Profile Applicability:
 • Level 2

Description:

Amazon Elastic File System (EFS) provides scalable, fully managed file storage that can be accessed by EC2 instances. Ensuring proper implementation of EFS involves configuring it securely and efficiently, with considerations for encryption, access control, backups, and performance. This enables organizations to utilize shared file systems with high availability and scalability across multiple EC2 instances or on-premises resources.

Rationale:

EFS offers scalable, elastic storage with low-latency access. It enables shared access between multiple EC2 instances across Availability Zones, making it ideal for applications that require a common data source. Proper configuration ensures that EFS is used securely, with appropriate access controls, encryption, and performance tuning, contributing to both operational and security efficiency.

Impact:

Pros:

  • Highly scalable and elastic storage, dynamically growing and shrinking based on demand

  • Enables concurrent access from multiple EC2 instances, improving collaboration across distributed applications

  • Encryption at rest and in transit ensures data security

  • Integration with AWS Backup allows automated and reliable backup solutions

  • Suitable for diverse workloads, including web applications, content management, and data analytics

Cons:

  • Potential cost increase with large-scale storage and frequent access patterns

  • Requires careful setup and maintenance of permissions, security groups, and access controls

  • Misconfigured performance settings may lead to inefficiencies, such as unnecessary latency or high throughput

Default Value:

By default, EFS is not created and is not encrypted. It requires explicit creation and configuration for the desired performance mode, access points, and encryption settings.

Pre-requisites:

  • IAM permissions to create and manage EFS file systems

  • EC2 instances or on-premises resources that require access to the file system

  • Established security groups and access control strategies

  • Knowledge of the required performance mode and backup strategy for your workload

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to EFS > File Systems

  3. Verify that an EFS file system has been created

  4. Check that the appropriate mount targets have been configured for the relevant Availability Zones

  5. Confirm that the performance mode (General Purpose or Max I/O) aligns with the application requirements

  6. Ensure that encryption at rest and encryption in transit are enabled if needed for data protection

  7. Review the access points and security groups to ensure proper access control

  8. Verify that backup integration has been set up with AWS Backup or another backup solution

Using AWS CLI:

List all EFS file systems:

aws efs describe-file-systems

Describe a specific file system to verify settings such as encryption and performance mode:

aws efs describe-file-systems --file-system-id <file-system-id>

Verify the creation of mount targets:

aws efs describe-mount-targets --file-system-id <file-system-id>

Verify encryption settings:

aws efs describe-file-systems --file-system-id <file-system-id> --query "FileSystems[0].[Encrypted,KmsKeyId]"
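An added audit script (not part of the benchmark text) that applies the Test Plan checks above to the JSON returned by the describe-file-systems, describe-mount-targets and describe-backup-policy commands; the sample records, file system IDs and the required Availability Zone list are constructed, and the aws_json helper is only for running the same checks against a live account.

```python
"""Audit EFS file systems against the Test Plan checks (added example)."""
import json
import subprocess

# Constructed sample records in the shape of `aws efs describe-file-systems`
# (FileSystems[]), `describe-mount-targets` (MountTargets[]) and
# `describe-backup-policy` (BackupPolicy). IDs are made up for the example.
SAMPLE_FILE_SYSTEMS = [
    {"FileSystemId": "fs-0123456789abcdef0", "Encrypted": True,
     "PerformanceMode": "generalPurpose", "NumberOfMountTargets": 2},
    {"FileSystemId": "fs-0fedcba9876543210", "Encrypted": False,
     "PerformanceMode": "maxIO", "NumberOfMountTargets": 0},
]
SAMPLE_MOUNT_TARGETS = {
    "fs-0123456789abcdef0": [
        {"AvailabilityZoneName": "us-east-1a", "LifeCycleState": "available"},
        {"AvailabilityZoneName": "us-east-1b", "LifeCycleState": "available"}],
    "fs-0fedcba9876543210": [],
}
SAMPLE_BACKUP_POLICIES = {"fs-0123456789abcdef0": {"Status": "ENABLED"},
                          "fs-0fedcba9876543210": {"Status": "DISABLED"}}


def audit_file_system(fs, mount_targets, backup_policy, required_azs,
                      expected_mode="generalPurpose"):
    """Return the findings for one file system; an empty list means compliant."""
    findings = []
    if not fs.get("Encrypted"):                     # encryption at rest (step 6)
        findings.append("encryption at rest is disabled")
    azs = {mt["AvailabilityZoneName"] for mt in mount_targets
           if mt.get("LifeCycleState") == "available"}  # mount targets (step 4)
    missing = sorted(set(required_azs) - azs)
    if missing:
        findings.append("no available mount target in " + ", ".join(missing))
    if fs.get("PerformanceMode") != expected_mode:  # performance mode (step 5)
        findings.append(f"performance mode is {fs.get('PerformanceMode')}, "
                        f"expected {expected_mode}")
    if backup_policy.get("Status") != "ENABLED":    # AWS Backup (step 8)
        findings.append("AWS Backup policy is not ENABLED")
    return findings


def audit_all(file_systems, mount_targets_by_id, policies_by_id, required_azs):
    """Map each FileSystemId to its list of findings."""
    return {fs["FileSystemId"]: audit_file_system(
                fs, mount_targets_by_id.get(fs["FileSystemId"], []),
                policies_by_id.get(fs["FileSystemId"], {}), required_azs)
            for fs in file_systems}


def aws_json(*args):
    """Run an `aws efs ...` command and parse its JSON (needs credentials; unused in the sample run)."""
    return json.loads(subprocess.check_output(["aws", "efs", *args, "--output", "json"]))


if __name__ == "__main__":
    report = audit_all(SAMPLE_FILE_SYSTEMS, SAMPLE_MOUNT_TARGETS,
                       SAMPLE_BACKUP_POLICIES, ["us-east-1a", "us-east-1b"])
    for fs_id, findings in report.items():
        print(fs_id, "OK" if not findings else "; ".join(findings))
```

Against a live account, feed audit_all with aws_json("describe-file-systems")["FileSystems"] and the per-ID results of describe-mount-targets and describe-backup-policy (the latter returns an error for a file system that never had a policy set, which should be treated as not enabled).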

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to EFS > File Systems

  3. Click Create File System

  4. Select the VPC where your EC2 instances reside

  5. Configure Access Points if needed to facilitate access control

  6. Enable Encryption at Rest and Encryption in Transit if required

  7. Select the Performance Mode that best suits your workload:

    • General Purpose for most applications

    • Max I/O for high-performance, distributed applications

  8. Click Create File System

  9. After creation, configure mount targets in the relevant Availability Zones and attach the file system to EC2 instances

  10. Set up backup integration to ensure data is regularly backed up using AWS Backup or another service

Using AWS CLI:

Create a new EFS file system with encryption and the General Purpose performance mode:

aws efs create-file-system \
  --creation-token <unique-token> \
  --performance-mode generalPurpose \
  --encrypted \
  --tags Key=Name,Value=MyEFS

Create a mount target for the file system:

aws efs create-mount-target \
  --file-system-id <file-system-id> \
  --subnet-id <subnet-id> \
  --security-groups <security-group-id>

Verify the file system's encryption status:

aws efs describe-file-systems --file-system-id <file-system-id> --query "FileSystems[0].[Encrypted,KmsKeyId]"

Attach the EFS file system to an EC2 instance:

sudo mount -t efs <file-system-id>:/ /mnt/efs

The efs mount type requires the EFS mount helper from the amazon-efs-utils package on the instance; pass the helper's tls mount option when encryption in transit is required.

Enable automatic backups through AWS Backup or configure custom backup strategies.

Backout Plan:

Using AWS Console:

  1. Navigate to EFS > File Systems

  2. Select the file system to delete

  3. Click Delete File System

  4. Confirm the deletion of the file system, mount targets, and any backup configuration associated with it

  5. Recreate the file system and apply the necessary settings if needed

Using AWS CLI:

Delete the EFS file system (all of its mount targets must be deleted first, otherwise the call fails with a FileSystemInUse error):

aws efs delete-file-system --file-system-id <file-system-id>

Verify that the file system and its mount targets have been deleted (the command should now return a FileSystemNotFound error):

aws efs describe-file-systems --file-system-id <file-system-id>

References: