Profile Applicability:

  • Level 1

Description:

Amazon Elastic File System (EFS) is a fully managed, scalable file storage service that provides storage for use with Amazon EC2 instances and other AWS services. Multi-AZ support in Amazon EFS ensures high availability and durability by automatically replicating the data across multiple availability zones (AZs) within an AWS region. Enabling Multi-AZ for an EFS file system improves fault tolerance and minimizes the risk of data loss due to a single AZ failure.

This SOP ensures that Amazon EFS file systems are configured to use Multi-AZ by leveraging EFS’s regional replication to achieve high availability and reduce downtime.

Rationale:

  • High Availability: By enabling Multi-AZ support, EFS ensures that data is replicated across multiple availability zones. This improves availability and ensures that the file system is resilient to AZ-level failures.

  • Durability: Multi-AZ replication increases data durability by distributing data across multiple physical locations. This protects against localized failures in a single AZ.

  • Compliance: Many regulatory standards (e.g., PCI-DSS, SOC 2) require data to be highly available and resilient. Multi-AZ configurations help meet these compliance requirements.

Impact:

Pros:

  • Improved Availability: Multi-AZ configuration provides high availability by replicating data across multiple AZs. This reduces the chances of a single point of failure.

  • Data Durability: Data is automatically replicated across multiple AZs, ensuring protection against regional failures and improving overall durability.

  • Enhanced Fault Tolerance: EFS automatically recovers from AZ outages, ensuring that your workloads are resilient to failures in individual AZs.

Cons:

  • Cost: Multi-AZ replication incurs additional storage costs, as data is duplicated across multiple AZs.

  • Slight Latency: Although replication improves availability, it can introduce a slight latency in certain scenarios due to cross-AZ replication.

Default Value:

By default, Amazon EFS does not enable Multi-AZ support for all file systems. It must be explicitly configured during the file system creation process.

Pre-requisite:

  • AWS IAM Permissions:

    • efs:DescribeFileSystems

    • efs:CreateFileSystem

    • efs:UpdateFileSystem

  • AWS CLI installed and configured.

  • Amazon EFS file system must be created or ready to be created.

  • Multi-AZ Availability Zones in your AWS region should be available.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EFS under Services.

  3. Select the EFS file system you want to check.

  4. In the File System Details section, check the Availability Zones configuration. Ensure that the file system is multi-AZ.

    • If Multi-AZ is enabled, it should indicate “Multi-AZ” under the Availability Zone details.

    • If not enabled, there should be only one AZ listed for the file system.

Using AWS CLI:

To check if the file system is configured for Multi-AZ, run the following command:

 aws efs describe-file-systems --query "FileSystems[*].{FileSystemId:FileSystemId,AvailabilityZones:AvailabilityZones}"

Ensure that the AvailabilityZones list contains more than one AZ. A Multi-AZ configuration will have at least two AZs listed.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to Amazon EFS.

  2. Create a new EFS file system or update an existing file system.

    • When creating the file system, ensure that you select Multi-AZ option during the configuration.

  3. To enable Multi-AZ on an existing file system:

    • Navigate to EFS File Systems.

    • Select the file system to modify.

    • Under the Availability Zones section, enable Multi-AZ replication.

Review and save the configuration.

Using AWS CLI:

To create an EFS file system with Multi-AZ enabled, use the following command:

 aws efs create-file-system --performance-mode generalPurpose --availability-zone-ids <az-1-id> <az-2-id> --region <region>

To modify an existing file system to enable Multi-AZ, run:

 aws efs update-file-system --file-system-id <file-system-id> --availability-zone-ids <az-1-id> <az-2-id>

Verify the update by running the describe command:

 aws efs describe-file-systems --query "FileSystems[*].{FileSystemId:FileSystemId,AvailabilityZones:AvailabilityZones}"


Backout Plan:

If enabling Multi-AZ for the EFS file system causes issues:

  1. Identify the affected file system and check if there is any performance degradation or failure due to cross-AZ replication.

  2. Revert the configuration by disabling Multi-AZ (this may involve creating a new file system, as EFS currently does not support turning off Multi-AZ after creation):

    • Create a new file system with a single AZ configuration and migrate data.

  3. Monitor the file system to ensure that the setup is functioning properly and there are no disruptions.

Note :

  • Data Migration: If Multi-AZ is enabled after the file system is created, you may need to migrate the data to the new configuration. Ensure that data migration is handled efficiently to avoid downtime.

  • File System Backups: Before making any changes, ensure that backups of the file system are taken to prevent data loss during reconfiguration.

References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.

v8

14.6

Protect Information Through Access Control Lists – Apply strict access control to file systems.