
feat(s3files): s3Files Lambda L1 integration#37547

Draft
vishaalmehrishi wants to merge 1 commit intomainfrom
s3files-lambda-l1-integration

Conversation


@vishaalmehrishi vishaalmehrishi commented Apr 8, 2026

Reason for this change

S3Files is a new feature being developed with S3 and EFS to allow customers to access their S3 buckets as high-performance file systems. This PR introduces the L1 generated constructs and adds an integration to the L2 Lambda constructs to allow it to be mounted by the Function.

Description of changes

L1 constructs generated via the added schemas in temporary-schema + a new function for Lambda.FileSystem:

FileSystem.fromS3FilesAccessPoint(ap: IAccessPointRef, mountPath: string): FileSystem

This function enables Lambda to mount an S3 Files file system. It uses AccessPointReflection to automatically
resolve the file system, mount targets, security groups, and IAM policies from the construct tree — so the
user only needs to pass the access point and mount path.

A new AccessPointReflection class in aws-s3files walks the construct tree to find:

  • The CfnFileSystem associated with the access point
  • All CfnMountTarget resources for that file system (added as DependsOn)
  • Security groups from mount targets (wired into Connections for ingress)

Describe any new or updated permissions being added

Lambda gives itself permission to mount and write to the file system:

  • s3files:ClientMount on the access point ARN
  • s3files:ClientMount + s3files:ClientWrite on the file system ARN

Description of how you validated changes

Unit tests (11 passing): AccessPointReflection (10 tests including cross-stack, mixed token matching,
deduplication) + Lambda s3files integration (1 test).

Deployed to an account onboarded for the feature with:

const fileSystem = new s3files.CfnFileSystem(this, 'FileSystem', {
  bucket: bucket.bucketArn,
  roleArn: s3filesRole.roleArn,
});

vpc.privateSubnets.forEach((subnet, i) =>
  new s3files.CfnMountTarget(this, `MountTarget${i}`, {
    fileSystemId: fileSystem.attrFileSystemId,
    subnetId: subnet.subnetId,
    securityGroups: [sg.securityGroupId],
  }),
);

const accessPoint = new s3files.CfnAccessPoint(this, 'AccessPoint', {
  fileSystemId: fileSystem.ref,
  posixUser: { uid: '1000', gid: '1000' },
  rootDirectory: {
    path: '/lambda',
    creationInfo: { ownerUid: '1000', ownerGid: '1000', permissions: '755' },
  },
});

new lambda.Function(this, 'MyFunction', {
  runtime: lambda.Runtime.NODEJS_20_X,
  handler: 'index.handler',
  code: lambda.Code.fromAsset('lambda'),
  vpc,
  filesystem: lambda.FileSystem.fromS3FilesAccessPoint(accessPoint, '/mnt/s3files'),
});

Was able to invoke the lambda which writes a file to the fs. Verified the synthesized template includes
DependsOn for mount targets on the Lambda resource.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
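The description above lists two things a reviewer would want to confirm in the synthesized template: that the Lambda resource carries a DependsOn for every mount target of the file system, and that the generated policy grants only s3files:ClientMount on the access point ARN and s3files:ClientMount plus s3files:ClientWrite on the file system ARN. The following is an added, dependency-free TypeScript check over a synthesized template; it is not code from this PR or from aws-cdk-lib. The AWS::S3Files::* resource type names, the `Arn` GetAtt attribute and the sample template embedded below are assumptions constructed for this example, not values taken from the PR.

```typescript
// Added example, not part of the PR or of aws-cdk-lib. Checks a synthesized
// CloudFormation template for the two properties the PR description describes.
// Assumptions: resource types AWS::S3Files::{FileSystem,MountTarget,AccessPoint}
// and an `Arn` GetAtt attribute; the sample template is constructed here.

type CfnValue = string | { Ref: string } | { 'Fn::GetAtt': [string, string] };

interface Resource {
  Type: string;
  Properties?: Record<string, any>;
  DependsOn?: string | string[];
}

interface Template {
  Resources: Record<string, Resource>;
}

// The only actions the integration is documented to need.
const ALLOWED_ACTIONS = new Set(['s3files:ClientMount', 's3files:ClientWrite']);

// Does a CloudFormation value (Ref or Fn::GetAtt) point at the given logical ID?
function refersTo(value: CfnValue | undefined, logicalId: string): boolean {
  if (!value || typeof value !== 'object') return false;
  if ('Ref' in value) return value.Ref === logicalId;
  if ('Fn::GetAtt' in value) return value['Fn::GetAtt'][0] === logicalId;
  return false;
}

// Logical IDs of every mount target attached to the file system.
function mountTargetsOf(tpl: Template, fileSystemId: string): string[] {
  return Object.entries(tpl.Resources)
    .filter(([, r]) => r.Type === 'AWS::S3Files::MountTarget'
      && refersTo(r.Properties?.FileSystemId, fileSystemId))
    .map(([id]) => id);
}

// Mount targets the function does not declare a DependsOn for. Without the
// dependency the function can be created, and invoked, before the file system
// is reachable from its subnets.
function missingDependsOn(tpl: Template, functionId: string, fileSystemId: string): string[] {
  const raw = tpl.Resources[functionId].DependsOn ?? [];
  const deps = new Set(Array.isArray(raw) ? raw : [raw]);
  return mountTargetsOf(tpl, fileSystemId).filter((id) => !deps.has(id));
}

// Policy statements broader than the integration needs: an action outside the
// two s3files actions, or a Resource that is not a reference to the access
// point or the file system (for example "*").
function policyFindings(tpl: Template, accessPointId: string, fileSystemId: string): string[] {
  const findings: string[] = [];
  for (const [id, r] of Object.entries(tpl.Resources)) {
    if (r.Type !== 'AWS::IAM::Policy') continue;
    const statements: any[] = r.Properties?.PolicyDocument?.Statement ?? [];
    statements.forEach((s, i) => {
      const actions: string[] = Array.isArray(s.Action) ? s.Action : [s.Action];
      const resources: CfnValue[] = Array.isArray(s.Resource) ? s.Resource : [s.Resource];
      for (const a of actions) {
        if (!ALLOWED_ACTIONS.has(a)) findings.push(`${id}[${i}]: unexpected action ${a}`);
      }
      for (const res of resources) {
        if (!refersTo(res, accessPointId) && !refersTo(res, fileSystemId)) {
          findings.push(`${id}[${i}]: resource not scoped to access point or file system`);
        }
      }
    });
  }
  return findings;
}

// Constructed sample template. MountTarget1 is deliberately absent from
// DependsOn and the third policy statement is deliberately over-broad, so
// both checks have something to report.
const SAMPLE_TEMPLATE: Template = {
  Resources: {
    FileSystem: { Type: 'AWS::S3Files::FileSystem', Properties: {} },
    MountTarget0: { Type: 'AWS::S3Files::MountTarget',
      Properties: { FileSystemId: { 'Fn::GetAtt': ['FileSystem', 'FileSystemId'] } } },
    MountTarget1: { Type: 'AWS::S3Files::MountTarget',
      Properties: { FileSystemId: { 'Fn::GetAtt': ['FileSystem', 'FileSystemId'] } } },
    AccessPoint: { Type: 'AWS::S3Files::AccessPoint', Properties: { FileSystemId: { Ref: 'FileSystem' } } },
    MyFunction: {
      Type: 'AWS::Lambda::Function',
      DependsOn: ['MountTarget0'],
      Properties: { FileSystemConfigs: [
        { Arn: { 'Fn::GetAtt': ['AccessPoint', 'Arn'] }, LocalMountPath: '/mnt/s3files' }] },
    },
    MyFunctionPolicy: {
      Type: 'AWS::IAM::Policy',
      Properties: { PolicyDocument: { Statement: [
        { Effect: 'Allow', Action: 's3files:ClientMount', Resource: { 'Fn::GetAtt': ['AccessPoint', 'Arn'] } },
        { Effect: 'Allow', Action: ['s3files:ClientMount', 's3files:ClientWrite'],
          Resource: { 'Fn::GetAtt': ['FileSystem', 'Arn'] } },
        { Effect: 'Allow', Action: 's3files:*', Resource: '*' },
      ] } },
    },
  },
};

console.log(missingDependsOn(SAMPLE_TEMPLATE, 'MyFunction', 'FileSystem'));
console.log(policyFindings(SAMPLE_TEMPLATE, 'AccessPoint', 'FileSystem'));
```

On a real project the `SAMPLE_TEMPLATE` constant would be replaced by the JSON that `cdk synth` writes to cdk.out, and the two functions would run as an assertion in the unit tests next to the ones the PR adds, so a future change that drops a DependsOn or widens the policy fails the build rather than being noticed in a deployed account.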

@github-actions github-actions bot added the p2 label Apr 8, 2026
@aws-cdk-automation aws-cdk-automation requested a review from a team April 8, 2026 08:35
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Apr 8, 2026
@mergify mergify bot temporarily deployed to automation April 8, 2026 08:35 Inactive
@mergify mergify bot temporarily deployed to automation April 8, 2026 08:36 Inactive

@aws-cdk-automation aws-cdk-automation left a comment


(This review is outdated)


github-actions bot commented Apr 8, 2026

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merging from main to avoid findings unrelated to the PR.


Tests: Security Guardian Results (48 ran, 48 passed)
Test result: no test annotations available


github-actions bot commented Apr 8, 2026

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merging from main to avoid findings unrelated to the PR.


Tests: Security Guardian Results with resolved templates (48 ran, 48 passed)
Test result: no test annotations available

@vishaalmehrishi vishaalmehrishi changed the title feat(aws-s3files): S3Files Lambda L1 integration feat(s3files): s3Files Lambda L1 integration Apr 8, 2026
@aws-cdk-automation aws-cdk-automation dismissed their stale review April 8, 2026 08:39

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@vishaalmehrishi vishaalmehrishi added the pr/do-not-merge This PR should not be merged at this time. label Apr 8, 2026
@aws-cdk-automation aws-cdk-automation added the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label Apr 8, 2026