Profile Applicability:

  • Level 1

Description:

Amazon Elastic File System (EFS) allows you to enable automatic backups using AWS Backup. Enabling backups ensures that your file system data is regularly backed up, helping in disaster recovery and accidental data deletion scenarios.

Automatic backups use AWS Backup to create and manage backups of your EFS file systems according to the defined backup plan.

Rationale:

Enabling backups on Amazon EFS provides:

  • Data Protection: Prevents data loss due to accidental deletions, corruption, or unauthorized changes.

  • Disaster Recovery: Facilitates quick recovery of data in the event of disasters.

  • Compliance: Meets data protection and retention requirements for standards like HIPAA, GDPR, and SOC2.

  • Cost Efficiency: AWS Backup offers granular control over backup frequency and retention, helping optimize costs.

Impact:

  • Pros:

    • Ensures data availability and resilience.

    • Simplifies data recovery processes.

    • Helps meet compliance and audit requirements.

  • Cons:

    • Additional costs for storage and backup operations.

    • Potential performance impact during backup operations (though generally minimal).

Default Value:

  • Automatic backups are disabled by default for Amazon EFS file systems.

Pre-Requisite:

  • IAM Permissions:

    • elasticfilesystem:DescribeFileSystems

    • backup:ListBackupPlans

    • backup:CreateBackupPlan

    • backup:StartBackupJob

  • AWS Backup Service: Ensure AWS Backup is set up in the region where the EFS file systems exist.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Elastic File System (EFS) → File Systems.

                   

  1. Select each EFS file system to review.

                 

  1. In the General tab, check the Automatic backups setting.

    • Pass: If "Automatic backups" is set to Enabled.

    • Fail: If "Automatic backups" is set to Disabled.

                 

Repeat the process for all EFS file systems across regions.

Using AWS CLI:

List EFS File Systems:

aws efs describe-file-systems --region <region> --query 'FileSystems[*].[FileSystemId,Name]'


Check Backup Status:
For each file system, run:

 aws efs describe-backup-policy --file-system-id <efs-id> --region <region>
Expected Output (Pass):
 {
  "BackupPolicy": {
    "Status": "ENABLED"
  }
}
Fail Output:
 {
  "BackupPolicy": {
    "Status": "DISABLED"
  }
}

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Console.

  2. Navigate to Amazon EFS → File Systems.

  3. Select the EFS file system you want to modify.

  4. Under the General section, locate Automatic backups.

  5. Click Edit next to the Automatic backups option.

                 

  1. Select Enabled.

                   

  1. Click Save Changes.

                   

Using AWS CLI:

Enable Backup Policy for EFS:

 aws efs put-backup-policy \
  --file-system-id <efs-id> \
  --backup-policy Status=ENABLED \
  --region <region>

Verify Backup Policy Is Enabled:

aws efs describe-backup-policy --file-system-id <efs-id> --region <region>

Backout Plan:

If enabling backups causes issues or was applied in error:

Using AWS Console:

  • Navigate to Amazon EFS → File Systems.

  • Select the file system.

  • Edit Automatic backups and set to Disabled.

Using AWS CLI:

 aws efs put-backup-policy \
  --file-system-id <efs-id> \
  --backup-policy Status=DISABLED \
  --region <region>

References:

  1. Amazon EFS Backup Documentation

  2. AWS Backup Documentation

  3. AWS CLI - EFS Backup Policy

CIS Controls:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

11.4

Perform Automated Backups – Schedule regular backups of data.

v8

11.7

Ensure Data Recovery – Validate that backups can be restored successfully.

v7

10.5

Ensure Regular Backups – Ensure that critical data is backed up regularly.