AWS FSx Sufficient Backup Retention Period

Risk Level: Medium (should be achieved)

Ensure that your Amazon FSx for Windows File Server file systems have a minimum backup retention period set in order to fulfill your organization compliance requirements. The retention period represents the number of days to retain automatic backups. By default, FSx backups are retained for 7 days, however you can change this rate to any time period from 0 through 35 days. Prior to running this conformity rule by the Cloud Conformity engine you need to specify your own AWS FSx backup retention period in the rule settings.

Reliability

Having a minimum retention period set for Windows File Server file systems will enforce your FSx backup strategy to follow best practices and meet regulatory compliance. AWS FSx backups are file-system-consistent, highly durable and incremental, allowing you to quickly restore to any point within the backup retention period configured. Retaining Amazon FSx file system backups for a longer period of time will allow you to handle more efficiently your data restoration process in the event of a failure.

Note 1: Setting the backup retention period to 0 days means that your file systems are never automatically backed up. Cloud Conformity strongly recommends that you use automatic backups for your FSx file systems, regardless of the level of critical functionality.
Note 2: As example, this conformity rule will use 14 days as the threshold for the sufficient backup retention period. However, you can adjust anytime the number of days (up to 35), to suit your organization requirements.

Audit

To determine if your Amazon FSx file systems have a sufficient backup retention period (≥ 14 days) set for automated backups, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon FSx service dashboard at https://console.aws.amazon.com/fsx/.

03 In the left navigation panel, under Amazon FSx, choose File systems to access the file systems available in the current region.

04 Click on the File system type column to group the existent file systems based on their type (Windows File Server or Lustre).

05 Choose the Windows File Server file system that you want to examine, click the Actions dropdown button from the dashboard top menu and select View details.

06 On the file system description page, select Backup & Maintenance tab, and check the Automatic backup retention period configuration attribute value to determine the number of days set to retain automated backups (if enabled). If the number of days configured as backup retention period is less than 14 days or less than the custom threshold value configured within your Cloud Conformity account, the selected Amazon FSx Windows File Server file system does not have a sufficient backup retention period configured.

07 Repeat step no. 5 and 6 to verify the automated backups retention period for other AWS FSx file systems available in the current region.

08 Change the AWS region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-file-systems command (OSX/Linux/UNIX) to list the IDs of the AWS FSx Windows File Server file systems available in the selected region:

aws fsx describe-file-systems
  --region us-east-1
  --query 'FileSystems[*].FileSystemId'

02 The command output should return an array with the requested file system IDs:

[
	"fx-0aabb1234ccdd1234",
	"fx-01234abcd1234abcd"
]

03 Execute again describe-file-systems command (OSX/Linux/UNIX) using the ID of the file system that you want to examine as identifier and custom query filters to return the number of days to retain automatic backups for the selected Amazon FSx Windows File Server file system:

aws fsx describe-file-systems
  --region us-east-1
  --file-system-ids fx-0aabb1234ccdd1234
  --query 'FileSystems[*].WindowsConfiguration.AutomaticBackupRetentionDays'

04 The command output should return the requested value (integer):

[
	5
]

Check the number of days returned by the describe-file-systems command output. If the number returned for the backup retention period is less than 14 or less than the custom threshold value configured within your Cloud Conformity account, the selected Amazon FSx Windows File Server file system does not have a sufficient backup retention period configured.

05 Repeat steps no. 3 and 4 to determine the automated backups retention period for other AWS FSx file systems available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire process for other regions.

Remediation / Resolution

To update your Amazon FSx Windows File Server file systems configuration in order to set up a sufficient backup retention period, perform the following actions:

Note: Changing backup retention period for Windows File Server file systems using the AWS Management Console is not currently supported.

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Sufficient Backup Retention Period",
	"Resources": {
		"FSxFileSystem": {
			"Type": "AWS::FSx::FileSystem",
			"Properties": {
				"FileSystemType": "WINDOWS",
				"StorageType": "SSD",
				"StorageCapacity": 1024,
				"SubnetIds": [
					"subnet-01234abcd1234abcd",
					"subnet-0abcd1234abcd1234"
				],
				"SecurityGroupIds": [
					"sg-0abcd1234abcd1234"
				],
				"WindowsConfiguration": {
					"DeploymentType": "MULTI_AZ_1",
					"PreferredSubnetId": "01234abcd1234abcd",
					"DailyAutomaticBackupStartTime": "02:00",
					"AutomaticBackupRetentionDays": 30
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
	Description: Sufficient Backup Retention Period
	Resources:
	FSxFileSystem:
		Type: AWS::FSx::FileSystem
		Properties:
		FileSystemType: WINDOWS
		StorageType: SSD
		StorageCapacity: 1024
		SubnetIds:
			- subnet-01234abcd1234abcd
			- subnet-0abcd1234abcd1234
		SecurityGroupIds:
			- sg-0abcd1234abcd1234
		WindowsConfiguration:
			DeploymentType: MULTI_AZ_1
			PreferredSubnetId: '01234abcd1234abcd'
			DailyAutomaticBackupStartTime: '02:00'
			AutomaticBackupRetentionDays: 30

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_fsx_windows_file_system" "fsx-file-system" {
	deployment_type     = "MULTI_AZ_1"
	subnet_ids          = ["subnet-01234abcd1234abcd","subnet-0abcd1234abcd1234"]
	storage_type        = "SSD"
	storage_capacity    = 1024
	throughput_capacity = 512
	security_group_ids  = ["sg-0abcd1234abcd1234"]

	# Sufficient Backup Retention Period
	automatic_backup_retention_days = 30
}

Using AWS CLI

01 Runupdate-file-system command (OSX/Linux/UNIX) using the ID of the Windows File Server file system that you want to reconfigure as identifier (see Audit section part II to identify the right resource) to update the backup retention period (in days) for the selected Amazon FSx file system:

aws fsx update-file-system
  --region us-east-1
  --file-system-id fx-0aabb1234ccdd1234
  --windows-configuration AutomaticBackupRetentionDays=14

02 The command output should return the reconfigured AWS FSx file system metadata:

{
	"FileSystems": [
		{
			"FileSystemId": "fx-0aabb1234ccdd1234",
			"FileSystemType": "WINDOWS"
			"VpcId": "vpc-abcd1234",

			...

			"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-1234-1234-abcd1234abcd"
			"Region": "us-east-1",
			"OwnerId": "123456789012",
		}
	]
}

03 Repeat step no. 1 and 2 to reconfigure the backup retention period for other Amazon FSx Windows File Server file systems available in the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the entire remediation/resolution process for other regions.

References

AWS Documentation
Amazon FSx for Windows File Server
Amazon FSx for Windows File Server FAQs
Using Backups
Walkthrough 3: Update an Existing File System

AWS Command Line Interface (CLI) Documentation
fsx
describe-file-systems
update-file-system

Publication date Mar 16, 2019

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS CloudFormation

Using Terraform (AWS Provider)

Using AWS CLI

References

Related FSx rules