Event Information

  • The DeleteMountTarget event in AWS for EFS refers to the deletion of a mount target associated with an Amazon Elastic File System (EFS) instance.
  • When this event occurs, it means that the mount target, which provides network access to the EFS file system, has been removed.
  • This event can be triggered manually by an administrator or through an automated process, and it signifies the termination of the network connectivity between the EFS file system and the associated Amazon EC2 instances.

Examples

  • Unauthorized deletion of a mount target can lead to unauthorized access to the associated Amazon Elastic File System (EFS) file system. This can result in potential data breaches and unauthorized modifications to sensitive data.
  • Accidental deletion of a mount target can disrupt the availability of the EFS file system for applications and users relying on it. This can lead to service interruptions and impact business operations.
  • Deleting a mount target without proper planning and coordination can result in orphaned resources, such as security groups and network interfaces, which can create security vulnerabilities and increase the attack surface of the environment.

Remediation

Using Console

To remediate the issues mentioned in the previous response for AWS EFS using the AWS console, you can follow these step-by-step instructions:
  1. Enable encryption at rest for AWS EFS:
    • Open the AWS Management Console and navigate to the Amazon EFS service.
    • Select the EFS file system that needs to be encrypted.
    • Click on the “Actions” button and choose “Modify”.
    • Under the “Encryption at Rest” section, select the option to enable encryption.
    • Choose the appropriate AWS Key Management Service (KMS) key or create a new one.
    • Click on “Save” to apply the changes.
  2. Enable VPC endpoint for AWS EFS:
    • Open the AWS Management Console and go to the Amazon VPC service.
    • Select the VPC in which the EFS file system is located.
    • Click on “Endpoints” in the left navigation pane and then click on “Create Endpoint”.
    • Choose the service name as “com.amazonaws.<region>.elasticfilesystem” and select the appropriate VPC and subnets.
    • Configure the security groups and policies as per your requirements.
    • Click on “Create Endpoint” to create the VPC endpoint.
  3. Enable access logging for AWS EFS:
    • Open the AWS Management Console and navigate to the Amazon EFS service.
    • Select the EFS file system for which you want to enable access logging.
    • Click on the “Actions” button and choose “Modify”.
    • Under the “Access Logging” section, select the option to enable access logging.
    • Choose the appropriate Amazon CloudWatch log group or create a new one.
    • Click on “Save” to apply the changes.
These steps will help you remediate the mentioned issues for AWS EFS using the AWS console.

Using CLI

To remediate the issues mentioned in the previous response for AWS EFS using AWS CLI, you can follow these steps:
  1. Enable encryption at rest for EFS:
    • Use the describe-file-systems command to get the details of the EFS file system: 
      aws efs describe-file-systems --file-system-id <file-system-id>
    • If encryption is not enabled, use the update-file-system command to enable encryption at rest: 
      aws efs update-file-system --file-system-id <file-system-id> --encrypted
  2. Enable VPC endpoint for EFS:
    • Use the describe-vpc-endpoints command to check if there is an existing VPC endpoint for EFS: 
      aws ec2 describe-vpc-endpoints --filters "Name=service-name,Values=com.amazonaws.<region>.elasticfilesystem" --query "VpcEndpoints[*].{VpcEndpointId:VpcEndpointId}"
    • If no VPC endpoint exists, use the create-vpc-endpoint command to create a VPC endpoint for EFS: 
      aws ec2 create-vpc-endpoint --vpc-id <vpc-id> --service-name com.amazonaws.<region>.elasticfilesystem --subnet-ids <subnet-id-1> <subnet-id-2> --security-group-ids <security-group-id>
  3. Enable access logging for EFS:
    • Use the describe-file-systems command to get the details of the EFS file system: 
      aws efs describe-file-systems --file-system-id <file-system-id>
    • If access logging is not enabled, use the update-file-system command to enable access logging: 
      aws efs update-file-system --file-system-id <file-system-id> --logging-configuration '{"Enabled": true}'
Note: Replace <file-system-id>, <vpc-id>, <subnet-id-1>, <subnet-id-2>, and <security-group-id> with the actual values specific to your AWS environment.

Using Python

To remediate the issues mentioned in the previous response for AWS EFS using Python, you can use the following approaches:
  1. Enable encryption at rest:
    • Use the AWS SDK for Python (Boto3) to create a new EFS file system with encryption enabled.
    • Set the Encrypted parameter to True while creating the file system.
    • Here’s an example Python script:
    import boto3

efs_client = boto3.client('efs')

response = efs_client.create_file_system(
    CreationToken='my-efs-encryption',
    Encrypted=True
)

print(response)
  2. Enable VPC endpoint access:
    • Use Boto3 to modify the EFS mount target security groups to allow access from the VPC endpoint.
    • Set the SecurityGroups parameter of the modify_mount_target_security_groups method to include the security group associated with the VPC endpoint.
    • Here’s an example Python script:
    import boto3

efs_client = boto3.client('efs')

response = efs_client.modify_mount_target_security_groups(
    MountTargetId='fsmt-12345678',
    SecurityGroups=['sg-12345678', 'sg-87654321']
)

print(response)
  3. Enable lifecycle management:
    • Use Boto3 to configure lifecycle management policies for your EFS file system.
    • Use the put_lifecycle_configuration method to define the lifecycle policy rules.
    • Here’s an example Python script:
    import boto3

efs_client = boto3.client('efs')

response = efs_client.put_lifecycle_configuration(
    FileSystemId='fs-12345678',
    LifecyclePolicies=[
        {
            'TransitionToIA': 'AFTER_30_DAYS',
            'TransitionToPrimaryStorageClass': 'AFTER_60_DAYS',
            'TransitionToGlacier': 'AFTER_90_DAYS'
        }
    ]
)

print(response)
Please note that you need to replace the placeholder values (e.g., file system ID, mount target ID, security group IDs) with the actual values specific to your AWS environment.