Profile Applicability:
- Level 1
Description:
AWS Storage Gateway is a hybrid cloud storage service that enables on-premises applications to securely access cloud storage. For high availability and data resilience, Storage Gateway deployments should be configured in a fault-tolerant environment. This means hosting the gateway across multiple Availability Zones (AZs), or otherwise configuring it so that it is not a single point of failure (SPOF). This SOP helps verify that AWS Storage Gateway is deployed in a fault-tolerant manner to ensure operational continuity.
Rationale:
High Availability: Ensuring that Storage Gateway is hosted in a fault-tolerant environment reduces the risk of service interruptions and enhances uptime for on-premises applications that rely on cloud storage.
Disaster Recovery: Hosting Storage Gateway in a multi-AZ environment ensures that even if one AZ experiences an outage, data access can continue from another AZ, providing a disaster recovery mechanism.
Operational Continuity: Fault-tolerant configurations ensure that your cloud storage remains available under various failure scenarios, ensuring business operations are not disrupted.
Impact:
Pros:
Enhanced Uptime: Reduces the likelihood of gateway downtime by deploying in a multi-AZ environment.
Increased Resilience: Data can be accessed from a backup Availability Zone in case of failure in the primary AZ.
Improved Business Continuity: Helps ensure continuous access to cloud storage even in the event of an AZ outage.
Cons:
Cost: Multi-AZ deployment configurations can lead to higher costs, as resources are duplicated across Availability Zones.
Complexity: Managing and monitoring a fault-tolerant configuration across multiple AZs requires additional operational oversight.
Default Value:
By default, AWS Storage Gateway can be deployed in a single AZ, but it is recommended to deploy it in a multi-AZ environment for fault tolerance and high availability.
Pre-requisite:
AWS IAM Permissions:
storagegateway:ListGateways
storagegateway:DescribeGatewayInformation
storagegateway:UpdateGatewayInformation
AWS CLI installed and configured.
Ensure that you have appropriate permissions to view and manage AWS Storage Gateway configurations.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Storage Gateway under Services.
In the Storage Gateway Dashboard, select Gateways.
Choose the gateway you want to check.
Under Gateway Information, look for the Availability Zone configuration.
Ensure that the gateway is deployed in a multi-AZ configuration (if applicable).
Check if the gateway is deployed with a local disk that provides fault tolerance within a single AZ.
If the gateway is deployed in only one Availability Zone (single AZ), consider deploying a secondary gateway or changing configurations to achieve fault tolerance.
Using AWS CLI:
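To check the fault-tolerance configuration of a Storage Gateway, list the gateways with their host environment and, for EC2-hosted gateways, the instance ID and Region:
aws storagegateway list-gateways --query 'Gateways[*].{GatewayId:GatewayId,HostEnvironment:HostEnvironment,Ec2InstanceId:Ec2InstanceId,Ec2InstanceRegion:Ec2InstanceRegion}'
The Storage Gateway API does not return an Availability Zone, so for each EC2-hosted gateway look up the AZ of its instance (this requires the ec2:DescribeInstances permission):
aws ec2 describe-instances --region <EC2_INSTANCE_REGION> --instance-ids <EC2_INSTANCE_ID> --query 'Reservations[].Instances[].Placement.AvailabilityZone'
Review the AvailabilityZone output: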
If the gateway is deployed in only one AZ, it indicates that the gateway may not be fault-tolerant.
If the gateway spans multiple AZs, it is likely hosted in a fault-tolerant configuration.
To modify the Storage Gateway to deploy in multiple AZs, follow the steps for multi-AZ deployment in the Implementation Steps.
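The check above can be automated. The following is an added example, not part of the original SOP: it groups EC2-hosted gateways by gateway type and reports whether each group spans more than one AZ. Grouping by type, the status labels, and all sample IDs are assumptions made for illustration; fetch_live needs boto3, credentials, and the ec2:DescribeInstances permission.

```python
import json
from collections import defaultdict

# Constructed sample, shaped like `aws storagegateway list-gateways` output.
SAMPLE_GATEWAYS = json.loads("""[
 {"GatewayId": "sgw-AAAA0001", "GatewayType": "FILE_S3", "HostEnvironment": "EC2",
  "Ec2InstanceId": "i-0example0000001", "Ec2InstanceRegion": "us-east-1"},
 {"GatewayId": "sgw-AAAA0002", "GatewayType": "FILE_S3", "HostEnvironment": "EC2",
  "Ec2InstanceId": "i-0example0000002", "Ec2InstanceRegion": "us-east-1"},
 {"GatewayId": "sgw-AAAA0003", "GatewayType": "CACHED", "HostEnvironment": "EC2",
  "Ec2InstanceId": "i-0example0000003", "Ec2InstanceRegion": "us-east-1"},
 {"GatewayId": "sgw-AAAA0004", "GatewayType": "STORED", "HostEnvironment": "VMWARE"}
]""")
# Constructed instance -> AZ map (Placement.AvailabilityZone from describe-instances).
SAMPLE_AZ = {"i-0example0000001": "us-east-1a", "i-0example0000002": "us-east-1b",
             "i-0example0000003": "us-east-1a"}

def assess(gateways, az_by_instance):
    """Return ({gateway_type: status}, {gateway_id: note}) for the given inventory."""
    zones, notes = defaultdict(set), {}
    for gw in gateways:
        if gw.get("HostEnvironment") != "EC2":
            notes[gw["GatewayId"]] = "NOT_EC2_HOSTED"  # no AZ applies to this host
            continue
        az = az_by_instance.get(gw.get("Ec2InstanceId"))
        if az is None:
            notes[gw["GatewayId"]] = "AZ_UNKNOWN"      # instance not found in the map
            continue
        zones[gw["GatewayType"]].add(az)
    status = {t: ("MULTI_AZ" if len(a) > 1 else "SINGLE_AZ") for t, a in zones.items()}
    return status, notes

def fetch_live():
    """Collect the same two inputs from AWS (requires boto3 and credentials)."""
    import boto3
    gateways, by_region, az = [], defaultdict(list), {}
    for page in boto3.client("storagegateway").get_paginator("list_gateways").paginate():
        gateways += page["Gateways"]
    for gw in gateways:
        if gw.get("Ec2InstanceId"):
            by_region[gw["Ec2InstanceRegion"]].append(gw["Ec2InstanceId"])
    for region, ids in by_region.items():
        ec2 = boto3.client("ec2", region_name=region)
        for res in ec2.describe_instances(InstanceIds=ids)["Reservations"]:
            for inst in res["Instances"]:
                az[inst["InstanceId"]] = inst["Placement"]["AvailabilityZone"]
    return gateways, az

if __name__ == "__main__":
    print(assess(SAMPLE_GATEWAYS, SAMPLE_AZ))
```

A SINGLE_AZ result for a gateway type means every EC2-hosted gateway of that type sits in the same AZ, which is the condition this SOP asks you to remediate.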
Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console and navigate to Storage Gateway.
In the Storage Gateway Dashboard, select Gateways and choose the gateway you want to check or modify.
If the gateway is not in a fault-tolerant configuration:
Modify the gateway configuration to ensure it is deployed in multiple Availability Zones for high availability.
Alternatively, create an additional gateway in a different Availability Zone to achieve fault tolerance.
Using AWS CLI:
To modify the Storage Gateway to use a multi-AZ configuration, you may need to create an additional gateway in another AZ or ensure the gateway is configured with fault tolerance.
For example, creating a Storage Gateway in multiple Availability Zones may involve configuring additional resources or backups to provide high availability.
Backout Plan:
Using AWS Console:
If configuring the gateway for fault tolerance causes issues, sign in to the AWS Management Console.
Navigate to Storage Gateway, select the gateway, and check the configuration.
Roll back the changes by reverting the deployment back to a single AZ (if possible) or adjusting the configuration to return to a non-fault-tolerant setup.
Using AWS CLI:
To roll back to previous settings (if necessary), use update-gateway-information. This command changes settings such as the gateway name and time zone; it has no parameter for gateway type or Availability Zone, so gateway placement cannot be reverted with it:
aws storagegateway update-gateway-information --gateway-arn <GATEWAY_ARN> --gateway-name <PREVIOUS_NAME> --gateway-timezone <PREVIOUS_TIMEZONE>
Verify the gateway's current settings by describing the gateway information again:
aws storagegateway describe-gateway-information --gateway-arn <GATEWAY_ARN>