that stores data in S3.
    • S3 Glacier Vault Lock helps deploy and enforce compliance controls for individual S3 Glacier vaults with a vault lock policy.
    • S3 VPC Gateway Endpoint enables private connections between a VPC and S3, without requiring that you use an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
    • Support SSL encryption of data in transit and data encryption at rest
    • S3 Block Public Access – provides settings to block public access at the account and bucket level (enabled by default on new buckets)
    • SSE-C disabled by default – as of April 2026, Server-Side Encryption with Customer-Provided Keys (SSE-C) is disabled by default on all new general purpose buckets for enhanced security
  • S3 Data Encryption
    • supports data at rest and data in transit encryption
    • All new objects are encrypted by default with SSE-S3 (Amazon S3-managed keys)
    • Server-Side Encryption
      • SSE-S3 – encrypts S3 objects using keys handled & managed by AWS (default)
      • SSE-KMS – leverage AWS Key Management Service to manage encryption keys. KMS provides control and audit trail over the keys.
      • SSE-C – when you want to manage your own encryption keys. AWS does not store the encryption key. Requires HTTPS. Disabled by default on new buckets since April 2026.
      • DSSE-KMS – Dual-layer Server-Side Encryption with KMS keys, provides two layers of encryption for compliance requirements
    • Client-Side Encryption
      • Client library such as the S3 Encryption Client
      • Clients must encrypt data themselves before sending it to S3
      • Clients must decrypt data themselves when retrieving from S3
      • Customer fully manages the keys and encryption cycle
  • S3 Best Practices
    • use parallel threads and Multipart upload for faster writes
    • use parallel threads and Range Header GET for faster reads
    • for list operations with a large number of objects, it’s better to build a secondary index in DynamoDB
    • use Versioning to protect from unintended overwrites and deletions, but this does not protect against bucket deletion
    • use VPC S3 Endpoints with VPC to transfer data using Amazon internal network
    • use S3 Object Lock for WORM compliance and ransomware protection

S3 Bucket Types

  • General Purpose Buckets – traditional S3 buckets for most workloads with flat storage namespace
  • Directory Buckets – used with S3 Express One Zone storage class, organized with a hierarchical directory structure for low-latency workloads
  • Table Buckets – purpose-built for storing tabular data in Apache Iceberg format (launched December 2024), with automatic compaction, snapshot management, and garbage collection
  • Vector Buckets – optimized for durable, low-cost vector storage for AI embeddings (GA December 2025), supports up to 2 billion vectors per index with dedicated APIs for storing, accessing, and querying vectors

S3 Files (2026)

  • provides fully-featured, high-performance NFS file system access to S3 data
  • first cloud object store to provide full file system semantics without data ever leaving S3
  • enables accessing S3 objects using file-based protocols for applications requiring file system interfaces

Instance Store

  • provides temporary or ephemeral block-level storage for an EC2 instance
  • is physically attached to the Instance
  • deliver very high random I/O performance, which is a good option when storage with very low latency is needed
  • cannot be dynamically resized
  • data persists when an instance is rebooted
  • data does not persist if the
    • underlying disk drive fails
    • instance stops i.e. if the EBS backed instance with instance store volumes attached is stopped
    • instance terminates
  • can be attached to an EC2 instance only when the instance is launched
  • is ideal for the temporary storage of information that changes frequently, such as buffers, caches, scratch data, and other temporary content, or for data that is replicated across a fleet of instances, such as a load-balanced pool of web servers.

Elastic Block Store – EBS

  • is virtual network-attached block storage
  • provides highly available, reliable, durable, block-level storage volumes that can be attached to a running instance
  • provides high durability and are redundant in an AZ, as the data is automatically replicated within that AZ to prevent data loss due to any single hardware component failure
  • persists and is independent of EC2 lifecycle
  • multiple volumes can be attached to a single EC2 instance
  • can be detached & attached to another EC2 instance in that same AZ only
  • volumes are Zonal i.e. created in a specific AZ and CAN’T span across AZs
  • snapshots
  • for making volume available to different AZ, create a snapshot of the volume and restore it to a new volume in any AZ within the region
  • for making the volume available to different Region, the snapshot of the volume can be copied to a different region and restored as a volume
  • Multi-Attach enables attaching a single Provisioned IOPS SSD (io1 or io2) volume to multiple instances that are in the same AZ.
  • EBS Volume Types:
    • General Purpose SSD (gp3) – default and recommended for most workloads
      • baseline 3,000 IOPS and 125 MiB/s throughput included (independent of volume size)
      • as of September 2025, supports up to 64 TiB (4x previous 16 TiB), 80,000 IOPS (5x previous 16,000), and 2,000 MiB/s throughput (2x previous 1,000 MiB/s)
      • 99.9% durability
      • 20% lower cost than gp2 with ability to independently provision IOPS and throughput
    • General Purpose SSD (gp2) – legacy, still supported
      • IOPS scales with volume size (3 IOPS per GiB), up to 16,000 IOPS
      • suitable for boot volumes, dev/test environments
      • recommended to migrate to gp3 for cost savings
    • Provisioned IOPS SSD (io2 Block Express) – highest performance
      • up to 256,000 IOPS, 4,000 MiB/s throughput, 64 TiB volume size
      • 99.999% durability (100x higher than io1)
      • sub-millisecond latency
      • 1,000 IOPS per GiB ratio (20x higher than io1)
      • supports Multi-Attach
      • same price as io1, recommended as replacement
      • available in all commercial and GovCloud regions (2025)
    • Provisioned IOPS SSD (io1) – legacy, being superseded by io2
      • up to 64,000 IOPS, 50 IOPS per GiB
      • 99.9% durability
      • recommended to upgrade to io2 Block Express for better performance at same cost
    • Throughput Optimized HDD (st1)
      • low-cost HDD for frequently accessed, throughput-intensive workloads
      • big data, data warehouses, log processing
      • max throughput 500 MiB/s, max IOPS 500
      • cannot be a boot volume
    • Cold HDD (sc1)
      • lowest cost HDD for less frequently accessed workloads
      • max throughput 250 MiB/s, max IOPS 250
      • cannot be a boot volume

EBS Encryption

  • allows encryption using the EBS encryption feature.
  • All data stored at rest, disk I/O, and snapshots created from the volume are encrypted.
  • uses 256-bit AES algorithms (AES-256) and an Amazon-managed KMS
  • Snapshots of encrypted EBS volumes are automatically encrypted.
  • EBS encryption by default can be enabled at the account level for all new volumes

EBS Snapshots

  • helps create backups of EBS volumes
  • are incremental
  • occur asynchronously
  • are regional and CANNOT span across regions
  • can be copied across regions to make it easier to leverage multiple regions for geographical expansion, data center migration, and disaster recovery
  • can be shared by making them public or with specific AWS accounts by modifying the access permissions of the snapshots
  • support EBS encryption
    • Snapshots of encrypted volumes are automatically encrypted
    • Volumes created from encrypted snapshots are automatically encrypted
    • All data in flight between the instance and the volume is encrypted
    • Volumes created from an unencrypted snapshot owned or have access to can be encrypted on the fly.
    • Encrypted snapshot owned or having access to, can be encrypted with a different key during the copy process.
  • can be automated using AWS Data Lifecycle Manager (DLM)
  • EBS Snapshots Archive – move rarely-accessed snapshots to a low-cost archive tier (up to 75% cheaper), with retrieval taking 24-72 hours
  • Recycle Bin – protects against accidental deletion by retaining deleted snapshots for a configurable retention period

EBS vs Instance Store

Refer blog post @ EBS vs Instance Store

EFS

  • fully-managed, easy to set up, scale, and cost-optimize file storage
  • can automatically scale from gigabytes to petabytes of data without needing to provision storage
  • provides managed NFS (network file system) that can be mounted on and accessed by multiple EC2 in multiple AZs simultaneously
  • highly durable, highly scalable and highly available.
    • stores data redundantly across multiple Availability Zones
    • grows and shrinks automatically as files are added and removed, so there is no need to manage storage procurement or provisioning.
  • uses the Network File System version 4 (NFS v4) protocol
  • is compatible with all Linux-based AMIs for EC2, POSIX file system (~Linux) that has a standard file API
  • does not support Windows AMI (use FSx for Windows instead)
  • offers the ability to encrypt data at rest using KMS and in transit.
  • can be accessed from on-premises using an AWS Direct Connect or AWS VPN connection between the on-premises datacenter and VPC.
  • can be accessed concurrently from servers in the on-premises datacenter as well as EC2 instances in the Amazon VPC
  • supports up to 10,000 access points per file system (10x increase from previous 1,000 limit, February 2025)
  • Performance
    • Elastic Throughput (recommended) – automatically scales throughput up or down based on workload
      • up to 60 GiB/s read and 10 GiB/s write throughput (October 2024 increase)
    • Provisioned Throughput – specify throughput independent of storage
    • Bursting Throughput – scales with file system size
    • supports up to 2.5 million read IOPS and 500,000 write IOPS per file system (November 2024, 10x increase)
  • Storage Classes
    • EFS Standard – for frequently accessed files, multi-AZ redundancy
    • EFS Standard-IA (Infrequent Access) – lower cost for infrequently accessed files, multi-AZ redundancy
    • EFS One Zone – single-AZ, lower cost for frequently accessed data
    • EFS One Zone-IA – single-AZ, lowest cost for infrequent access
    • Lifecycle Management automatically moves data between storage classes based on access patterns
  • EFS Replication – enables automatic replication of file systems to another AWS Region or within the same Region for disaster recovery
  • EFS is a shared POSIX system for Linux systems and does not work for Windows

Amazon FSx for Windows File Server

  • is a fully managed, highly reliable, and scalable Windows file system share drive
  • supports SMB protocol & Windows NTFS
  • supports Microsoft Active Directory integration, ACLs, user quotas
  • built on SSD, scale up to 10s of GB/s, millions of IOPS, 100s PB of data
  • is accessible from Windows, Linux, and MacOS compute instances
  • can be accessed from the on-premise infrastructure
  • can be configured to be Multi-AZ (high availability)
  • supports encryption of data at rest and in transit
  • provides data deduplication, which enables further cost optimization by removing redundant data.
  • data is backed-up daily to S3

Amazon FSx for Lustre

  • provides easy and cost effective way to launch and run the world’s most popular high-performance file system.
  • is a type of parallel distributed file system, for large-scale computing
  • Lustre is derived from “Linux” and “cluster”
  • Machine Learning, High Performance Computing (HPC) esp. Video Processing, Financial Modeling, Electronic Design Automation
  • scales up to 100s GB/s, millions of IOPS, sub-ms latencies
  • seamless integration with S3, it transparently presents S3 objects as files and allows you to write changed data back to S3.
  • can “read S3” as a file system (through FSx)
  • can write the output of the computations back to S3 (through FSx)
  • supports encryption of data at rest and in transit
  • can be used from on-premise servers

Amazon FSx for NetApp ONTAP

  • fully managed shared storage built on NetApp’s popular ONTAP file system
  • supports NFS, SMB, and iSCSI protocols — accessible from Linux, Windows, and macOS
  • provides enterprise features: snapshots, cloning, replication, compression, deduplication, and tiering
  • supports Multi-AZ deployments for high availability
  • ideal for migrating on-premises NetApp/NAS workloads to AWS
  • second-generation file systems (July 2024) deliver up to 6 GBps throughput per HA pair
  • supports S3 Access Points (2025) — access file data through S3 APIs for AI/ML and analytics workloads without moving data
  • supports Autonomous Ransomware Protection (ARP) (April 2025) — detects unusual activity and generates automatic snapshots
  • can be accessed from on-premises via Direct Connect or VPN

Amazon FSx for OpenZFS

  • fully managed shared file storage built on the OpenZFS file system
  • supports NFS protocol (v3, v4, v4.1, v4.2)
  • delivers up to 1 million IOPS with sub-millisecond latencies
  • provides data management capabilities: snapshots, cloning, compression
  • ideal for migrating Linux-based file servers and applications to AWS
  • supports S3 Access Points (2025) — seamless access to file data through S3 APIs
  • accessible from Linux, Windows, and macOS compute instances

CloudFront

  • provides low latency and high data transfer speeds for distribution of static, dynamic web or streaming content to web users
  • delivers the content through a worldwide network of data centers called Edge Locations (700+ locations globally)
  • keeps persistent connections with the origin servers so that the files can be fetched from the origin servers as quickly as possible.
  • dramatically reduces the number of network hops that users’ requests must pass through
  • supports multiple origin server options, like AWS hosted service for e.g. S3, EC2, ELB or an on premise server, which stores the original, definitive version of the objects
  • single distribution can have multiple origins and Path pattern in a cache behavior determines which requests are routed to the origin
  • supports Web distribution for static, dynamic web content, on demand using progressive download & HLS and live streaming video content
    • RTMP Streaming distribution was deprecated and removed on December 31, 2020
  • supports HTTPS using either
    • dedicated IP address, which is expensive as dedicated IP address is assigned to each CloudFront edge location
    • Server Name Indication (SNI), which is free but supported by modern browsers only with the domain name available in the request header
  • For E2E HTTPS connection,
    • Viewers -> CloudFront needs either self signed certificate, or certificate issued by CA or ACM
    • CloudFront -> Origin needs certificate issued by ACM for ELB and by CA for other origins
  • Security
    • Origin Access Control (OAC) is the recommended method to restrict S3 origin access to CloudFront only. OAC supports SSE-KMS, all S3 bucket types, and dynamic requests (PUT/DELETE).
      • Origin Access Identity (OAI) is legacy — deprecated for new distributions as of March 2026. Migrate to OAC.
    • VPC Origins (November 2024) – enables CloudFront to connect directly to ALBs, NLBs, or EC2 instances in private subnets, making CloudFront the single point of entry without exposing origins to the internet
    • supports Geo restriction (Geo-Blocking) to whitelist or blacklist countries that can access the content
    • Signed URLs
      • to restrict access to individual files, for e.g., an installation download for your application.
      • users using a client, for e.g. a custom HTTP client, that doesn’t support cookies
    • Signed Cookies
      • provide access to multiple restricted files, for e.g., video part files in HLS format or all of the files in the subscribers’ area of a website.
      • don’t want to change the current URLs
    • integrates with AWS WAF, a web application firewall that helps protect web applications from attacks by allowing rules configured based on IP addresses, HTTP headers, and custom URI strings
    • integrates with AWS Shield (Standard included free) for DDoS protection
  • Edge Compute
    • CloudFront Functions – lightweight functions executing at 700+ edge locations with sub-millisecond startup, for simple request/response manipulations (URL redirects, header manipulation, cache key normalization)
    • Lambda@Edge – runs at 13 Regional Edge Caches, supports longer execution (up to 30 seconds), network access, and larger packages for complex logic
    • CloudFront KeyValueStore (2023) – globally distributed low-latency data store for CloudFront Functions, enabling data lookups without network calls (A/B testing, feature flags, geo-routing)
    • Connection Functions (November 2025) – functions for mutual TLS (mTLS) viewer authentication
  • supports GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE to get object & object headers, add, update, and delete objects
    • only caches responses to GET and HEAD requests and, optionally, OPTIONS requests
    • does not cache responses to PUT, POST, PATCH, DELETE request methods and these requests are proxied back to the origin
  • object removal from cache
    • would be removed upon expiry (TTL) from the cache, by default 24 hrs
    • can be invalidated explicitly, but has a cost associated, however might continue to see the old version until it expires from those caches
    • change object name, versioning, to serve different version
  • supports adding or modifying custom headers before the request is sent to origin which can be used to
    • validate if user is accessing the content from CDN
    • identifying CDN from which the request was forwarded from, in case of multiple CloudFront distribution
    • for viewers not supporting CORS to return the Access-Control-Allow-Origin header for every request
  • supports Partial GET requests using range header to download object in smaller units improving the efficiency of partial downloads and recovery from partially failed transfers
  • supports compression to compress and serve compressed files when viewer requests include Accept-Encoding: gzip in the request header
  • supports different price class to include all regions, to include only least expensive regions and other regions to exclude most expensive regions
  • CloudFront Pricing Plans (2025) – flat-rate plans (Free, Pro $15/mo, Business $200/mo, Premium $1000/mo) combining CDN, WAF, DDoS protection, bot management, Route 53, and S3 credits into predictable monthly pricing
  • Origin Shield – additional caching layer between edge locations and origin that reduces origin load and improves cache hit ratios
  • Continuous Deployment – enables safe deployment of CloudFront configuration changes using staging distributions for testing with a subset of traffic
  • supports access logs which contain detailed information about every user request

AWS Import/Export & Data Transfer

⚠️ AWS Import/Export Disk is a legacy service and has been superseded by the AWS Snow Family. AWS Snow Family devices (Snowball Edge) are no longer available to new customers as of November 7, 2025.

Alternatives for new customers:

  • AWS DataSync — for online data transfers
  • AWS Data Transfer Terminal — for secure physical transfers
  • AWS Partner solutions — for specialized migration needs
  • AWS Outposts — for edge computing needs

AWS Snow Family (Existing Customers Only)

  • physical devices for transferring large amounts of data into and out of AWS
  • Snowball Edge Storage Optimized – 80 TB usable storage, 40 vCPUs
  • Snowball Edge Compute Optimized – 28 TB usable storage, 104 vCPUs, optional GPU
  • suitable for large-scale data migrations, disaster recovery, and edge computing
  • supports S3-compatible storage and EC2 compute instances at the edge
  • No longer available to new customers as of November 7, 2025

AWS Data Transfer Terminal (2024)

  • secure, physical locations where customers bring their storage devices for high-speed data transfer to/from AWS
  • provides at least two 100 Gigabit Ethernet (100 GbE) ports per terminal
  • supports transfer to Amazon S3, EFS, and other AWS endpoints
  • available in multiple locations globally (US, Europe, etc.)
  • reservation-based model — book date and time through AWS Console
  • ideal replacement for Snow Family for physical data transfer use cases
  • charges based on number of ports used during reservation (per port-hour)

AWS DataSync

  • online data transfer service that simplifies, automates, and accelerates moving data between on-premises storage and AWS
  • supports transfer to/from S3, EFS, FSx, and between AWS storage services
  • automatically handles many transfer tasks: network optimization, data integrity validation, encryption
  • can transfer up to 10 Gbps over a Direct Connect link
  • recommended alternative to Snow Family for online transfers