Rule: EFS File Systems Should Be Protected by Backup Plan

This rule ensures that EFS file systems are safeguarded with a backup plan in place.

Rule: EFS file systems should be protected by backup plan
Framework: CISA-cyber-essentials
Severity: High

Ensuring EFS File Systems are Protected by Backup Plan for CISA Cyber Essentials

Elastic File System (EFS) is an AWS cloud storage service that offers scalable, elastic, cloud-native storage for use with AWS services. The CISA Cyber Essentials treat data backups as essential, because they let you recover your data after deletion, corruption, or a cyberattack. Here's a comprehensive guide to implementing a backup plan for EFS in compliance with the CISA Cyber Essentials.

AWS Backup Service

AWS Backup is a centralized service that allows you to manage backups across AWS services. To adhere to CISA Cyber Essentials guidelines, you should use AWS Backup to automate and manage backups for EFS.

Creating a Backup Plan

Step 1: Set up Backup Vault

Before creating a backup plan, create a Backup Vault in AWS Backup. It's a secured place where backed-up data will be stored. Use the following CLI command to create a Backup Vault:

aws backup create-backup-vault --backup-vault-name YourBackupVaultName

Step 2: Define Backup Policy

Draft a backup policy that complies with the CISA Cyber Essentials guidelines. It should specify:

  • The frequency of backups (daily, weekly, etc.)
  • The retention period of backups
  • The backup window during which the backups should occur

Step 3: Create the Backup Plan

Use the AWS Management Console or AWS CLI to create a backup plan:

aws backup create-backup-plan --backup-plan file://backup-plan.json

In the backup-plan.json file, specify the rules for backup frequency, retention period, and so on, based on the policy you have defined.

Step 4: Assign Resources

Specify the EFS file systems that need to be backed up by creating a resource assignment:

aws backup create-backup-selection --backup-plan-id <backup-plan-id> --backup-selection file://resource-selection.json

Where resource-selection.json includes a list of EFS file system IDs.

Step 5: Monitor Backup Jobs

Regularly monitor backup jobs to ensure they are completing successfully and address any issues as they arise.

aws backup list-backup-jobs --by-resource-arn <file-system-arn>
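
An added example, not part of the original page: a shell script that writes the two JSON input files used by the Step 3 and Step 4 commands. AWS Backup selections identify resources by ARN, so each EFS file system ID is expanded into its ARN. The account ID, region, file system IDs, names, schedule and retention values are constructed placeholders, and the script assumes the default service role AWSBackupDefaultServiceRole exists in the account.

```bash
# Added example. Constructed placeholders: account ID, region, file system IDs,
# plan/rule/selection names, schedule and retention values.
VAULT="YourBackupVaultName"     # vault created in Step 1
ACCOUNT_ID="111122223333"       # placeholder account
REGION="us-east-1"              # placeholder region
# Assumption: the default AWS Backup service role exists in this account.
ROLE_ARN="arn:aws:iam::${ACCOUNT_ID}:role/service-role/AWSBackupDefaultServiceRole"

# Step 2 policy expressed as a plan: daily at 05:00 UTC (frequency),
# 35-day retention, job must start within 60 minutes of the schedule (window).
backup_plan_json() {
  cat <<EOF
{
  "BackupPlanName": "efs-daily",
  "Rules": [
    {
      "RuleName": "daily-35d",
      "TargetBackupVaultName": "${VAULT}",
      "ScheduleExpression": "cron(0 5 * * ? *)",
      "StartWindowMinutes": 60,
      "CompletionWindowMinutes": 360,
      "Lifecycle": { "DeleteAfterDays": 35 }
    }
  ]
}
EOF
}

# Step 4 selection: expands each file system ID argument into its ARN.
backup_selection_json() {
  arns=""
  sep=""
  for fs_id in "$@"; do
    arns="${arns}${sep}\"arn:aws:elasticfilesystem:${REGION}:${ACCOUNT_ID}:file-system/${fs_id}\""
    sep=", "
  done
  cat <<EOF
{
  "SelectionName": "efs-file-systems",
  "IamRoleArn": "${ROLE_ARN}",
  "Resources": [${arns}]
}
EOF
}

# Write the files consumed by the Step 3 and Step 4 commands.
backup_plan_json > backup-plan.json
backup_selection_json fs-0123456789abcdef0 fs-0fedcba9876543210 > resource-selection.json
```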

Troubleshooting Steps

If you encounter any issues with your backup jobs, consider the following steps:

1. Verify Backup Permissions

Ensure that the IAM role used for AWS Backup has the necessary permissions to access the EFS file systems and perform backup operations.

2. Check Resource Availability

Ensure there is no ongoing maintenance or issues with the EFS service that might prevent backups from completing.

3. Evaluate Backup Configuration

Review your backup plan and selection configurations to ensure there are no mistakes that might affect the backup process.

4. Check CloudTrail Logs

If backups are failing, AWS CloudTrail can provide detailed logs that might indicate the cause of the failure.

Remediation Steps

If you identify an issue with your backup processes, use the following remediation steps:

  1. Correct IAM Role Permissions: Adjust the policy associated with the IAM role to include necessary permissions.
  2. Re-evaluate Backup Plan: If there was an error in the plan or resource assignment, correct the JSON file and update the plan/selection using the update CLI commands.
  3. Check AWS Service Health Dashboard: Monitor EFS operational status and take action if there are any disruptions.

Implementing a robust backup plan is crucial for compliance and resilience. Following these guidelines will help ensure that your EFS file systems are protected in accordance with the CISA Cyber Essentials—increasing the likelihood that you can swiftly recover from potential data loss incidents.
