Profile Applicability:
 • Level 2

Description:

Amazon Elastic File System (EFS) provides scalable, elastic storage for use with Amazon EC2 instances and on-premises resources. EFS is designed to be highly available and durable, offering low-latency file access. Proper configuration of EFS is crucial for ensuring secure and efficient access to file data, with appropriate permission settings, encryption, and backups in place.

Rationale:

Amazon EFS allows you to mount scalable, managed file storage on multiple EC2 instances concurrently. Configuring EFS properly ensures that sensitive data is protected, access is controlled, and data is backed up appropriately. Encryption protects data at rest and, when mounts use TLS, in transit, while access control ensures that only authorized users can interact with the file system.

Impact:

Pros:

  • Provides scalable, highly available, and durable file storage

  • Supports automatic scaling to handle workloads of various sizes

  • Enables concurrent access from multiple EC2 instances

  • Encryption ensures data security at rest and during transmission

  • Allows for backup integration to preserve data integrity

Cons:

  • Additional cost for using EFS compared to traditional local storage

  • Requires proper configuration to avoid misconfigurations and ensure security

  • Could lead to performance bottlenecks if not properly scaled or configured based on workload requirements

Default Value:

By default, no EFS file system exists. When one is created, encryption at rest is enabled only if it is requested at creation time, and the file system has no file system policy until one is configured.

Pre-requisites:

  • IAM permissions to create and configure Amazon EFS resources

  • EC2 instances or on-premises resources that require access to the file system

  • Clear understanding of access control requirements and encryption settings

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to EFS > File Systems

  3. Verify that an EFS file system exists and is correctly configured with the necessary encryption settings (e.g., encryption at rest and in transit)

  4. Ensure that security groups, NFS access points, and access control settings are appropriately configured

  5. Check that EFS file systems are properly mounted on the EC2 instances that need access

  6. Review backup settings to ensure that data is regularly backed up using AWS Backup or other strategies

Using AWS CLI:

List all EFS file systems:

aws efs describe-file-systems

Describe a specific file system to check encryption and mount targets:

aws efs describe-file-systems --file-system-id <file-system-id>

Verify encryption at rest (reported as the boolean Encrypted; encryption in transit is not a file system attribute but is enforced per mount with TLS and, optionally, by a file system policy that denies non-TLS access, which can be inspected with aws efs describe-file-system-policy --file-system-id <file-system-id>):

aws efs describe-file-systems --file-system-id <file-system-id> --query "FileSystems[0].Encrypted"

Verify EFS mount targets and security group settings:

aws efs describe-mount-targets --file-system-id <file-system-id>
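The checks in the Test Plan above, as an added example that is not part of the original benchmark text: an offline audit written against the response shapes of describe-file-systems, describe-file-system-policy, describe-backup-policy, describe-mount-targets, describe-mount-target-security-groups and ec2 describe-security-groups. The sample responses, file system ids, security group ids, account number and the allowed CIDR are all constructed; the optional collect() function at the end is the only part that calls AWS (it assumes boto3 and credentials are present).

```python
import json

NFS_PORT = 2049  # EFS mount targets serve NFS on TCP 2049


def encrypted_at_rest(fs):
    """describe-file-systems exposes encryption at rest as the boolean
    'Encrypted'; it cannot be enabled after the file system is created."""
    return bool(fs.get("Encrypted"))


def tls_enforced(policy_json):
    """Encryption in transit is a per-mount choice (efs-utils 'tls' option)
    unless a file system policy denies every request that arrives without
    TLS, i.e. a Deny statement conditioned on aws:SecureTransport == false."""
    if not policy_json:
        return False
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Deny":
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if flag is not None and str(flag).lower() == "false":
            return True
    return False


def backup_enabled(backup_policy):
    """describe-backup-policy -> {'BackupPolicy': {'Status': 'ENABLED' | ...}}"""
    return backup_policy.get("BackupPolicy", {}).get("Status") == "ENABLED"


def nfs_exposures(security_groups, allowed_cidrs):
    """Inbound rules on the mount-target security groups that reach TCP 2049
    from an IPv4 CIDR outside the allowed set. Rules that reference another
    security group instead of a CIDR are treated as acceptable and skipped."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            reaches_nfs = proto == "-1" or (
                proto == "tcp" and lo is not None and lo <= NFS_PORT <= hi)
            if not reaches_nfs:
                continue
            for rng in perm.get("IpRanges", []):
                cidr = rng.get("CidrIp")
                if cidr not in allowed_cidrs:
                    findings.append(f"{sg['GroupId']} allows NFS from {cidr}")
    return findings


def audit(fs, policy_json, backup_policy, security_groups, allowed_cidrs):
    """Return the list of deviations from the settings the Test Plan checks."""
    findings = []
    if not encrypted_at_rest(fs):
        findings.append("encryption at rest is disabled")
    if not tls_enforced(policy_json):
        findings.append("no file system policy denies non-TLS access")
    if not backup_enabled(backup_policy):
        findings.append("automatic backups are not enabled")
    findings.extend(nfs_exposures(security_groups, allowed_cidrs))
    return findings


# ---- constructed sample responses (placeholder ids, not real resources) ----
TLS_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "*",
    "Resource": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0123456789abcdef0",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
GOOD_FS = {"FileSystemId": "fs-0123456789abcdef0", "Encrypted": True}
BAD_FS = {"FileSystemId": "fs-0fedcba9876543210", "Encrypted": False}
BACKUP_ON, BACKUP_OFF = {"BackupPolicy": {"Status": "ENABLED"}}, {"BackupPolicy": {"Status": "DISABLED"}}
ALLOWED = {"10.0.0.0/16"}  # constructed VPC range the EC2 clients live in
SG_TIGHT = [{"GroupId": "sg-aaaa", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 2049,
             "ToPort": 2049, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}]
SG_OPEN = [{"GroupId": "sg-bbbb", "IpPermissions": [{"IpProtocol": "-1",
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]


def collect(fs_id, region):
    """Optional live collector: returns the same tuple of responses that the
    constructed samples stand in for (requires boto3 and AWS credentials)."""
    import boto3
    from botocore.exceptions import ClientError
    efs, ec2 = boto3.client("efs", region_name=region), boto3.client("ec2", region_name=region)
    fs = efs.describe_file_systems(FileSystemId=fs_id)["FileSystems"][0]
    policy, backup = None, {}
    try:
        policy = efs.describe_file_system_policy(FileSystemId=fs_id)["Policy"]
    except ClientError as err:  # PolicyNotFound: no file system policy attached
        if err.response["Error"]["Code"] != "PolicyNotFound":
            raise
    try:
        backup = efs.describe_backup_policy(FileSystemId=fs_id)
    except ClientError as err:  # PolicyNotFound: backups never configured
        if err.response["Error"]["Code"] != "PolicyNotFound":
            raise
    sg_ids = set()
    for mt in efs.describe_mount_targets(FileSystemId=fs_id)["MountTargets"]:
        sg_ids.update(efs.describe_mount_target_security_groups(
            MountTargetId=mt["MountTargetId"])["SecurityGroups"])
    sgs = ec2.describe_security_groups(GroupIds=sorted(sg_ids))["SecurityGroups"] if sg_ids else []
    return fs, policy, backup, sgs


if __name__ == "__main__":
    print("compliant sample:", audit(GOOD_FS, TLS_ONLY_POLICY, BACKUP_ON, SG_TIGHT, ALLOWED))
    print("noncompliant sample:", audit(BAD_FS, None, BACKUP_OFF, SG_OPEN, ALLOWED))
```

Against live data, call audit(*collect("<file-system-id>", "<region>"), ALLOWED) with the CIDRs of the subnets that are meant to mount the file system; an empty result means every Test Plan item passes, and each string in a non-empty result names the item that failed.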

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to EFS > File Systems

  3. Click Create File System

  4. Configure the following settings:

    • VPC: Select the VPC where your EC2 instances reside

    • Access Points: Configure NFS access points if required

    • Encryption: Enable encryption at rest and in transit for data security

    • Performance Mode: Choose the appropriate performance mode (General Purpose or Max I/O) based on your workload

    • Backup: Enable backups through AWS Backup or configure a custom backup solution

  5. Click Create File System

  6. Once the file system is created, configure the mount targets in the appropriate Availability Zones

  7. Update the EC2 instances’ security groups to allow NFS traffic to the EFS mount targets

Using AWS CLI:

Create a new EFS file system with encryption at rest enabled (the --encrypted flag must be given at creation; encryption cannot be added to an existing file system):

aws efs create-file-system \
  --creation-token <unique-token> \
  --performance-mode generalPurpose \
  --encrypted \
  --tags Key=Name,Value=MyEFS

Create a mount target for the EFS file system:

aws efs create-mount-target \
  --file-system-id <file-system-id> \
  --subnet-id <subnet-id> \
  --security-groups <security-group-id>

Verify that encryption at rest is enabled (the field is the boolean Encrypted):

aws efs describe-file-systems --file-system-id <file-system-id> --query "FileSystems[0].Encrypted"

Attach the EFS file system to an EC2 instance (requires amazon-efs-utils; the tls option encrypts the NFS traffic in transit):

sudo mount -t efs -o tls <file-system-id>:/ /mnt/efs

Backout Plan:

Using AWS Console:

  1. Navigate to EFS > File Systems

  2. Select the EFS file system to delete

  3. Click Delete File System

  4. Confirm that the file system, mount targets, and associated resources are removed

  5. Recreate the file system and apply the correct settings if needed

Using AWS CLI:

Delete the EFS file system (delete-file-system fails while any mount target exists, so remove each one first with aws efs delete-mount-target --mount-target-id <mount-target-id>):

aws efs delete-file-system --file-system-id <file-system-id>

Verify that the file system and its mount targets are deleted (once deletion has completed, this call returns a FileSystemNotFound error):

aws efs describe-file-systems --file-system-id <file-system-id>

References: