Event Information

  • The CreateFileSystem event in AWS for EFS refers to the action of creating a new file system in Amazon Elastic File System (EFS).
  • When this event occurs, it indicates that a new EFS file system has been successfully created and is ready to be used.
  • This event is important as it allows users to track and monitor the creation of EFS file systems, enabling them to ensure the successful provisioning of storage resources for their applications and data.

Examples

  • Lack of proper access controls: If the CreateFileSystem operation in AWS Elastic File System (EFS) is not configured with appropriate access controls, it can lead to security issues. For example, if the file system is created with overly permissive permissions, unauthorized users or applications may be able to access sensitive data stored in the file system.
  • Inadequate encryption: If encryption is not enabled or properly configured during the creation of the EFS file system, it can result in data exposure. For instance, if the file system is created without enabling encryption at rest, the data stored in the file system may be vulnerable to unauthorized access or tampering.
  • Weak network security: If the EFS file system is created without considering network security, it can pose a security risk. For example, if the file system is created without configuring appropriate security groups or network ACLs, it may be accessible from unauthorized networks or IP addresses, potentially exposing sensitive data to malicious actors.

Remediation

Using Console

  1. Enable encryption at rest for AWS EFS:
    • Open the AWS Management Console and navigate to the Amazon EFS service.
    • Select the EFS file system that needs to be remediated.
    • In the “Actions” dropdown menu, click on “Modify”.
    • Under the “Encryption at Rest” section, select the desired encryption option (AWS Key Management Service - KMS or AWS managed keys).
    • Click on “Save” to apply the encryption settings to the EFS file system.
  2. Enable VPC endpoint for AWS EFS:
    • Open the AWS Management Console and go to the Amazon VPC service.
    • Select the VPC in which the EFS file system is located.
    • Click on “Endpoints” in the left navigation pane.
    • Click on “Create Endpoint” and select “Amazon Elastic File System (EFS)” as the service category.
    • Choose the desired VPC, subnet, and security group for the endpoint.
    • Click on “Create Endpoint” to create the VPC endpoint for EFS.
  3. Enable access logging for AWS EFS:
    • Open the AWS Management Console and navigate to the Amazon EFS service.
    • Select the EFS file system that needs to have access logging enabled.
    • In the “Actions” dropdown menu, click on “Modify”.
    • Under the “Access Logging” section, select the desired logging settings (enable/disable logging, specify the target S3 bucket, and optional prefix).
    • Click on “Save” to enable access logging for the EFS file system.

Using CLI

To remediate the issues mentioned in the previous response for AWS EFS using AWS CLI, you can follow these steps:
  1. Enable encryption at rest for EFS:
    • Use the describe-file-systems command to get the details of the EFS file system: 
      aws efs describe-file-systems --file-system-id <file-system-id>
    • If encryption is not enabled, create a new EFS file system with encryption enabled using the create-file-system command: 
      aws efs create-file-system --encrypted --performance-mode generalPurpose
    • Migrate your data to the new encrypted EFS file system and update your applications to use the new file system.
  2. Enable VPC endpoint for EFS:
    • Use the describe-vpc-endpoints command to check if there is an existing VPC endpoint for EFS: 
      aws ec2 describe-vpc-endpoints --filters "Name=service-name,Values=com.amazonaws.<region>.elasticfilesystem" --query "VpcEndpoints[].VpcEndpointId"
    • If there is no VPC endpoint, create a new VPC endpoint for EFS using the create-vpc-endpoint command: 
      aws ec2 create-vpc-endpoint --vpc-id <vpc-id> --service-name com.amazonaws.<region>.elasticfilesystem --vpc-endpoint-type Gateway
  3. Enable VPC flow logs for EFS:
    • Use the describe-flow-logs command to check if there are existing VPC flow logs for the VPC: 
      aws ec2 describe-flow-logs --filter "Name=resource-id,Values=<vpc-id>"
    • If there are no VPC flow logs, create a new flow log for the VPC using the create-flow-logs command: 
      aws ec2 create-flow-logs --resource-ids <vpc-id> --traffic-type ALL --log-destination-type cloud-watch-logs --log-group-name <log-group-name>
Note: Replace <file-system-id>, <vpc-id>, and <log-group-name> with the appropriate values specific to your AWS environment.

Using Python

To remediate the issues mentioned in the previous response for AWS EFS using Python, you can use the following approaches:
  1. Enable encryption at rest:
    • Use the AWS SDK for Python (Boto3) to create a new EFS file system with encryption enabled.
    • Set the Encrypted parameter to True while creating the file system.
    • Here’s an example script:
    import boto3

efs_client = boto3.client('efs')

response = efs_client.create_file_system(
    CreationToken='your-unique-token',
    PerformanceMode='generalPurpose',
    Encrypted=True
)

print(response)
  2. Enable VPC endpoint access:
    • Use Boto3 to modify the EFS mount target security groups to allow access from the VPC endpoint.
    • Set the SecurityGroups parameter of the modify_mount_target_security_groups method to include the security group associated with the VPC endpoint.
    • Here’s an example script:
    import boto3

efs_client = boto3.client('efs')

response = efs_client.modify_mount_target_security_groups(
    MountTargetId='your-mount-target-id',
    SecurityGroups=['your-security-group-id']
)

print(response)
  3. Enable access logging:
    • Use Boto3 to enable access logging for the EFS file system.
    • Set the LoggingConfiguration parameter of the update_file_system method to specify the desired logging settings.
    • Here’s an example script:
    import boto3

efs_client = boto3.client('efs')

response = efs_client.update_file_system(
    FileSystemId='your-file-system-id',
    LoggingConfiguration={
        'Enabled': True,
        'FileAccessLogDestination': 'your-log-destination',
        'FileAccessLogFormat': 'your-log-format'
    }
)

print(response)
Please note that you need to replace the placeholders (your-unique-token, your-mount-target-id, your-security-group-id, your-file-system-id, your-log-destination, your-log-format) with the actual values specific to your AWS environment.