
Enable Automatic Backups for Elastic File Systems

Risk Level: High (not acceptable risk)

Ensure that your Amazon EFS file systems are configured to take automatic daily backups for point-in-time recovery.

Reliability

Amazon EFS automatic backups simplify backup management for your EFS file systems, help you meet regulatory backup requirements, and let you restore data efficiently after corruption or loss. Once automatic backups are enabled, the Amazon EFS service takes a full snapshot of your file system data every day and keeps each backup for a limited, configurable period known as the backup retention period. These daily backups are stored in a default EFS backup vault that the Amazon EFS service creates on your behalf.


Audit

To determine if your Amazon EFS file systems have automatic backups enabled, perform the following actions:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Elastic File System (EFS) console at https://console.aws.amazon.com/efs/.

  3. In the main navigation panel, under Elastic File System, choose File systems.

  4. Click on the name/ID (link) of the Amazon EFS file system that you want to examine.

  5. In the General section, check the Automatic backups attribute value. If the Automatic backups value (status) is set to Disabled, automatic backups are not enabled for the selected Amazon EFS file system.

  6. Repeat steps no. 4 and 5 for each Amazon EFS file system available within the current AWS region.

  7. Change the AWS cloud region from the navigation bar and repeat the Audit process for other AWS regions.

Using AWS CLI

  1. Run describe-file-systems command (OSX/Linux/UNIX) with custom query filters to list the name of each Amazon EFS file system provisioned in the selected AWS region:

    aws efs describe-file-systems \
      --region us-east-1 \
      --output table \
      --query 'FileSystems[*].FileSystemId'
    
  2. The command output should return a table with the requested file system ID(s):

    --------------------------
    |   DescribeFileSystems  |
    +------------------------+
    |  fs-0abcd1234abcd1234  |
    |  fs-01234abcd1234abcd  |
    +------------------------+
    
  3. Run describe-backup-policy command (OSX/Linux/UNIX) using the ID of the EFS file system that you want to examine as the identifier and the custom query filters to describe the status of the backup policy configured for the selected file system:

    aws efs describe-backup-policy \
      --region us-east-1 \
      --file-system-id fs-0abcd1234abcd1234 \
      --query 'BackupPolicy.Status'
    
  4. The command output should return the requested backup policy status:

    "DISABLED"

     If the describe-backup-policy command output returns "DISABLED" as the status of the file system backup policy, as shown in the example above, the Automatic Backups feature is not enabled for the selected Amazon EFS file system.

  5. Repeat steps no. 3 and 4 for each Amazon EFS file system available in the selected AWS region.

  6. Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enable automatic backups for your existing Amazon EFS file systems, perform the following actions:

Using AWS CloudFormation

  1. CloudFormation template (JSON):

    {
    	"AWSTemplateFormatVersion": "2010-09-09",
    	"Description": "Enable Automatic Backups",
    	"Resources": {
    		"MountTargetVPC": {
    			"Type": "AWS::EC2::VPC",
    			"Properties": {
    				"CidrBlock": "172.16.0.0/16"
    			}
    		},
    		"MountTargetSubnet": {
    			"Type": "AWS::EC2::Subnet",
    			"Properties": {
    				"CidrBlock": "172.16.1.0/24",
    				"VpcId": {
    					"Ref": "MountTargetVPC"
    				},
    				"AvailabilityZone": "us-east-1a"
    			}
    		},
    		"EFSFileSystem": {
    			"Type": "AWS::EFS::FileSystem",
    			"Properties": {
    				"Encrypted": true,
    				"PerformanceMode": "generalPurpose",
    				"ThroughputMode": "bursting",
    				"FileSystemPolicy": {
    					"Version": "2012-10-17",
    					"Statement": [
    						{
    							"Effect": "Allow",
    							"Action": [
    								"elasticfilesystem:ClientMount"
    							],
    							"Principal": {
    								"AWS": "arn:aws:iam::123456789012:role/EFSReadOnlyRole"
    							}
    						}
    					]
    				},
    				"BackupPolicy": {
    					"Status": "ENABLED"
    				}
    			}
    		},
    		"EFSMountTarget": {
    			"Type": "AWS::EFS::MountTarget",
    			"Properties": {
    				"FileSystemId": {
    					"Ref": "EFSFileSystem"
    				},
    				"SubnetId": {
    					"Ref": "MountTargetSubnet"
    				},
    				"SecurityGroups": [
    					{
    						"Fn::GetAtt": [
    							"MountTargetVPC",
    							"DefaultSecurityGroup"
    						]
    					}
    				]
    			}
    		},
    		"EFSAccessPoint": {
    			"Type": "AWS::EFS::AccessPoint",
    			"Properties": {
    				"FileSystemId": {
    					"Ref": "EFSFileSystem"
    				},
    				"PosixUser": {
    					"Uid": "13234",
    					"Gid": "1322",
    					"SecondaryGids": [
    						"1344",
    						"1452"
    					]
    				},
    				"RootDirectory": {
    					"CreationInfo": {
    						"OwnerGid": "708798",
    						"OwnerUid": "7987987",
    						"Permissions": "0755"
    					},
    					"Path": "/web/production"
    				}
    			}
    		}
    	}
    }
    
  2. CloudFormation template (YAML):

    AWSTemplateFormatVersion: '2010-09-09'
    Description: Enable Automatic Backups
    Resources:
      MountTargetVPC:
        Type: AWS::EC2::VPC
        Properties:
          CidrBlock: 172.16.0.0/16
      MountTargetSubnet:
        Type: AWS::EC2::Subnet
        Properties:
          CidrBlock: 172.16.1.0/24
          VpcId: !Ref 'MountTargetVPC'
          AvailabilityZone: us-east-1a
      EFSFileSystem:
        Type: AWS::EFS::FileSystem
        Properties:
          Encrypted: true
          PerformanceMode: generalPurpose
          ThroughputMode: bursting
          FileSystemPolicy:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - elasticfilesystem:ClientMount
                Principal:
                  AWS: arn:aws:iam::123456789012:role/EFSReadOnlyRole
          BackupPolicy:
            Status: ENABLED
      EFSMountTarget:
        Type: AWS::EFS::MountTarget
        Properties:
          FileSystemId: !Ref 'EFSFileSystem'
          SubnetId: !Ref 'MountTargetSubnet'
          SecurityGroups:
            - !GetAtt 'MountTargetVPC.DefaultSecurityGroup'
      EFSAccessPoint:
        Type: AWS::EFS::AccessPoint
        Properties:
          FileSystemId: !Ref 'EFSFileSystem'
          PosixUser:
            Uid: '13234'
            Gid: '1322'
            SecondaryGids:
              - '1344'
              - '1452'
          RootDirectory:
            CreationInfo:
              OwnerGid: '708798'
              OwnerUid: '7987987'
              Permissions: '0755'
            Path: /web/production
    

Using Terraform (AWS Provider)

  1. Terraform configuration file (.tf):

    terraform {
    	required_providers {
    		aws = {
    			source  = "hashicorp/aws"
    			version = "~> 4.0"
    		}
    	}
    
    	required_version = ">= 0.14.9"
    }
    
    provider "aws" {
    	profile = "default"
    	region  = "us-east-1"
    }
    
    resource "aws_efs_file_system" "efs-file-system" {
    	creation_token   = "abcdabcd-abcd-abcd-abcd-abcdabcdabcd"
    	performance_mode = "generalPurpose"
    	throughput_mode  = "bursting"
    	encrypted        = true
    }
    
    resource "aws_efs_file_system_policy" "file-system-policy" {
    	file_system_id = aws_efs_file_system.efs-file-system.id
    	policy         = <<POLICY
    {
    	"Version": "2012-10-17",
    	"Statement": [
    		{
    			"Effect": "Allow",
    			"Action": [
    				"elasticfilesystem:ClientMount"
    			],
    			"Principal": {"AWS": "arn:aws:iam::123456789012:role/EFSReadOnlyRole"}
    		}
    	]
    }
    POLICY
    }
    
    resource "aws_efs_mount_target" "efs-mount-target" {
    	file_system_id  = aws_efs_file_system.efs-file-system.id
    	subnet_id       = "subnet-0abcd1234abcd1234"
    	security_groups = ["sg-01234abcd1234abcd"]
    }
    
    resource "aws_efs_access_point" "efs-access-point" {
    	file_system_id = aws_efs_file_system.efs-file-system.id
    }
    
    resource "aws_efs_backup_policy" "efs-backup-policy" {
    	file_system_id = aws_efs_file_system.efs-file-system.id
    	backup_policy {
    		status = "ENABLED"
    	}
    }
    

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Elastic File System (EFS) console at https://console.aws.amazon.com/efs/.

  3. In the main navigation panel, under Elastic File System, choose File systems.

  4. Click on the name/ID (link) of the Amazon EFS file system that you want to reconfigure.

  5. Choose Edit from the General section to modify the file system general settings.

  6. Select the Enable automatic backups checkbox available under Automatic backups to enable the Automatic Backups feature for the selected Amazon EFS file system.

  7. Choose Save changes to apply the configuration changes.

  8. Repeat steps no. 4 – 7 for each Amazon EFS file system available in the selected AWS region.

  9. Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

  1. Run put-backup-policy command (OSX/Linux/UNIX) using the ID of the Amazon EFS file system that you want to reconfigure as the identifier parameter to enable automatic backups by updating the backup policy configured for the selected file system:

    aws efs put-backup-policy \
      --region us-east-1 \
      --file-system-id fs-0abcd1234abcd1234 \
      --backup-policy Status="ENABLED"
    
  2. The command output should return the status of the updated EFS backup policy:

    {
    	"BackupPolicy": {
    		"Status": "ENABLING"
    	}
    }
    
  3. Run describe-backup-policy command (OSX/Linux/UNIX) to describe the current status of the EFS backup policy in order to ensure that automatic backups have been enabled for the selected file system:

    aws efs describe-backup-policy \
      --region us-east-1 \
      --file-system-id fs-0abcd1234abcd1234 \
      --query 'BackupPolicy.Status'
    
  4. The command output should return the requested status. If the status is set to "ENABLED", automatic backups have been enabled for the selected file system:

    "ENABLED"
    
  5. Repeat steps no. 1 – 4 for each Amazon EFS file system available in the selected AWS region.

  6. Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
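The CLI Audit and Remediation procedures above, scripted across regions as an added example (not Conformity's own tooling). It assumes an AWS CLI profile allowed to call the EFS operations used on this page, treats only ENABLED as compliant (ENABLING/DISABLING are transitional, as in the put-backup-policy output above), and counts a file system whose describe-backup-policy call fails (for example with PolicyNotFound) as non-compliant; the EFS_AUDIT_REGIONS and EFS_AUDIT_FIX variables are names chosen for this example.

```shell
#!/bin/sh
# Audit (and optionally remediate) the EFS backup policy of every file
# system in one or more regions. Constructed example: the environment
# variable names below are assumptions, the aws commands are the ones
# from the Audit and Remediation sections.
set -eu

# Map a BackupPolicy.Status value to an audit verdict. Only ENABLED is
# compliant; ENABLING/DISABLING are transitional; DISABLED, or a file
# system with no policy at all (describe-backup-policy fails, e.g. with
# PolicyNotFound, and we substitute MISSING), is non-compliant.
classify_backup_status() {
  case "$1" in
    ENABLED)            echo COMPLIANT ;;
    ENABLING|DISABLING) echo IN_PROGRESS ;;
    *)                  echo NON_COMPLIANT ;;
  esac
}

# Print "region<TAB>fs-id<TAB>status<TAB>verdict" for each file system in
# a region. With EFS_AUDIT_FIX=1, apply the page's put-backup-policy
# remediation to every file system whose verdict is NON_COMPLIANT.
audit_region() {
  region="$1"
  fs_ids=$(aws efs describe-file-systems --region "$region" \
             --query 'FileSystems[*].FileSystemId' --output text)
  for fs in $fs_ids; do
    status=$(aws efs describe-backup-policy --region "$region" \
               --file-system-id "$fs" --query 'BackupPolicy.Status' \
               --output text 2>/dev/null || echo MISSING)
    verdict=$(classify_backup_status "$status")
    printf '%s\t%s\t%s\t%s\n' "$region" "$fs" "$status" "$verdict"
    if [ "$verdict" = NON_COMPLIANT ] && [ "${EFS_AUDIT_FIX:-0}" = 1 ]; then
      aws efs put-backup-policy --region "$region" --file-system-id "$fs" \
        --backup-policy Status=ENABLED >/dev/null
    fi
  done
}

# Entry point, e.g.: EFS_AUDIT_REGIONS="us-east-1 eu-west-1" sh efs-audit.sh
# With no regions set, the script only defines the functions above.
for region in ${EFS_AUDIT_REGIONS:-}; do
  audit_region "$region"
done
```

Re-run the audit without EFS_AUDIT_FIX after remediating; a file system reported as IN_PROGRESS should move to ENABLED once the policy change completes.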

Publication date Jan 17, 2024