Control: 1 FSx for OpenZFS file systems should be configured to copy tags to backups and volumes
Description
This control checks if an Amazon FSx for OpenZFS file system is configured to copy tags to backups and volumes. The control fails if the OpenZFS file system isn't configured to copy tags to backups and volumes.
Identification and inventory of your IT assets is an important aspect of governance and security. Tags help you categorize your AWS resources in different ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type because you can quickly identify a specific resource based on the tags that you assigned to it.
Remediation
To configure an FSx for OpenZFS file system to copy tags to backups and volumes, see Updating a file system in the Amazon FSx OpenZFS User Guide.
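The remediation comes down to turning on both flags through the FSx UpdateFileSystem API. The following is an added example, not code from Powerpipe or the AWS guide: it applies the control's skip/ok/alarm rules to a DescribeFileSystems-shaped response and builds the `update_file_system` arguments for each failing file system. The function names and the sample file system IDs are assumptions made for illustration, and `fsx_client` is assumed to be a boto3 FSx client.

```python
# Constructed sample shaped like an FSx DescribeFileSystems response
# (not output from a real account; the IDs are made up).
SAMPLE_RESPONSE = {"FileSystems": [
    {"FileSystemId": "fs-00000000000000001", "FileSystemType": "OPENZFS",
     "OpenZFSConfiguration": {"CopyTagsToBackups": True, "CopyTagsToVolumes": True}},
    {"FileSystemId": "fs-00000000000000002", "FileSystemType": "OPENZFS",
     "OpenZFSConfiguration": {"CopyTagsToBackups": True, "CopyTagsToVolumes": False}},
    {"FileSystemId": "fs-00000000000000003", "FileSystemType": "LUSTRE"},
    {"FileSystemId": "fs-00000000000000004", "FileSystemType": "OPENZFS",
     "OpenZFSConfiguration": {}},  # flags absent: treated as disabled
]}

FLAGS = ("CopyTagsToBackups", "CopyTagsToVolumes")


def evaluate(fs):
    """Return 'skip', 'ok' or 'alarm' using the same rules as the control's query."""
    if fs.get("FileSystemType") != "OPENZFS":
        return "skip"
    cfg = fs.get("OpenZFSConfiguration") or {}
    return "ok" if all(cfg.get(flag) is True for flag in FLAGS) else "alarm"


def remediation_plan(response):
    """Build update_file_system keyword arguments for every file system in alarm."""
    plan = []
    for fs in response.get("FileSystems", []):
        if evaluate(fs) != "alarm":
            continue
        cfg = fs.get("OpenZFSConfiguration") or {}
        # Request only the flags that are currently off or missing.
        wanted = {flag: True for flag in FLAGS if cfg.get(flag) is not True}
        plan.append({"FileSystemId": fs["FileSystemId"], "OpenZFSConfiguration": wanted})
    return plan


def apply_plan(fsx_client, plan, dry_run=True):
    """Send each planned update unless dry_run is set; return the IDs updated."""
    updated = []
    for kwargs in plan:
        if not dry_run:
            fsx_client.update_file_system(**kwargs)
            updated.append(kwargs["FileSystemId"])
    return updated


if __name__ == "__main__":
    for entry in remediation_plan(SAMPLE_RESPONSE):
        print(entry)
```

Against a real account, feed each page returned by the boto3 FSx `describe_file_systems` call to `remediation_plan`, review the plan, then call `apply_plan` with `dry_run=False`.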
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_fsx_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_fsx_1 --share
SQL
This control uses a named query:
select
  arn as resource,
  case
    when file_system_type <> 'OPENZFS' then 'skip'
    when (open_zfs_configuration ->> 'CopyTagsToBackups')::bool and (open_zfs_configuration ->> 'CopyTagsToVolumes')::bool then 'ok'
    else 'alarm'
  end as status,
  case
    when file_system_type <> 'OPENZFS' then title || ' is of ' || file_system_type || ' type file system.'
    when (open_zfs_configuration ->> 'CopyTagsToBackups')::bool and (open_zfs_configuration ->> 'CopyTagsToVolumes')::bool then title || ' copy tags to backup and volume enabled.'
    when (open_zfs_configuration ->> 'CopyTagsToBackups')::bool then title || ' copy tags to backup enabled but disabled for volume.'
    when (open_zfs_configuration ->> 'CopyTagsToVolumes')::bool then title || ' copy tags to volume enabled but disabled for backup.'
    else title || ' copy tags to backup and volume disabled.'
  end as reason,
  region,
  account_id
from
  aws_fsx_file_system;