Event Information

  • The DeleteFileSystem event in AWS for EFS refers to the action of deleting a file system in Amazon Elastic File System (EFS).
  • When this event occurs, it means that the specified EFS file system has been permanently removed from the AWS account.
  • This event can be triggered manually by an administrator or programmatically through API calls or automation scripts.

Examples

  • Unauthorized deletion of a file system: If security is impacted with DeleteFileSystem in AWS for EFS, it could potentially allow unauthorized individuals to delete critical file systems, leading to data loss and disruption of services. This could be due to misconfigured access controls or compromised credentials.
  • Data exposure: If security is impacted with DeleteFileSystem in AWS for EFS, it could result in the exposure of sensitive data stored within the file system. This could occur if the deletion process is not properly handled, allowing unauthorized access to the data before it is completely removed.
  • Service disruption: If security is impacted with DeleteFileSystem in AWS for EFS, it could lead to service disruption for applications or systems relying on the file system. This could occur if the deletion process is not properly managed, causing unintended consequences such as orphaned resources or broken dependencies.

Remediation

Using Console

  1. Enable encryption at rest for AWS EFS:

    • Open the AWS Management Console and navigate to the Amazon EFS service.
    • Select the EFS file system that needs to be remediated.
    • In the “Actions” dropdown menu, click on “Modify”.
    • Under the “Encryption at Rest” section, select the desired encryption option (AWS Key Management Service - KMS or AWS managed keys).
    • Click on “Save” to apply the encryption settings to the EFS file system.

  2. Enable VPC endpoint for AWS EFS:

    • Open the AWS Management Console and go to the Amazon VPC service.
    • Select the VPC in which the EFS file system is located.
    • Click on “Endpoints” in the left navigation pane.
    • Click on “Create Endpoint” and select “Amazon Elastic File System (EFS)” as the service category.
    • Choose the desired VPC, subnet, and security group for the endpoint.
    • Click on “Create Endpoint” to create the VPC endpoint for EFS.

  3. Enable access logging for AWS EFS:

    • Open the AWS Management Console and navigate to the Amazon EFS service.
    • Select the EFS file system that needs to have access logging enabled.
    • In the “Actions” dropdown menu, click on “Modify”.
    • Under the “Access Logging” section, select the desired logging settings (enable/disable logging, specify the target S3 bucket, and optional prefix).
    • Click on “Save” to enable access logging for the EFS file system.

Using CLI

To remediate the issues mentioned in the previous response for AWS EFS using AWS CLI, you can follow these steps:

  1. Enable encryption at rest for EFS:

    • Use the describe-file-systems command to get the details of the EFS file system: 
      aws efs describe-file-systems --file-system-id <file-system-id>
    • If encryption is not enabled, create a new EFS file system with encryption enabled using the create-file-system command: 
      aws efs create-file-system --encrypted --performance-mode generalPurpose
    • Migrate your data to the new encrypted EFS file system and update your applications to use the new file system.

  2. Enable VPC endpoint for EFS:

    • Use the describe-vpc-endpoints command to check if there is an existing VPC endpoint for EFS: 
      aws ec2 describe-vpc-endpoints --filters "Name=service-name,Values=com.amazonaws.<region>.elasticfilesystem" --query "VpcEndpoints[].VpcEndpointId"
    • If there is no VPC endpoint, create a new VPC endpoint for EFS using the create-vpc-endpoint command: 
      aws ec2 create-vpc-endpoint --vpc-id <vpc-id> --service-name com.amazonaws.<region>.elasticfilesystem --vpc-endpoint-type Gateway

  3. Enable VPC flow logs for EFS:

    • Use the describe-flow-logs command to check if there are existing VPC flow logs for the relevant VPC: 
      aws ec2 describe-flow-logs --filter "Name=resource-id,Values=<vpc-id>"
    • If there are no VPC flow logs, create a new flow log for the VPC using the create-flow-logs command: 
      aws ec2 create-flow-logs --resource-ids <vpc-id> --resource-type VPC --traffic-type ALL --log-destination-type cloud-watch-logs --log-group-name <log-group-name>

Note: Replace <file-system-id>, <vpc-id>, and <log-group-name> with the appropriate values specific to your AWS environment.

Using Python

To remediate the issues mentioned in the previous response for AWS EFS using Python, you can use the following approaches:

  1. Enable encryption at rest:

    • Use the AWS SDK for Python (Boto3) to create a new EFS file system with encryption enabled.
    • Set the Encrypted parameter to True while creating the file system.
    • Here’s an example Python script:
    import boto3

efs_client = boto3.client('efs')

response = efs_client.create_file_system(
    CreationToken='my-efs-encryption',
    Encrypted=True
)

print(response)

  2. Enable VPC endpoint access:

    • Use Boto3 to modify the EFS mount target security groups to allow access from the VPC endpoint.
    • Set the SecurityGroups parameter of the modify_mount_target_security_groups method to include the security group associated with the VPC endpoint.
    • Here’s an example Python script:
    import boto3

efs_client = boto3.client('efs')

response = efs_client.modify_mount_target_security_groups(
    MountTargetId='fsmt-12345678',
    SecurityGroups=['sg-12345678', 'sg-87654321']
)

print(response)

  3. Enable lifecycle management:

    • Use Boto3 to configure lifecycle management policies for your EFS file system.
    • Use the put_lifecycle_configuration method to define the lifecycle policy rules.
    • Here’s an example Python script:
    import boto3

efs_client = boto3.client('efs')

response = efs_client.put_lifecycle_configuration(
    FileSystemId='fs-12345678',
    LifecyclePolicies=[
        {
            'TransitionToIA': 'AFTER_30_DAYS',
            'TransitionToPrimaryStorageClass': 'AFTER_60_DAYS',
            'TransitionToGlacier': 'AFTER_90_DAYS'
        }
    ]
)

print(response)

Please note that you need to replace the placeholder values (e.g., file system ID, mount target ID, security group IDs) with the actual values from your AWS environment.