Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
35Dashboards
1534Benchmarks
673Queries
9Variables
GitHub

Control: 3 FSx for OpenZFS file systems should be configured for Multi-AZ deployment

Description

This control checks whether an Amazon FSx for OpenZFS file system is configured to use the multiple Availability Zones (Multi-AZ) deployment type. The control fails if the file system isn't configured to use the Multi-AZ deployment type.

Amazon FSx for OpenZFS supports several deployment types for file systems: Multi-AZ (HA), Single-AZ (HA), and Single-AZ (non-HA). The deployment types offer different levels of availability and durability. Multi-AZ (HA) file systems are composed of a high-availability (HA) pair of file servers that are spread across two Availability Zones (AZs). We recommend using the Multi-AZ (HA) deployment type for most production workloads due to the high availability and durability model that it provides.

Remediation

You can configure an Amazon FSx for OpenZFS file system to use the Multi-AZ deployment type when you create the file system. You can't change the deployment type for an existing FSx for OpenZFS file system.

For information about deployment types and options for FSx for OpenZFS file systems, see Availability and durability for Amazon FSx for OpenZFS and Managing file system resources in the Amazon FSx for OpenZFS User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_fsx_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_fsx_3 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when file_system_type <> 'OPENZFS' then 'skip'
    when open_zfs_configuration ->> 'DeploymentType' = 'MULTI_AZ_1' then 'ok'
    else 'alarm'
  end as status,
  case
    when file_system_type <> 'OPENZFS' then title || ' is of ' || file_system_type || ' type file system.'
    when open_zfs_configuration ->> 'DeploymentType' = 'MULTI_AZ_1' then title || ' Multi-AZ deployment enabled.'
    else title || ' Multi-AZ deployment disabled.'
  end as reason
  
  , region, account_id
from
  aws_fsx_file_system;

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = high_availability
foundational_security_item_id = fsx_3
plugin = aws
service = AWS/FSx