turbot/steampipe-mod-aws-compliance

Control: 3 FSx for OpenZFS file systems should be configured for Multi-AZ deployment

Description

This control checks whether an Amazon FSx for OpenZFS file system is configured to use the multiple Availability Zones (Multi-AZ) deployment type. The control fails if the file system isn't configured to use the Multi-AZ deployment type.

Amazon FSx for OpenZFS supports several deployment types for file systems: Multi-AZ (HA), Single-AZ (HA), and Single-AZ (non-HA). The deployment types offer different levels of availability and durability. Multi-AZ (HA) file systems are composed of a high-availability (HA) pair of file servers that are spread across two Availability Zones (AZs). We recommend using the Multi-AZ (HA) deployment type for most production workloads due to the high availability and durability model that it provides.

Remediation

You can configure an Amazon FSx for OpenZFS file system to use the Multi-AZ deployment type when you create the file system. You can't change the deployment type for an existing FSx for OpenZFS file system.

For information about deployment types and options for FSx for OpenZFS file systems, see Availability and durability for Amazon FSx for OpenZFS and Managing file system resources in the Amazon FSx for OpenZFS User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_fsx_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_fsx_3 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when file_system_type <> 'OPENZFS' then 'skip'
    when open_zfs_configuration ->> 'DeploymentType' = 'MULTI_AZ_1' then 'ok'
    else 'alarm'
  end as status,
  case
    when file_system_type <> 'OPENZFS' then title || ' is of ' || file_system_type || ' type file system.'
    when open_zfs_configuration ->> 'DeploymentType' = 'MULTI_AZ_1' then title || ' Multi-AZ deployment enabled.'
    else title || ' Multi-AZ deployment disabled.'
  end as reason,
  region,
  account_id
from
  aws_fsx_file_system;
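The same classification can be reproduced without Steampipe, directly over the JSON that the FSx DescribeFileSystems API returns (the data the aws_fsx_file_system table is built from). The following is an added example, not part of the mod, and it does not call AWS: the response below is a constructed sample with made-up file system IDs and an obviously fake account number. It mirrors the three branches of the named query, derives region and account_id from the resource ARN, and makes the edge case explicit: an OpenZFS file system whose record lacks OpenZFSConfiguration or DeploymentType lands in 'alarm', just as the SQL `->>` lookup yields NULL and falls through to the ELSE branch. The deployment type is also returned as a separate field so that a non-compliant result can be triaged (Single-AZ HA versus Single-AZ non-HA) without a second query.

```python
"""Evaluate the FSx.3 Multi-AZ check over DescribeFileSystems output.

Added example mirroring the named query above. The record shape is that of
boto3's client("fsx").describe_file_systems(); no AWS calls are made here.
"""
from typing import Dict, List, Optional

# Deployment type the control treats as compliant (taken from the query above).
MULTI_AZ_DEPLOYMENT_TYPE = "MULTI_AZ_1"


def _arn_parts(arn: Optional[str]) -> Dict[str, Optional[str]]:
    """Extract region and account id from an AWS ARN (arn:partition:service:region:account:...)."""
    if not arn:
        return {"region": None, "account_id": None}
    parts = arn.split(":")
    if len(parts) < 6:
        return {"region": None, "account_id": None}
    return {"region": parts[3] or None, "account_id": parts[4] or None}


def evaluate_file_system(fs: Dict) -> Dict[str, Optional[str]]:
    """Return resource/status/reason for one file system record.

    non-OpenZFS      -> 'skip'   (other FSx types are out of scope for this control)
    MULTI_AZ_1       -> 'ok'
    anything else    -> 'alarm'  (includes a missing OpenZFSConfiguration/DeploymentType)
    """
    title = fs.get("FileSystemId", "<unknown>")
    fs_type = fs.get("FileSystemType")
    # `or {}` guards against a record with no OpenZFSConfiguration key at all.
    deployment_type = (fs.get("OpenZFSConfiguration") or {}).get("DeploymentType")

    if fs_type != "OPENZFS":
        status, reason = "skip", f"{title} is of {fs_type} type file system."
    elif deployment_type == MULTI_AZ_DEPLOYMENT_TYPE:
        status, reason = "ok", f"{title} Multi-AZ deployment enabled."
    else:
        status, reason = "alarm", f"{title} Multi-AZ deployment disabled."

    result = {
        "resource": fs.get("ResourceARN", title),
        "status": status,
        "reason": reason,
        "deployment_type": deployment_type,  # extra triage field, not in the SQL
    }
    result.update(_arn_parts(fs.get("ResourceARN")))
    return result


def evaluate_all(response: Dict) -> List[Dict[str, Optional[str]]]:
    """Evaluate every record in a DescribeFileSystems response."""
    return [evaluate_file_system(fs) for fs in response.get("FileSystems", [])]


def summarize(results: List[Dict[str, Optional[str]]]) -> Dict[str, int]:
    """Count results per status, the way a control summary line would."""
    counts = {"ok": 0, "alarm": 0, "skip": 0}
    for r in results:
        counts[r["status"]] += 1
    return counts


# Constructed sample response: fake IDs and account number, not real data.
SAMPLE_RESPONSE = {
    "FileSystems": [
        {"FileSystemId": "fs-0a1b2c3d4e5f60001", "FileSystemType": "OPENZFS",
         "ResourceARN": "arn:aws:fsx:us-east-1:111111111111:file-system/fs-0a1b2c3d4e5f60001",
         "OpenZFSConfiguration": {"DeploymentType": "MULTI_AZ_1"}},
        {"FileSystemId": "fs-0a1b2c3d4e5f60002", "FileSystemType": "OPENZFS",
         "ResourceARN": "arn:aws:fsx:us-east-1:111111111111:file-system/fs-0a1b2c3d4e5f60002",
         "OpenZFSConfiguration": {"DeploymentType": "SINGLE_AZ_HA_2"}},
        {"FileSystemId": "fs-0a1b2c3d4e5f60003", "FileSystemType": "LUSTRE",
         "ResourceARN": "arn:aws:fsx:us-west-2:111111111111:file-system/fs-0a1b2c3d4e5f60003",
         "LustreConfiguration": {"DeploymentType": "PERSISTENT_2"}},
        # OpenZFS record with no OpenZFSConfiguration at all: must not crash, must alarm.
        {"FileSystemId": "fs-0a1b2c3d4e5f60004", "FileSystemType": "OPENZFS",
         "ResourceARN": "arn:aws:fsx:eu-west-1:111111111111:file-system/fs-0a1b2c3d4e5f60004"},
    ]
}

if __name__ == "__main__":
    results = evaluate_all(SAMPLE_RESPONSE)
    for r in results:
        print(f"{r['status']:5} {r['region']} {r['reason']} [DeploymentType={r['deployment_type']}]")
    print(summarize(results))
```

To run this against a live account, replace SAMPLE_RESPONSE with the paginated output of describe_file_systems; the evaluation functions need no change.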

Tags