Ensure that EFS file systems are included in the backup plan to maintain data integrity and security.
Rule: EFS file systems should be in a backup plan
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: High
EFS File Systems Compliance with NIST Cybersecurity Framework
Description of the Rule
Amazon Elastic File System (EFS) offers a simple, serverless, set-and-forget, elastic file storage system. For maintaining compliance with the NIST Cybersecurity Framework (CSF), it is essential to ensure that all EFS file systems are included in a backup plan. The NIST CSF advises organizations to maintain the integrity, confidentiality, and availability of information, which includes regular backups of storage systems.
NIST CSF References for EFS Backup Plan:
Identify (ID): Develop an understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
Protect (PR): Outline safeguards to ensure delivery of critical services.
Recover (RC): Create plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Troubleshooting Steps
In the event that an EFS file system is not being backed up, the following troubleshooting steps can be used:
Verify Backup Plan Configuration: Confirm that the AWS Backup service includes all your EFS file systems within its scope.
Check Backup Policies: Ensure that the backup policies are correctly configured with suitable backup frequency and retention settings.
Review IAM Permissions: Validate that the necessary IAM permissions are in place for AWS Backup to access the EFS resources.
Examine CloudWatch Logs: Review Amazon CloudWatch Logs for any errors reported during the backup process.
Check Lifecycle Management: Verify that lifecycle settings (the backup rule's retention and cold-storage transition, as well as any EFS lifecycle policies) are not expiring recovery points or backups earlier than your retention policy intends.
If backups are failing or not occurring, it may be necessary to update backup plans or IAM policies, or troubleshoot network connectivity and permissions issues.
Necessary Codes and CLI Commands
Step 1: List all EFS File Systems
Use the AWS CLI to list all EFS file systems:
aws efs describe-file-systems --query 'FileSystems[*].FileSystemId' --output text
Step 2: Confirm Backup Plan Coverage
List all backup plans:
aws backup list-backup-plans --output text
Choose a backup plan ID and inspect it (this command returns the plan's rules; the resources the plan actually covers are defined by the backup selections attached to it, so confirm EFS coverage there as well):
aws backup get-backup-plan --backup-plan-id <YOUR_BACKUP_PLAN_ID>
Step 3: Update Backup Plan
If any EFS file systems are missing from the backup plan, update the plan (this command replaces the plan's rules; the file systems themselves are attached to the plan through its backup selections):
aws backup update-backup-plan --backup-plan-id <YOUR_BACKUP_PLAN_ID> --backup-plan <UPDATED_PLAN_JSON>
Replace <UPDATED_PLAN_JSON> with the JSON structure of the updated backup plan (inline, or as a file:// path) that covers the necessary EFS file systems.
Step 4: Remediate Missing Backups
Create a backup on demand if one is missing:
aws backup start-backup-job --resource-arn <EFS_RESOURCE_ARN> --backup-vault-name <YOUR_BACKUP_VAULT> --iam-role-arn <YOUR_IAM_ROLE_ARN>
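The four steps above, as an added example script that is not part of the original page. Since get-backup-plan returns only a plan's rules, the script instead compares the account's EFS file system ARNs against what AWS Backup reports as protected, attaches any gaps to a plan through a new backup selection, and starts an on-demand job for each. The plan ID, vault name, IAM role ARN and selection name are placeholders; the ARNs in the demo function are constructed sample values, and only the two "live" functions call the AWS CLI.

```shell
#!/bin/sh
# Added example: audit EFS backup coverage and close gaps with AWS Backup.
# Requires the AWS CLI with credentials for the audited account; only
# audit_live_account and assign_to_plan talk to AWS.

# Print every ARN in the first list that is absent from the second list.
# Both lists are whitespace-separated (the shape `--output text` produces;
# tabs and newlines are normalised to spaces before matching).
unprotected_efs() {
  all="$1"
  protected=$(printf '%s' "$2" | tr '\t\n' '  ')
  for arn in $all; do
    case " $protected " in
      *" $arn "*) ;;                 # already covered by a backup plan
      *) printf '%s\n' "$arn" ;;     # gap: not protected by any plan
    esac
  done
}

# Build the JSON for `aws backup create-backup-selection`.
# $1 selection name, $2 IAM role ARN used by AWS Backup, rest: resource ARNs.
build_selection_json() {
  name="$1"; role="$2"; shift 2
  resources=""
  for arn in "$@"; do
    resources="${resources:+$resources, }\"$arn\""
  done
  printf '{"SelectionName": "%s", "IamRoleArn": "%s", "Resources": [%s]}\n' \
    "$name" "$role" "$resources"
}

# Live audit: EFS file systems in the account versus resources that AWS Backup
# reports as protected (the JMESPath filter keeps only EFS entries).
audit_live_account() {
  all=$(aws efs describe-file-systems \
          --query 'FileSystems[*].FileSystemArn' --output text)
  protected=$(aws backup list-protected-resources \
          --query "Results[?ResourceType=='EFS'].ResourceArn" --output text)
  unprotected_efs "$all" "$protected"
}

# Live remediation: attach the given EFS ARNs to a plan via a backup selection,
# then start an on-demand backup job for each so the gap is closed at once.
# $1 backup plan ID, $2 backup vault name, $3 IAM role ARN, rest: EFS ARNs.
assign_to_plan() {
  plan_id="$1"; vault="$2"; role="$3"; shift 3
  aws backup create-backup-selection --backup-plan-id "$plan_id" \
    --backup-selection "$(build_selection_json efs-coverage "$role" "$@")"
  for arn in "$@"; do
    aws backup start-backup-job --resource-arn "$arn" \
      --backup-vault-name "$vault" --iam-role-arn "$role"
  done
}

# Offline demonstration on constructed ARNs (no AWS calls): fs-0bbb is
# protected, so fs-0aaa and fs-0ccc are reported as gaps.
demo() {
  all="arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0aaa
arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0bbb
arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0ccc"
  protected="arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0bbb"
  unprotected_efs "$all" "$protected"
}

demo
# Against a real account (placeholders must be replaced):
# audit_live_account
# assign_to_plan <YOUR_BACKUP_PLAN_ID> <YOUR_BACKUP_VAULT> <YOUR_IAM_ROLE_ARN> $(audit_live_account)
```

The selection uses explicit resource ARNs so the audit output maps one-to-one onto what gets assigned; a tag-based selection would also work but makes the coverage check depend on tagging discipline.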
Step by Step Guide for Remediation
Review Existing Backup Plans: Check current backup plans to ensure coverage of all EFS file systems.
Attach EFS to a Backup Plan: Either update existing backup plans or create a new backup plan to include all EFS file systems.
Set Backup Frequency and Retention: Define a schedule and retention period that complies with NIST CSF standards.
Assign IAM Roles and Policies: Apply the correct IAM permissions needed by AWS Backup to perform backup jobs.
Test Backup Procedures: Manually initiate a backup job to validate that the backup process works as expected.
Monitor Backup Activities: Regularly monitor via the AWS Backup console or CloudWatch to validate ongoing backup operations.
Review and Audit: Regularly audit your backup plan and settings to maintain compliance as part of your cybersecurity strategy.
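For the "Set Backup Frequency and Retention" step, an added example (not from the original page) that builds the plan JSON consumed by update-backup-plan with a daily schedule and explicit retention, and checks the lifecycle against AWS Backup's rule that a recovery point moved to cold storage must remain there at least 90 days before deletion. The plan name, vault name, schedule and day counts are placeholder values chosen for illustration.

```shell
#!/bin/sh
# Added example: define a backup plan rule (schedule + retention), validate the
# lifecycle, and apply it with `aws backup update-backup-plan`.

# AWS Backup requires DeleteAfterDays >= MoveToColdStorageAfterDays + 90.
# $1 days before cold storage (0 = never transition), $2 days before deletion.
validate_lifecycle() {
  cold="$1"; delete="$2"
  for n in "$cold" "$delete"; do
    case "$n" in ''|*[!0-9]*) return 1 ;; esac      # non-negative integers only
  done
  [ "$delete" -gt 0 ] || return 1                   # retention must be positive
  [ "$cold" -eq 0 ] || [ "$delete" -ge $((cold + 90)) ]
}

# Emit the plan JSON for `aws backup update-backup-plan --backup-plan`.
# $1 plan name, $2 target vault, $3 cron schedule, $4 cold-storage days
# (0 = off), $5 delete-after days.
build_plan_json() {
  validate_lifecycle "$4" "$5" || {
    echo "invalid lifecycle: cold=$4 delete=$5" >&2; return 1; }
  if [ "$4" -eq 0 ]; then
    lifecycle="{\"DeleteAfterDays\": $5}"
  else
    lifecycle="{\"MoveToColdStorageAfterDays\": $4, \"DeleteAfterDays\": $5}"
  fi
  cat <<EOF
{
  "BackupPlanName": "$1",
  "Rules": [
    {
      "RuleName": "$1-rule",
      "TargetBackupVaultName": "$2",
      "ScheduleExpression": "$3",
      "StartWindowMinutes": 60,
      "CompletionWindowMinutes": 180,
      "Lifecycle": $lifecycle
    }
  ]
}
EOF
}

# Live apply: write the plan to a file and let the CLI read it via file://.
# $1 backup plan ID, remaining args as for build_plan_json.
apply_plan() {
  plan_id="$1"; shift
  build_plan_json "$@" > /tmp/efs-backup-plan.json || return 1
  aws backup update-backup-plan --backup-plan-id "$plan_id" \
    --backup-plan file:///tmp/efs-backup-plan.json
}

# Placeholder rule: daily at 05:00 UTC, cold storage after 30 days,
# delete after 365 days (365 >= 30 + 90, so the lifecycle is accepted).
build_plan_json efs-nist-csf Default 'cron(0 5 ? * * *)' 30 365
# apply_plan <YOUR_BACKUP_PLAN_ID> efs-nist-csf Default 'cron(0 5 ? * * *)' 30 365
```

Validating the lifecycle locally matters because AWS Backup rejects a rule whose retention is shorter than the cold-storage minimum, and a silently failed plan update leaves the EFS file systems on the old retention.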
Implementing these steps ensures that EFS file systems adhere to backup requirements specified by the NIST Cybersecurity Framework, enhancing the organization's resilience against data loss and system failures.