Enable Lifecycle Management for AWS EFS File Systems

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)

Ensure that your Amazon EFS file systems use Lifecycle Management to manage EFS data during its lifetime and to reduce storage costs for infrequently accessed files. The Lifecycle Management feature automatically moves files that have not been accessed for a configured period to the lower-cost Infrequent Access (IA) storage class, according to a lifecycle policy attached to the file system, so that file storage is managed cost-effectively without manual intervention.

Cost optimisation

The storage classes available for EFS file systems are Standard, a storage class used to store frequently accessed files, and Standard-Infrequent Access (IA), a lower-cost storage class designed for files that are accessed infrequently. The IA storage class reduces storage costs for files that are not repeatedly accessed, without altering the high availability, high durability, elasticity or POSIX file system access that the AWS EFS service provides. With the Lifecycle Management feature enabled, you can use the EFS IA storage class to keep your files accessible in order to satisfy audit requirements, perform historical analysis, or support backup and recovery, while lowering your EFS costs. Note that reads and writes against files in IA incur a per-GB data access charge, so a transition period that is too short for a workload's real access pattern can raise the bill rather than lower it; choose the period from how the file system is actually used.


Audit

To determine if your EFS file systems use Lifecycle Management configurations, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Elastic File System (EFS) console at https://console.aws.amazon.com/efs/.

03 In the main navigation panel, under Elastic File System, choose File systems.

04 Click on the name/ID (link) of the Amazon EFS file system that you want to examine.

05 In the General section, check the Lifecycle management attribute to determine the Lifecycle Management configuration used by the file system. If the Lifecycle management attribute has Transition into IA set to None, the selected Amazon EFS file system does not have a lifecycle policy configured, therefore the Lifecycle Management feature is not enabled for the EFS resource.

06 Repeat steps no. 4 and 5 for each Amazon EFS file system available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other AWS regions.

Using AWS CLI

01 Run describe-file-systems command (OSX/Linux/UNIX) with custom query filters to list the ID of each Amazon EFS file system provisioned in the selected AWS region:

aws efs describe-file-systems \
  --region us-east-1 \
  --output table \
  --query 'FileSystems[*].FileSystemId'

02 The command output should return a table with the requested file system ID(s):

--------------------------
|   DescribeFileSystems  |
+------------------------+
|  fs-0abcd1234abcd1234  |
|  fs-01234abcd1234abcd  |
+------------------------+

03 Run describe-lifecycle-configuration command (OSX/Linux/UNIX) using the ID of the Amazon EFS file system that you want to examine as the identifier parameter and custom query filters to list the lifecycle management policies attached to the selected file system:

aws efs describe-lifecycle-configuration \
  --region us-east-1 \
  --file-system-id fs-0abcd1234abcd1234 \
  --query 'LifecyclePolicies'

04 The command output should return an array that contains the lifecycle management policies associated with the selected file system:

[]

If the describe-lifecycle-configuration command output returns an empty array (i.e. []), as shown in the example above, the file system does not have lifecycle policies configured, therefore the Lifecycle Management feature is not enabled for the selected Amazon EFS file system. Check for a TransitionToIA entry specifically: an array that only carries a TransitionToPrimaryStorageClass entry moves files out of IA but never into it, and does not satisfy this check either.

05 Repeat steps no. 3 and 4 for each Amazon EFS file system available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enable the Lifecycle Management feature for your existing Amazon EFS file systems, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Enable Lifecycle Management ",
	"Resources": {
		"MountTargetVPC": {
			"Type": "AWS::EC2::VPC",
			"Properties": {
				"CidrBlock": "172.16.0.0/16"
			}
		},
		"MountTargetSubnet": {
			"Type": "AWS::EC2::Subnet",
			"Properties": {
				"CidrBlock": "172.16.1.0/24",
				"VpcId": {
					"Ref": "MountTargetVPC"
				},
				"AvailabilityZone": "us-east-1a"
			}
		},
		"EFSFileSystem": {
			"Type": "AWS::EFS::FileSystem",
			"Properties": {
				"Encrypted": true,
				"PerformanceMode": "generalPurpose",
				"ThroughputMode": "bursting",
				"FileSystemPolicy": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Effect": "Allow",
							"Action": [
								"elasticfilesystem:ClientMount"
							],
							"Principal": {
								"AWS": "arn:aws:iam::123456789012:role/EFSReadOnlyRole"
							}
						}
					]
				},
				"LifecyclePolicies": [
					{
						"TransitionToIA": "AFTER_30_DAYS"
					}
				]
			}
		},
		"EFSMountTarget": {
			"Type": "AWS::EFS::MountTarget",
			"Properties": {
				"FileSystemId": {
					"Ref": "EFSFileSystem"
				},
				"SubnetId": {
					"Ref": "MountTargetSubnet"
				},
				"SecurityGroups": [
					{
						"Fn::GetAtt": [
							"MountTargetVPC",
							"DefaultSecurityGroup"
						]
					}
				]
			}
		},
		"EFSAccessPoint": {
			"Type": "AWS::EFS::AccessPoint",
			"Properties": {
				"FileSystemId": {
					"Ref": "EFSFileSystem"
				},
				"PosixUser": {
					"Uid": "13234",
					"Gid": "1322",
					"SecondaryGids": [
						"1344",
						"1452"
					]
				},
				"RootDirectory": {
					"CreationInfo": {
						"OwnerGid": "708798",
						"OwnerUid": "7987987",
						"Permissions": "0755"
					},
					"Path": "/web/production"
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Enable Lifecycle Management'
Resources:
  MountTargetVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 172.16.0.0/16
  MountTargetSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 172.16.1.0/24
      VpcId: !Ref 'MountTargetVPC'
      AvailabilityZone: us-east-1a
  EFSFileSystem:
    Type: AWS::EFS::FileSystem
    Properties:
      Encrypted: true
      PerformanceMode: generalPurpose
      ThroughputMode: bursting
      FileSystemPolicy:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - elasticfilesystem:ClientMount
            Principal:
              AWS: arn:aws:iam::123456789012:role/EFSReadOnlyRole
      LifecyclePolicies:
        - TransitionToIA: AFTER_30_DAYS
  EFSMountTarget:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref 'EFSFileSystem'
      SubnetId: !Ref 'MountTargetSubnet'
      SecurityGroups:
        - !GetAtt 'MountTargetVPC.DefaultSecurityGroup'
  EFSAccessPoint:
    Type: AWS::EFS::AccessPoint
    Properties:
      FileSystemId: !Ref 'EFSFileSystem'
      PosixUser:
        Uid: '13234'
        Gid: '1322'
        SecondaryGids:
          - '1344'
          - '1452'
      RootDirectory:
        CreationInfo:
          OwnerGid: '708798'
          OwnerUid: '7987987'
          Permissions: '0755'
        Path: /web/production

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_efs_file_system" "efs-file-system" {

	creation_token   = "abcdabcd-abcd-abcd-abcd-abcdabcdabcd"
	performance_mode = "generalPurpose"
	throughput_mode  = "bursting"
	encrypted        = true

	lifecycle_policy {
		transition_to_ia = "AFTER_30_DAYS"
	}

}

resource "aws_efs_file_system_policy" "file-system-policy" {
	file_system_id = aws_efs_file_system.efs-file-system.id
	# Indented heredoc (<<-) so the closing marker may be indented like the rest of the block.
	policy = <<-POLICY
	{
		"Version": "2012-10-17",
		"Statement": [
			{
				"Effect": "Allow",
				"Action": [
					"elasticfilesystem:ClientMount"
				],
				"Principal": {"AWS": "arn:aws:iam::123456789012:role/EFSReadOnlyRole"}
			}
		]
	}
	POLICY
}

resource "aws_efs_mount_target" "efs-mount-target" {
	file_system_id  = aws_efs_file_system.efs-file-system.id
	subnet_id       = "subnet-0abcd1234abcd1234"
	security_groups = ["sg-01234abcd1234abcd"]
}

resource "aws_efs_access_point" "efs-access-point" {
	file_system_id = aws_efs_file_system.efs-file-system.id
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Elastic File System (EFS) console at https://console.aws.amazon.com/efs/.

03 In the main navigation panel, under Elastic File System, choose File systems.

04 Click on the name/ID (link) of the Amazon EFS file system that you want to reconfigure.

05 Choose Edit from the General section to modify the file system general settings.

06 For Lifecycle management, perform the following actions:

  1. Select one of the predefined lifecycle policies (e.g. 30 day(s) since last access) from the Transition into IA dropdown list to configure Lifecycle Management to transition files from Standard to Standard-Infrequent Access.
  2. Select On first access from the Transition out of IA dropdown list if you want the Lifecycle Management feature to transition files from Standard-Infrequent Access to Standard.

07 Choose Save changes to apply the configuration changes.

08 Repeat steps no. 4 – 7 for each Amazon EFS file system available in the selected AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Run put-lifecycle-configuration command (OSX/Linux/UNIX) using the ID of the Amazon EFS file system that you want to reconfigure as the identifier parameter, to enable the Lifecycle Management feature and attach a predefined lifecycle policy (such as 30 day(s) since last access) to the selected file system. Note that this command replaces the file system's entire lifecycle configuration, so include every rule you want to keep:

aws efs put-lifecycle-configuration \
  --region us-east-1 \
  --file-system-id fs-0abcd1234abcd1234 \
  --lifecycle-policies TransitionToIA="AFTER_30_DAYS"

02 The command output should return the lifecycle policy attached to the selected EFS file system:

{
	"LifecyclePolicies": [
		{
			"TransitionToIA": "AFTER_30_DAYS"
		}
	]
}

03 Repeat steps no. 1 and 2 for each Amazon EFS file system available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
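The Audit and Remediation CLI procedures above, scripted end to end, as an added example that is not code from the original page or from Trend Vision One. It walks every file system in each requested region through describe-file-systems (following NextMarker pagination, which the single CLI call above does not), flags any file system whose LifecyclePolicies array has no TransitionToIA entry, and with --fix calls put-lifecycle-configuration with both the transition into IA and the AFTER_1_ACCESS transition back to Standard (the console's "Transition out of IA"), then re-reads the configuration to confirm. The boto3 method names (describe_file_systems, describe_lifecycle_configuration, put_lifecycle_configuration) are the real client API; the FakeEfs class, the SAMPLE_FILE_SYSTEMS data and the file system IDs in it are constructed here so the same logic runs offline without credentials. The script file name efs_lifecycle.py is an assumption.

```python
from __future__ import annotations

import sys
from collections import namedtuple

# Added example (not Trend Vision One code). DEFAULT_IA_POLICY matches the page's CLI step.
DEFAULT_IA_POLICY = "AFTER_30_DAYS"

# Constructed sample data (file system ID -> LifecyclePolicies); the IDs are not real.
SAMPLE_FILE_SYSTEMS = {
    "fs-0abcd1234abcd1234": [],                                        # feature off
    "fs-01234abcd1234abcd": [{"TransitionToIA": "AFTER_30_DAYS"}],    # compliant
    "fs-0aaaa1111bbbb2222": [{"TransitionToPrimaryStorageClass": "AFTER_1_ACCESS"}],  # never moves into IA
}

Finding = namedtuple("Finding", "region file_system_id compliant reason")

def evaluate_lifecycle(policies: list[dict]) -> tuple[bool, str]:
    """Decide compliance from a LifecyclePolicies array: an empty array means the
    feature is off, and an array with only TransitionToPrimaryStorageClass moves
    nothing *into* IA, so it fails this check as well."""
    ia = [p["TransitionToIA"] for p in policies if "TransitionToIA" in p]
    if not ia:
        return False, "no TransitionToIA policy (Lifecycle Management not enabled)"
    return True, f"TransitionToIA={ia[0]}"

def list_file_system_ids(efs) -> list[str]:
    """describe-file-systems, following Marker/NextMarker pagination."""
    ids, kwargs = [], {}
    while True:
        page = efs.describe_file_systems(**kwargs)
        ids.extend(fs["FileSystemId"] for fs in page["FileSystems"])
        if not page.get("NextMarker"):
            return ids
        kwargs = {"Marker": page["NextMarker"]}

def audit_region(efs, region: str) -> list[Finding]:
    """One Finding per file system in the region the client is bound to."""
    findings = []
    for fs_id in list_file_system_ids(efs):
        policies = efs.describe_lifecycle_configuration(FileSystemId=fs_id)["LifecyclePolicies"]
        findings.append(Finding(region, fs_id, *evaluate_lifecycle(policies)))
    return findings

def remediate(efs, fs_id: str, ia: str = DEFAULT_IA_POLICY) -> list[dict]:
    """Enable the transition into IA plus the transition back to Standard on first
    access (the console's 'Transition out of IA'). put-lifecycle-configuration
    replaces the whole configuration, so both rules go in one call."""
    efs.put_lifecycle_configuration(
        FileSystemId=fs_id,
        LifecyclePolicies=[{"TransitionToIA": ia}, {"TransitionToPrimaryStorageClass": "AFTER_1_ACCESS"}],
    )
    return efs.describe_lifecycle_configuration(FileSystemId=fs_id)["LifecyclePolicies"]

class FakeEfs:
    """Constructed stand-in for boto3's EFS client; pages one item at a time, using the next ID as NextMarker."""

    def __init__(self, file_systems: dict[str, list[dict]], page_size: int = 1):
        self._fs, self._page_size = file_systems, page_size

    def describe_file_systems(self, Marker: str | None = None, **_):
        ids = sorted(self._fs)
        start = ids.index(Marker) if Marker else 0
        resp = {"FileSystems": [{"FileSystemId": i} for i in ids[start:start + self._page_size]]}
        if start + self._page_size < len(ids):
            resp["NextMarker"] = ids[start + self._page_size]
        return resp

    def describe_lifecycle_configuration(self, FileSystemId: str, **_):
        return {"LifecyclePolicies": list(self._fs[FileSystemId])}

    def put_lifecycle_configuration(self, FileSystemId: str, LifecyclePolicies: list[dict], **_):
        self._fs[FileSystemId] = list(LifecyclePolicies)
        return {"LifecyclePolicies": list(LifecyclePolicies)}

def build_client(region: str, offline: bool):
    if offline:                      # constructed data, no AWS calls, no credentials
        return FakeEfs({k: list(v) for k, v in SAMPLE_FILE_SYSTEMS.items()})
    import boto3                     # deferred: only needed against real AWS
    return boto3.client("efs", region_name=region)

def main(argv: list[str]) -> int:
    """usage: efs_lifecycle.py [--demo] [--fix] [region ...]; exits 1 if any FAIL remains."""
    offline, fix = "--demo" in argv, "--fix" in argv
    regions = [a for a in argv if not a.startswith("--")] or ["us-east-1"]
    failures = 0
    for region in regions:
        efs = build_client(region, offline)
        for f in audit_region(efs, region):
            if fix and not f.compliant:
                f = Finding(region, f.file_system_id, *evaluate_lifecycle(remediate(efs, f.file_system_id)))
            failures += not f.compliant
            print(f"{f.region} {f.file_system_id} {'PASS' if f.compliant else 'FAIL'}: {f.reason}")
    return 1 if failures else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run `python efs_lifecycle.py --demo` to see the three constructed cases (off, compliant, out-of-IA only) evaluated offline, or `python efs_lifecycle.py --fix us-east-1 eu-west-1` against AWS with a principal allowed elasticfilesystem:DescribeFileSystems, elasticfilesystem:DescribeLifecycleConfiguration and elasticfilesystem:PutLifecycleConfiguration. The non-zero exit on any remaining FAIL lets the script gate a pipeline, and re-reading the configuration after the put is the same confirmation step as step 02 above.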

Publication date Mar 16, 2019