EFS Multi-AZ Enabled
Overview
This check verifies that your Amazon Elastic File System (EFS) file systems are configured for Multi-AZ resilience by having mount targets in more than one Availability Zone. EFS file systems with Regional storage class should have mount targets distributed across multiple AZs to ensure high availability.
Risk
If your EFS file system relies on a single Availability Zone or has only one mount target:
- Service disruption: An AZ outage can disconnect all clients and cause I/O errors
- Increased latency: Single mount target deployments force cross-AZ traffic, increasing response times
- Higher costs: Cross-AZ data transfer incurs additional charges
- No failover capability: Applications cannot fail over to another AZ if issues arise
Severity: Medium
Remediation Steps
Prerequisites
You need permission to manage EFS file systems and mount targets in your AWS account. Specifically, you need the elasticfilesystem:CreateMountTarget and elasticfilesystem:DescribeMountTargets permissions.
AWS Console Method
For Regional EFS file systems (adding mount targets):
- Open the Amazon EFS console in us-east-1
- Click File systems in the left navigation
- Select the file system that needs additional mount targets
- Click the Network tab
- Click Manage next to Mount targets
- Click Add mount target
- Select a subnet in a different Availability Zone from your existing mount targets
- Choose or create a security group that allows NFS traffic (port 2049)
- Click Save
- Repeat steps 6-9 for each additional AZ you want to cover
For One Zone EFS file systems:
One Zone file systems cannot be converted to Regional. You must create a new Regional file system and migrate your data:
- Create a new Regional EFS file system with mount targets in at least two AZs
- Use AWS DataSync or rsync to copy data from the old file system to the new one
- Update your applications to use the new file system
- Decommission the old One Zone file system
AWS CLI (optional)
Check current mount targets:
aws efs describe-mount-targets \
  --file-system-id fs-12345678 \
  --region us-east-1
Add a mount target in a new AZ:
aws efs create-mount-target \
  --file-system-id fs-12345678 \
  --subnet-id subnet-abcdef12 \
  --security-groups sg-12345678 \
  --region us-east-1
Replace:
- fs-12345678 with your EFS file system ID
- subnet-abcdef12 with a subnet ID in a different AZ
- sg-12345678 with a security group that allows NFS traffic (port 2049)
Add mount targets to all AZs in a VPC:
# Get all subnets in your VPC (this may return more than one subnet per AZ)
SUBNETS=$(aws ec2 describe-subnets \
  --filters "Name=vpc-id,Values=vpc-12345678" \
  --query 'Subnets[*].SubnetId' \
  --output text \
  --region us-east-1)
# Try to create a mount target in each subnet; EFS allows only one mount
# target per AZ, so a second subnet in an already-covered AZ is rejected
for SUBNET in $SUBNETS; do
  aws efs create-mount-target \
    --file-system-id fs-12345678 \
    --subnet-id "$SUBNET" \
    --security-groups sg-12345678 \
    --region us-east-1 2>/dev/null || true
done
Note: The command fails silently for subnets in an AZ that already has a mount target, which is expected. Because 2>/dev/null || true also hides every other error (for example missing permissions), run describe-mount-targets afterwards to confirm that the expected targets exist.
CloudFormation (optional)
AWSTemplateFormatVersion: '2010-09-09'
Description: Multi-AZ EFS File System with mount targets in multiple Availability Zones
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC ID where the EFS file system will be created
  SubnetId1:
    Type: AWS::EC2::Subnet::Id
    Description: First subnet ID (in first AZ)
  SubnetId2:
    Type: AWS::EC2::Subnet::Id
    Description: Second subnet ID (in second AZ)
Resources:
  EFSFileSystem:
    Type: AWS::EFS::FileSystem
    Properties:
      PerformanceMode: generalPurpose
      Encrypted: true
      ThroughputMode: bursting
      FileSystemTags:
        - Key: Name
          Value: multi-az-efs
  EFSSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for EFS mount targets
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 2049
          ToPort: 2049
          CidrIp: 10.0.0.0/8
  MountTarget1:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref EFSFileSystem
      SubnetId: !Ref SubnetId1
      SecurityGroups:
        - !Ref EFSSecurityGroup
  MountTarget2:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref EFSFileSystem
      SubnetId: !Ref SubnetId2
      SecurityGroups:
        - !Ref EFSSecurityGroup
Outputs:
  FileSystemId:
    Description: EFS File System ID
    Value: !Ref EFSFileSystem
  MountTarget1Id:
    Description: Mount Target 1 ID
    Value: !Ref MountTarget1
  MountTarget2Id:
    Description: Mount Target 2 ID
    Value: !Ref MountTarget2
Deploy the stack:
aws cloudformation create-stack \
  --stack-name multi-az-efs \
  --template-body file://template.yaml \
  --parameters \
    ParameterKey=VpcId,ParameterValue=vpc-12345678 \
    ParameterKey=SubnetId1,ParameterValue=subnet-aaaaaaaa \
    ParameterKey=SubnetId2,ParameterValue=subnet-bbbbbbbb \
  --region us-east-1
Terraform (optional)
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "vpc_id" {
  description = "VPC ID where EFS will be created"
  type        = string
}

variable "subnet_ids" {
  description = "List of subnet IDs in different AZs for mount targets"
  type        = list(string)
}

resource "aws_efs_file_system" "multi_az" {
  creation_token = "multi-az-efs"
  encrypted      = true
  tags = {
    Name = "multi-az-efs"
  }
}

resource "aws_security_group" "efs" {
  name        = "efs-mount-target-sg"
  description = "Security group for EFS mount targets"
  vpc_id      = var.vpc_id

  ingress {
    from_port   = 2049
    to_port     = 2049
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "efs-mount-target-sg"
  }
}

resource "aws_efs_mount_target" "multi_az" {
  count           = length(var.subnet_ids)
  file_system_id  = aws_efs_file_system.multi_az.id
  subnet_id       = var.subnet_ids[count.index]
  security_groups = [aws_security_group.efs.id]
}

output "file_system_id" {
  description = "EFS File System ID"
  value       = aws_efs_file_system.multi_az.id
}

output "mount_target_ids" {
  description = "Mount Target IDs"
  value       = aws_efs_mount_target.multi_az[*].id
}
Apply the configuration:
terraform init
terraform apply -var="vpc_id=vpc-12345678" -var='subnet_ids=["subnet-aaaaaaaa","subnet-bbbbbbbb"]'
Verification
After adding mount targets, verify your EFS file system has mount targets in multiple Availability Zones:
- Open the Amazon EFS console
- Select your file system
- Click the Network tab
- Confirm that mount targets exist in at least two different Availability Zones
- Verify each mount target shows Available status
CLI verification
aws efs describe-mount-targets \
  --file-system-id fs-12345678 \
  --query 'MountTargets[*].[MountTargetId,AvailabilityZoneName,LifeCycleState]' \
  --output table \
  --region us-east-1
The output should list at least two mount targets in different AZs, each with LifeCycleState available.
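The evaluation logic behind this check, as an added example that is not part of the original guide: it takes describe-file-systems and describe-mount-targets output (a constructed sample is embedded, so it runs offline), counts only mount targets in the available state as AZ coverage, and fails One Zone file systems outright since they can never satisfy the check. The function names are my own, not an AWS or Prowler API.

```python
import json
from typing import Dict, List

# Constructed sample (not real account data): the shape of
# `aws efs describe-mount-targets --file-system-id fs-12345678` output,
# with one target available and a second still being created.
SAMPLE_MOUNT_TARGETS = json.loads("""
{"MountTargets": [
  {"MountTargetId": "fsmt-0000000a", "FileSystemId": "fs-12345678",
   "SubnetId": "subnet-aaaaaaaa", "AvailabilityZoneName": "us-east-1a",
   "LifeCycleState": "available", "VpcId": "vpc-12345678"},
  {"MountTargetId": "fsmt-0000000b", "FileSystemId": "fs-12345678",
   "SubnetId": "subnet-bbbbbbbb", "AvailabilityZoneName": "us-east-1b",
   "LifeCycleState": "creating", "VpcId": "vpc-12345678"}
]}
""")


def available_azs(mount_targets: Dict) -> List[str]:
    """Distinct AZs that have a mount target in the 'available' state.
    Targets still creating, deleting or in error do not count as coverage."""
    return sorted({mt["AvailabilityZoneName"]
                   for mt in mount_targets.get("MountTargets", [])
                   if mt.get("LifeCycleState") == "available"})


def evaluate_multi_az(file_system: Dict, mount_targets: Dict,
                      minimum_azs: int = 2) -> Dict:
    """Produce a finding for one file system. file_system is one entry of
    describe-file-systems output; One Zone file systems carry an
    'AvailabilityZoneName' key there and are failed without counting targets."""
    fs_id = file_system.get("FileSystemId", "<unknown>")
    if "AvailabilityZoneName" in file_system:
        return {"file_system": fs_id, "status": "FAIL",
                "reason": f"One Zone file system pinned to "
                          f"{file_system['AvailabilityZoneName']}; "
                          "migrate to a Regional file system"}
    azs = available_azs(mount_targets)
    pending = [mt["MountTargetId"] for mt in mount_targets.get("MountTargets", [])
               if mt.get("LifeCycleState") != "available"]
    if len(azs) >= minimum_azs:
        return {"file_system": fs_id, "status": "PASS", "azs": azs}
    return {"file_system": fs_id, "status": "FAIL", "azs": azs,
            "pending": pending,
            "reason": f"only {len(azs)} AZ(s) with an available mount target, "
                      f"need {minimum_azs}"}
```

Feed it the JSON from `aws efs describe-file-systems` and `aws efs describe-mount-targets --output json` to run it against a real account; a target reported in pending is worth re-checking rather than treating as coverage.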
Additional Resources
- Amazon EFS: Availability and Durability
- Accessing EFS File Systems
- Creating Mount Targets
- EFS Performance Best Practices
Notes
- One mount target per AZ: You can only have one mount target per Availability Zone per file system
- Same VPC requirement: All mount targets for a file system must be in the same VPC
- One Zone limitations: One Zone storage class file systems cannot have multiple mount targets and cannot be converted to Regional; you must migrate to a new file system
- Security groups: Ensure your mount target security groups allow NFS traffic (TCP port 2049) from your application instances
- Cost consideration: Regional file systems with multiple mount targets provide better availability but store data redundantly across multiple AZs, which may affect storage costs