turbot/steampipe-mod-aws-compliance

Control: 4 FSx for NetApp ONTAP file systems should be configured for Multi-AZ deployment

Description

This control checks whether an Amazon FSx for NetApp ONTAP file system is configured to use a multiple Availability Zones (Multi-AZ) deployment type. The control fails if the file system isn't configured to use a Multi-AZ deployment type. You can optionally specify a list of deployment types to include in the evaluation.

Amazon FSx for NetApp ONTAP supports several deployment types for file systems: Single-AZ 1, Single-AZ 2, Multi-AZ 1, and Multi-AZ 2. The deployment types offer different levels of availability and durability. We recommend using a Multi-AZ deployment type for most production workloads due to the high availability and durability model that Multi-AZ deployment types provide. Multi-AZ file systems support all the availability and durability features of Single-AZ file systems. In addition, they're designed to provide continuous availability to data even when an Availability Zone (AZ) is unavailable.

Remediation

You can't change the deployment type for an existing Amazon FSx for NetApp ONTAP file system. However, you can back up the data, and then restore it on a new file system that uses a Multi-AZ deployment type.

For information about deployment types and options for FSx for ONTAP file systems, see Availability, durability, and deployment options and Managing file systems in the FSx for ONTAP User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_fsx_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_fsx_4 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when file_system_type <> 'ONTAP' then 'skip'
    when (ontap_configuration ->> 'DeploymentType') in ('MULTI_AZ_1', 'MULTI_AZ_2') then 'ok'
    else 'alarm'
  end as status,
  case
    when file_system_type <> 'ONTAP' then title || ' is of ' || file_system_type || ' type file system.'
    when (ontap_configuration ->> 'DeploymentType') in ('MULTI_AZ_1', 'MULTI_AZ_2') then title || ' Multi-AZ deployment enabled.'
    else title || ' Multi-AZ deployment disabled.'
  end as reason,
  region,
  account_id
from
  aws_fsx_file_system;
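The following is an added example, not code from the steampipe-mod-aws-compliance project: it re-implements the named query's status and reason logic in Python so the evaluation can be run offline against constructed rows, and it adds the optional list of accepted deployment types that the description mentions but the query hard-codes. The row dictionaries mirror the aws_fsx_file_system columns the query reads (arn, title, file_system_type, ontap_configuration, region, account_id); the ARNs, account ID and file system IDs are constructed placeholders, and treating title as the file system ID is an assumption for the sample data.

```python
"""Offline re-implementation of control foundational_security_fsx_4 (added example)."""
from typing import Iterable

# Default matches the named query: only the two Multi-AZ deployment types pass.
MULTI_AZ_TYPES = ("MULTI_AZ_1", "MULTI_AZ_2")


def evaluate_file_system(fs: dict, accepted: Iterable[str] = MULTI_AZ_TYPES) -> dict:
    """Return the resource/status/reason row for one aws_fsx_file_system-shaped record.

    'skip'  - not an ONTAP file system, so the control does not apply
    'ok'    - ONTAP and DeploymentType is in the accepted list
    'alarm' - ONTAP but single-AZ (or DeploymentType missing entirely)
    """
    accepted = set(accepted)
    title = fs.get("title") or fs.get("arn", "")
    fs_type = fs.get("file_system_type")
    # ontap_configuration is NULL for Windows/Lustre/OpenZFS file systems; guard the
    # lookup the same way the SQL `->>` operator tolerates a NULL JSON column.
    deployment = (fs.get("ontap_configuration") or {}).get("DeploymentType")

    if fs_type != "ONTAP":
        status, reason = "skip", f"{title} is of {fs_type} type file system."
    elif deployment in accepted:
        status, reason = "ok", f"{title} Multi-AZ deployment enabled."
    else:
        # A NULL DeploymentType falls through to alarm in SQL as well: NULL IN (...) is not true.
        status, reason = "alarm", f"{title} Multi-AZ deployment disabled."

    return {
        "resource": fs.get("arn"),
        "status": status,
        "reason": reason,
        "region": fs.get("region"),
        "account_id": fs.get("account_id"),
    }


def evaluate_all(rows: Iterable[dict], accepted: Iterable[str] = MULTI_AZ_TYPES) -> list:
    """Evaluate every row, equivalent to running the query over the whole table."""
    return [evaluate_file_system(r, accepted) for r in rows]


def summarize(results: Iterable[dict]) -> dict:
    """Roll results up per status, the way a control run reports its totals."""
    counts = {"ok": 0, "alarm": 0, "skip": 0}
    for r in results:
        counts[r["status"]] += 1
    return counts


# Constructed sample rows (placeholder account, region and file system IDs).
SAMPLE_ROWS = [
    {"arn": "arn:aws:fsx:us-east-1:111122223333:file-system/fs-0000000000000001",
     "title": "fs-0000000000000001", "file_system_type": "ONTAP",
     "ontap_configuration": {"DeploymentType": "MULTI_AZ_1"},
     "region": "us-east-1", "account_id": "111122223333"},
    {"arn": "arn:aws:fsx:us-east-1:111122223333:file-system/fs-0000000000000002",
     "title": "fs-0000000000000002", "file_system_type": "ONTAP",
     "ontap_configuration": {"DeploymentType": "SINGLE_AZ_1"},
     "region": "us-east-1", "account_id": "111122223333"},
    {"arn": "arn:aws:fsx:us-east-1:111122223333:file-system/fs-0000000000000003",
     "title": "fs-0000000000000003", "file_system_type": "LUSTRE",
     "ontap_configuration": None,
     "region": "us-east-1", "account_id": "111122223333"},
    {"arn": "arn:aws:fsx:eu-west-1:111122223333:file-system/fs-0000000000000004",
     "title": "fs-0000000000000004", "file_system_type": "ONTAP",
     "ontap_configuration": {"DeploymentType": "MULTI_AZ_2"},
     "region": "eu-west-1", "account_id": "111122223333"},
]


if __name__ == "__main__":
    results = evaluate_all(SAMPLE_ROWS)
    for row in results:
        print(f"{row['status']:5}  {row['region']:10}  {row['reason']}")
    print(summarize(results))
    # Narrowing the accepted list (as the description allows) flags the MULTI_AZ_2 system too.
    print(summarize(evaluate_all(SAMPLE_ROWS, accepted=("MULTI_AZ_1",))))
```

Passing a narrower `accepted` tuple is how the optional deployment-type list from the description is applied here; with the default it behaves exactly like the named query, including alarming on an ONTAP file system whose DeploymentType is absent.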

Tags