Implement a backup plan to protect EFS file systems to meet Contingency Planning standards.
Rule | EFS file systems should be protected by backup plan |
Framework | FedRAMP Low Revision 4 |
Severity | ✔ High |
Rule Description
EFS (Elastic File System) file systems should have a backup plan in place to ensure the protection and availability of data. This rule is specifically for compliance with the FedRAMP (Federal Risk and Authorization Management Program) Low baseline, Revision 4.
Troubleshooting Steps (if applicable)
If backups for EFS file systems are not properly configured, there are several troubleshooting steps you can take to resolve the issue:
Verify Permissions: Ensure that the IAM (Identity and Access Management) policies associated with the EFS file system allow backup operations. Check that the necessary permissions, such as "elasticfilesystem:Backup" and "elasticfilesystem:DescribeFileSystems", are granted to the appropriate IAM roles or users.
Review Backup Configurations: Check the configuration settings for EFS backups. Ensure that the automatic backup feature is enabled and that the backup retention period meets the necessary requirements. Also, verify that backups are being stored in a secure location, such as an AWS S3 bucket with proper access controls.
Check Backup Status: Review the backup status of the EFS file system to determine if any backups have failed or are not being performed at the expected frequency. Use the AWS Management Console, AWS CLI (Command Line Interface), or AWS SDK (Software Development Kit) to query the backup status.
Verify Logging: Enable CloudTrail logging to monitor EFS backup-related API calls and activities. Check the CloudTrail logs to identify any potential issues or errors in the backup process.
Necessary Codes (if applicable)
No specific code is required for this rule. However, the following AWS CLI commands can be used to configure and monitor EFS backups:
To enable automatic backups for an EFS file system:
aws efs put-backup-policy --file-system-id <file-system-id> --backup-policy '{"Status": "ENABLED"}'
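To configure the backup retention period for an EFS file system (retention is the DeleteAfterDays value in the Lifecycle of the AWS Backup plan rule that covers the file system):
aws backup update-backup-plan --backup-plan-id <backup-plan-id> --backup-plan file://<backup-plan.json>
To list the available backups for an EFS file system:
aws backup list-recovery-points-by-resource --resource-arn arn:aws:elasticfilesystem:<region>:<account-id>:file-system/<file-system-id>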
Step-by-step Guide for Remediation
Follow these steps to remediate the EFS backup plan rule non-compliance:
Identify the EFS file systems that are not protected by a backup plan. You can obtain this information by checking the compliance reports or by using the AWS Management Console or AWS CLI.
For each identified EFS file system, ensure that the necessary permissions are granted to the IAM roles or users responsible for backup operations. Confirm that the policies include the required permissions for EFS backup-related actions.
Enable automatic backups for the EFS file systems by executing the following AWS CLI command:
aws efs put-backup-policy --file-system-id <file-system-id> --backup-policy '{"Status": "ENABLED"}'
Replace <file-system-id> with the actual ID of the EFS file system.
Configure the backup retention period for the EFS file systems. Retention is set on the AWS Backup plan that protects the file system, as the DeleteAfterDays value in the Lifecycle of the plan's rule. Use the AWS CLI command:
aws backup update-backup-plan --backup-plan-id <backup-plan-id> --backup-plan file://<backup-plan.json>
Replace <backup-plan-id> with the ID of the backup plan and <backup-plan.json> with the path to the updated plan document.
Verify that the EFS file systems now have backups enabled with the desired retention period. Check the backup status using the AWS CLI command:
aws backup list-recovery-points-by-resource --resource-arn arn:aws:elasticfilesystem:<region>:<account-id>:file-system/<file-system-id>
Replace <region>, <account-id> and <file-system-id> with the values for the EFS file system.
Monitor the backups regularly to ensure they are being performed as expected. Consider setting up automated monitoring or notifications to detect and address any backup failures or issues.
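The identification and verification steps above can be scripted across every file system in a region. The following is an added example, not part of the original rule text; the function name `audit_efs_backups` and the verdict labels are illustrative, and it assumes the EFS automatic backup policy is the protection mechanism in use (a file system covered only by a custom AWS Backup plan would show as UNPROTECTED here).

```shell
#!/bin/sh
# Added example (not from the original page): audit EFS backup coverage.
# Prints "<file-system-id> <policy-status> <recovery-points> <verdict>" per
# file system in the CLI's current region; returns 1 if any is not PROTECTED.
audit_efs_backups() {
    rc=0
    # One row per file system: ID and ARN, tab-separated.
    list=$(aws efs describe-file-systems \
        --query 'FileSystems[].[FileSystemId,FileSystemArn]' --output text) || return 2
    while read -r id arn; do
        [ -n "$id" ] || continue
        # The call fails (PolicyNotFound) when no backup policy was ever set.
        status=$(aws efs describe-backup-policy --file-system-id "$id" \
            --query 'BackupPolicy.Status' --output text 2>/dev/null) || status=NONE
        # Count the recovery points AWS Backup holds for this file system.
        points=$(aws backup list-recovery-points-by-resource --resource-arn "$arn" \
            --query 'length(RecoveryPoints)' --output text 2>/dev/null) || points=0
        # Treat any non-numeric answer as "no recovery points".
        case "$points" in ''|*[!0-9]*) points=0 ;; esac
        if [ "$status" != "ENABLED" ]; then
            verdict=UNPROTECTED
        elif [ "$points" -eq 0 ]; then
            verdict=NO_RECOVERY_POINTS   # enabled, but nothing restorable yet
        else
            verdict=PROTECTED
        fi
        [ "$verdict" = PROTECTED ] || rc=1
        printf '%s %s %s %s\n' "$id" "$status" "$points" "$verdict"
    done <<EOF
$list
EOF
    return $rc
}
# Usage: source this file, then run: audit_efs_backups
```

A non-zero return makes the function usable as a scheduled check that raises an alert when any file system lacks an enabled policy or a restorable recovery point.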
By following these steps, you can ensure that EFS file systems comply with the requirement of having a backup plan in place, as stipulated by the FedRAMP Low baseline, Revision 4.