Rule: EFS file systems should be in a backup plan
Ensure EFS file systems are included in backup plans to mitigate risks.
| Rule | EFS file systems should be in a backup plan |
| Framework | Federal Financial Institutions Examination Council (FFIEC) |
| Severity | ✔ High |
EFS File System Backup Plan for FFIEC Compliance
Overview
The Federal Financial Institutions Examination Council (FFIEC) has guidelines that require financial institutions to have robust backup and disaster recovery plans in place. As part of these guidelines, Amazon Elastic File System (EFS) used by financial institutions should be regularly backed up to ensure data integrity and continuity of business operations in the event of data loss.
EFS Backup Rule Details
Criteria:
- 1.Regular Backups: EFS file systems must be backed up daily.
- 2.Retention Policy: Backup retention should comply with the regulatory data retention requirements, typically several years.
- 3.Encryption: Backups should be encrypted at rest using AWS Key Management Service (KMS).
- 4.Testing: Regular testing of backup restoration is mandatory to ensure backup reliability.
Troubleshooting Steps
Verifying Backup Plan Configurations:
- 1.Log in to the AWS Backup console.
- 2.Navigate to 'Backup plans'.
- 3.Review the backup plans to check if a plan covers all EFS file systems.
- 4.Check the schedule, retention policy, and encryption settings.
Investigating Backup Failures:
- 1.Navigate to 'Job console' within AWS Backup.
- 2.Look for any failed backup jobs.
- 3.Review job details for error messages and logs to identify the issue.
Common Problems:
- Incorrect IAM Roles: Ensure the backup plan has the necessary permissions.
- Network Issues: Verify the connectivity between EFS and the backup service.
- Encryption Key Access: Ensure that AWS Backup has access to the KMS key for encryption.
Necessary Automation Code
AWS CLI Commands
Create EFS Backup Plan
aws backup create-backup-plan --backup-plan '{ "BackupPlanName": "EFS-Backup-Plan", "Rules": [ { "RuleName": "DailyEFSBackupRule", "TargetBackupVaultName": "MyBackupVault", "ScheduleExpression": "cron(0 0 * * ? *)", "StartWindowMinutes": 60, "CompletionWindowMinutes": 10080, "Lifecycle": { "MoveToColdStorageAfterDays": 30, "DeleteAfterDays": 3650 }, "RecoveryPointTags": { "CreatedBy": "AWS Backup" } } ] }'
Assign Resources to the Backup Plan
aws backup create-backup-selection --backup-plan-id "<backup_plan_id>" --backup-selection '{ "SelectionName": "EFS-Backup-Selection", "IamRoleArn": "arn:aws:iam::123456789012:role/service-role/AWSBackupDefaultServiceRole", "Resources": [ "arn:aws:elasticfilesystem:region:account-id:file-system/fs-id" ] }'
Replace
<backup_plan_id>regionaccount-idfs-idStep by Step Guide for Remediation
- 1.Navigate to the AWS Backup console.
- 2.Click 'Create a backup plan' and select a template or start with an empty plan.
- 3.Name your backup plan appropriately.
- 4.Design the plan with daily backups, set the retention period, and choose encryption with a suitable KMS key.
- 5.Assign the newly created backup plan to EFS file systems.
- 6.Make sure the IAM role ‘AWSBackupDefaultServiceRole’ has the proper permissions.
- 7.Monitor backups regularly and test restorations quarterly.
- 8.Make adjustments to your backup plan based on testing feedback and ongoing FFIEC guidelines.
By integrating these practices, financial institutions can ensure that their EFS file systems meet the FFIEC backup requirements while also optimizing their environment for better search engine visibility without compromising on conciseness and relevance.