Enable Lifecycle Management for AWS EFS File Systems

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)

Ensure that your Amazon EFS file systems use Lifecycle Management to manage EFS data efficiently during its lifetime and to reduce storage costs for infrequently accessed files. The Lifecycle Management feature automatically moves your Amazon EFS files to the lower-cost Infrequent Access (IA) storage class based on a predefined lifecycle policy, which makes file storage management more cost-effective.

Cost optimisation

The storage classes available for AWS EFS file systems are Standard – a storage class used to store frequently accessed files – and Infrequent Access (IA) – a lower-cost storage class designed for storing infrequently accessed files in a cost-effective manner. The IA storage class reduces storage costs for files that are not repeatedly accessed, without altering the high availability, high durability, elasticity or POSIX file system access that the AWS EFS service provides. With the Lifecycle Management feature enabled, you can use the EFS IA storage class to keep your files accessible in order to satisfy audit requirements, perform historical analysis or support backup and recovery, while lowering your EFS costs.


Audit

To determine if your AWS EFS file systems use Lifecycle Management, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Elastic File System (EFS) dashboard at https://console.aws.amazon.com/efs/.

03 In the left navigation panel, select File Systems to access the list of EFS file systems available.

04 Click on the EFS file system that you want to examine to expand the panel with the file system configuration details.

05 On the selected file system configuration panel, within the Other details section, check the Lifecycle policy attribute value. If the configuration attribute value is set to None, the selected Amazon EFS file system does not have a lifecycle policy currently attached, therefore the Lifecycle Management feature is not enabled.

06 Repeat steps no. 4 and 5 to verify the Lifecycle Management status and configuration for other EFS file systems provisioned in the current region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-file-systems command (OSX/Linux/UNIX) using custom query filters to list the IDs of all EFS file systems available within the selected AWS region:

aws efs describe-file-systems \
	--region us-east-1 \
	--output table \
	--query 'FileSystems[*].FileSystemId'

02 The command output should return a table with the requested file system IDs:

---------------------
|DescribeFileSystems|
+-------------------+
|   fs-1234abcd     |
|   fs-abcd1234     |
+-------------------+ 

03 Run describe-lifecycle-configuration command (OSX/Linux/UNIX) using the ID of the file system that you want to examine as identifier and custom query filters to list the lifecycle management policies attached to the selected EFS file system:

aws efs describe-lifecycle-configuration \
	--region us-east-1 \
	--file-system-id fs-1234abcd \
	--query 'LifecyclePolicies'

04 The command output should return an array that contains the lifecycle management policies associated with the selected file system. Currently, AWS EFS supports a maximum of one policy per file system:

[]

If the describe-lifecycle-configuration command output returns an empty array, as shown in the example above, the file system does not have any lifecycle policies configured, therefore the Lifecycle Management feature is not enabled for the selected Amazon EFS file system.

05 Repeat steps no. 3 and 4 to verify the Lifecycle Management status and configuration for other EFS file systems provisioned in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire audit process for other regions.
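
The CLI audit steps above, combined into one script, as an added example that is not part of the original page. It assumes the AWS CLI is installed with credentials configured; the function names are illustrative, and it flags a file system when its LifecyclePolicies array is empty, the same test as step 04.

```shell
#!/bin/sh
# Added example: audit EFS Lifecycle Management across one or more regions.
# Assumption: the AWS CLI is installed and credentials are configured.

# Print the IDs of all EFS file systems in region $1 (whitespace separated).
list_file_systems() {
    aws efs describe-file-systems \
        --region "$1" \
        --output text \
        --query 'FileSystems[*].FileSystemId'
}

# Print the number of lifecycle policies attached to file system $2 in region $1.
policy_count() {
    aws efs describe-lifecycle-configuration \
        --region "$1" \
        --file-system-id "$2" \
        --output text \
        --query 'length(LifecyclePolicies)'
}

# Print "region file-system-id" for every file system without a lifecycle policy.
# Returns 0 if every file system has a policy, 1 if at least one does not,
# and 2 if an AWS CLI call failed (so a failed call is never read as "compliant").
audit_regions() {
    status=0
    for region in "$@"; do
        ids=$(list_file_systems "$region") || return 2
        for fs in $ids; do
            count=$(policy_count "$region" "$fs") || return 2
            if [ "$count" = "0" ]; then
                echo "$region $fs"
                status=1
            fi
        done
    done
    return "$status"
}

# Run the audit when regions are given, e.g.: sh audit-efs.sh us-east-1 eu-west-1
if [ "$#" -gt 0 ]; then
    audit_regions "$@"
fi
```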

Remediation / Resolution

To enable the Lifecycle Management feature for your existing Amazon EFS file systems, perform the following steps:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Elastic File System (EFS) dashboard at https://console.aws.amazon.com/efs/.

03 In the left navigation panel, select File Systems.

04 Click on the EFS file system that you want to reconfigure (see Audit section part I to identify the right resource) to expand the panel with the file system configuration details.

05 On the selected file system configuration panel, in the Other details section, click on the pencil (edit) button next to Lifecycle policy, to access the Lifecycle Management feature configuration.

06 Within the Enable lifecycle management dialog box, select the Enable Lifecycle Management checkbox and click Save to save the configuration changes and enable the feature. Once Lifecycle Management is enabled, the EFS service will attach the predefined lifecycle policy (i.e. "30 days since last access") to your file system.

07 Repeat steps no. 4 – 6 to enable Lifecycle Management for other Amazon EFS file systems provisioned in the current region.

08 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run the put-lifecycle-configuration command (OSX/Linux/UNIX), using the ID of the EFS file system that you want to reconfigure as identifier (see Audit section part II to identify the right resource), to enable the Lifecycle Management feature and attach the predefined EFS lifecycle policy (i.e. "30 days since last access") to the selected Amazon EFS file system:

aws efs put-lifecycle-configuration \
	--region us-east-1 \
	--file-system-id fs-1234abcd \
	--lifecycle-policies TransitionToIA="AFTER_30_DAYS"

02 The command output should return the lifecycle policy attached to the selected file system:

{
    "LifecyclePolicies": [
        {
            "TransitionToIA": "AFTER_30_DAYS"
        }
    ]
}

03 Repeat steps no. 1 and 2 to enable Lifecycle Management for other Amazon EFS file systems available in the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 for other regions.

Publication date Mar 16, 2019
