iCompaas Support

Profile Applicability:

• Level 1

Description:

Amazon FSx for Windows File Server can be configured to deploy with high availability using Multi-AZ, which ensures that file system data is replicated across two Availability Zones. This configuration increases availability and resilience by protecting against zonal failures.

Rationale:

Configuring FSx Windows file systems with Multi-AZ ensures high availability, data durability, and protection against availability zone failure. It reduces the risk of downtime and ensures that critical file systems remain accessible in case of hardware or network issues in a single zone.

Impact:

• Positive Impact: Increased availability and fault tolerance, reducing the risk of service disruption.

• Negative Impact: There may be a slight increase in cost due to the deployment across multiple Availability Zones.

Default Value:

By default, FSx Windows file systems are created as single-AZ deployments. Multi-AZ configuration must be enabled at the time of creation or via a reconfiguration process.

Pre-Requisite:

• AWS Account Access: Ensure you have the necessary permissions to view and configure FSx Windows file systems.

• IAM Permissions: Permissions to modify or view FSx file system configurations.

Remediation:

Test Plan

Using AWS Console:

1. Sign in to the AWS Management Console.

2. Navigate to the Amazon FSx Console at https://console.aws.amazon.com/fsx/.

3. In the left panel, click File systems.

4. Select the FSx for Windows File Server file system you want to inspect.

5. In the General section, look for the Availability and durability settings.

   • If Multi-AZ is enabled, the file system is configured for high availability.

   • If Single-AZ is enabled, you must reconfigure the file system to Multi-AZ.   

6. To enable Multi-AZ, click Edit under the Availability and durability section and change the setting to Multi-AZ.

7. Save the changes.

Using AWS CLI:

1. Run the following command to describe the FSx file system and check if it is Multi-AZ enabled:

aws fsx describe-file-systems --file-system-id <fs-xxxxxx> --query 'FileSystems[*].WindowsFileSystem.WeeklyMaintenanceStartTime'

2. The command will return the configuration details for the file system, including whether Multi-AZ is enabled. If Multi-AZ is not enabled, you will need to modify the file system settings or create a new Multi-AZ file system.
   
   

3. To create a new FSx for Windows File Server with Multi-AZ enabled, run the following:

aws fsx create-file-system \
    --file-system-type WINDOWS \
    --subnet-id <subnet-id> \
    --multi-az \
    --storage-capacity <storage-capacity> \
    --windows-configuration ActiveDirectoryId=<ad-id>,SelfManagedActiveDirectoryConfiguration={DomainName=<domain-name>,UserName=<username>,Password=<password>}

Implementation Steps:

Using AWS Console:

1. Sign in to the AWS Management Console.

2. Navigate to the Amazon FSx Console at https://console.aws.amazon.com/fsx/.

3. Select File systems from the left panel.

4. Choose the FSx for Windows file system you wish to configure.

5. Under General Settings, click Edit in the Availability and durability section.

6. Set Multi-AZ to Enabled and save the changes.

Using AWS CLI:

1. Run the following command to check if Multi-AZ is enabled:

aws fsx describe-file-systems --file-system-id <fs-xxxxxx> --query 'FileSystems[*].WindowsFileSystem.WeeklyMaintenanceStartTime'

2. If Multi-AZ is not enabled, create a new FSx Windows file system with Multi-AZ enabled:

aws fsx create-file-system \
    --file-system-type WINDOWS \
    --subnet-id <subnet-id> \
    --multi-az \
    --storage-capacity <storage-capacity> \
    --windows-configuration ActiveDirectoryId=<ad-id>,SelfManagedActiveDirectoryConfiguration={DomainName=<domain-name>,UserName=<username>,Password=<password>}

Backout Plan:

Using AWS Management Console:

1. Sign in to the AWS Management Console.

2. Navigate to Amazon FSx > File Systems.

3. Select the file system configured with Multi-AZ.

4. Under the Settings section, locate the deployment type.

5. Change the deployment type from Multi-AZ to Single-AZ.

6. Save the changes to revert the configuration.

Using AWS CLI:

Retrieve the current configuration of the FSx file system:

aws fsx describe-file-systems --file-system-id <file-system-id>
Update the file system to revert to Single-AZ deployment:
aws fsx update-file-system \
--file-system-id <file-system-id> \
--deployment-type SINGLE_AZ

1. Verify the updated configuration:

   aws fsx describe-file-systems --file-system-id <file-system-id>

References:

• Amazon FSx Documentation

• AWS CLI FSx Commands

• FSx for Windows File Server Setup

CIS Controls Mapping: