EFS File System Has Backup Enabled

Overview

This check verifies that your Amazon Elastic File System (EFS) file systems have automatic backups enabled. AWS Backup provides a managed service that automatically backs up your EFS data on a schedule you define.

Risk

Without automatic backups, you have no safety net if something goes wrong. Data can be lost due to:

  • Accidental file deletion by users or applications
  • Ransomware or malicious attacks
  • Configuration mistakes that corrupt data
  • Application bugs that overwrite files

Once data is gone from an EFS file system without backups, there is no way to recover it. This can cause significant business disruption and permanent data loss.

Remediation Steps

Prerequisites

You need access to your AWS account with permissions to modify EFS file systems. Specifically, you need the elasticfilesystem:PutBackupPolicy permission.

Required IAM permissions

Your IAM user or role needs these permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeBackupPolicy",
        "elasticfilesystem:PutBackupPolicy"
      ],
      "Resource": "*"
    }
  ]
}

AWS Console Method

  1. Sign in to the AWS Management Console
  2. Navigate to EFS (search for "EFS" in the search bar)
  3. Click File systems in the left sidebar
  4. Select the file system that needs backups enabled
  5. Scroll down to the General section
  6. Click the Edit button
  7. Under Automatic backups, select Enable automatic backups
  8. Click Save changes

That's it! AWS will now automatically back up your EFS file system daily.

AWS CLI (optional)

Enable Backup Using AWS CLI

First, identify your file system ID. You can list all EFS file systems:

aws efs describe-file-systems --region us-east-1

Then enable automatic backups:

aws efs put-backup-policy \
--file-system-id fs-12345678 \
--backup-policy Status=ENABLED \
--region us-east-1

Replace fs-12345678 with your actual file system ID.

Verify the Change

aws efs describe-backup-policy \
--file-system-id fs-12345678 \
--region us-east-1

You should see "Status": "ENABLED" in the output.

Enable Backups on All EFS File Systems

To enable backups on all file systems in your account:

for fs_id in $(aws efs describe-file-systems --region us-east-1 --query 'FileSystems[*].FileSystemId' --output text); do
  echo "Enabling backup for $fs_id"
  aws efs put-backup-policy \
    --file-system-id "$fs_id" \
    --backup-policy Status=ENABLED \
    --region us-east-1
done

CloudFormation (optional)

CloudFormation Template

Use this template to create a new EFS file system with automatic backups enabled:

AWSTemplateFormatVersion: '2010-09-09'
Description: EFS file system with automatic backups enabled

Resources:
  EFSFileSystem:
    Type: AWS::EFS::FileSystem
    Properties:
      BackupPolicy:
        Status: ENABLED
      Encrypted: true
      PerformanceMode: generalPurpose
      ThroughputMode: bursting
      FileSystemTags:
        - Key: Name
          Value: my-efs-with-backup

Outputs:
  FileSystemId:
    Description: The EFS file system ID
    Value: !Ref EFSFileSystem

Deploy the Template

aws cloudformation create-stack \
--stack-name efs-with-backup \
--template-body file://efs-backup.yaml \
--region us-east-1

Update Existing File System

To update an existing EFS file system created via CloudFormation, add or modify the BackupPolicy property:

BackupPolicy:
  Status: ENABLED

Then update the stack:

aws cloudformation update-stack \
--stack-name your-stack-name \
--template-body file://updated-template.yaml \
--region us-east-1

Terraform (optional)

Terraform Configuration

For a new EFS file system with backups enabled:

resource "aws_efs_file_system" "main" {
  creation_token = "my-efs-with-backup"
  encrypted      = true

  lifecycle_policy {
    transition_to_ia = "AFTER_30_DAYS"
  }

  tags = {
    Name = "my-efs-with-backup"
  }
}

resource "aws_efs_backup_policy" "main" {
  file_system_id = aws_efs_file_system.main.id

  backup_policy {
    status = "ENABLED"
  }
}

For Existing File Systems

If you have an existing EFS file system in Terraform without a backup policy, add the aws_efs_backup_policy resource:

resource "aws_efs_backup_policy" "existing" {
  file_system_id = aws_efs_file_system.existing.id

  backup_policy {
    status = "ENABLED"
  }
}

Apply the Configuration

terraform init
terraform plan
terraform apply

Verification

After enabling backups, verify the change was successful:

  1. In the AWS Console, go to EFS > File systems
  2. Select your file system
  3. Under General, confirm Automatic backups shows Enabled

CLI verification commands

Check the backup policy status:

aws efs describe-backup-policy \
--file-system-id fs-12345678 \
--region us-east-1

Expected output:

{
  "BackupPolicy": {
    "Status": "ENABLED"
  }
}

You can also verify backups are being created by checking AWS Backup:

aws backup list-recovery-points-by-resource \
--resource-arn arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-12345678 \
--region us-east-1
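
Going one step beyond the bulk-enable loop and the per-file-system check above, the following added example (not part of the original page) audits every file system in a region first, enables backups only where they are missing, and reads the status back afterwards. The function names are hypothetical; it assumes the AWS CLI reports the `PolicyNotFound` error code for a file system that has never had a backup policy.

```shell
# Added example, not the page's own code. Uses only the three EFS CLI calls
# shown on this page; function names are hypothetical.

# Print one file system's backup status: ENABLED, ENABLING, DISABLED,
# DISABLING, NONE (no policy ever set) or ERROR (status could not be read).
efs_backup_status() (
  fs_id=$1 region=$2
  if out=$(aws efs describe-backup-policy --file-system-id "$fs_id" \
        --region "$region" --query 'BackupPolicy.Status' --output text 2>&1); then
    printf '%s\n' "$out"
  else
    case $out in
      *PolicyNotFound*) echo NONE ;;   # assumed error code: no backup policy exists
      *)                echo ERROR ;;  # e.g. access denied: never count as compliant
    esac
  fi
)

# Print "<fs-id> <status>" for each file system in the region that is not
# protected (anything other than ENABLED or ENABLING).
efs_without_backup() (
  region=$1
  for fs_id in $(aws efs describe-file-systems --region "$region" \
        --query 'FileSystems[*].FileSystemId' --output text); do
    status=$(efs_backup_status "$fs_id" "$region")
    case $status in
      ENABLED|ENABLING) ;;
      *) echo "$fs_id $status" ;;
    esac
  done
)

# Enable backups only where missing, then print the status read back.
# File systems whose status could not be read are reported, not changed.
efs_enable_missing() (
  region=$1
  efs_without_backup "$region" | while read -r fs_id status; do
    [ "$status" = ERROR ] && { echo "$fs_id ERROR skipped"; continue; }
    aws efs put-backup-policy --file-system-id "$fs_id" \
      --backup-policy Status=ENABLED --region "$region" >/dev/null || continue
    echo "$fs_id $status -> $(efs_backup_status "$fs_id" "$region")"
  done
)
```

Run `efs_without_backup us-east-1` for a read-only report, or `efs_enable_missing us-east-1` to remediate; repeat per region, since each call covers one region only.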

Notes

  • Backup Schedule: Automatic backups run daily with a default 35-day retention period.
  • Cost: Backups are stored in AWS Backup and incur storage costs based on the amount of data backed up. See AWS Backup pricing for details.
  • Recovery: To restore from a backup, use AWS Backup to create a new EFS file system from a recovery point.
  • Cross-Region: For disaster recovery, consider configuring cross-region backup copies in AWS Backup.
  • Encryption: If your EFS file system is encrypted, backups are automatically encrypted with the same key.