Control: 5 FSx for Windows File Server file systems should be configured for Multi-AZ deployment
Description
This control checks whether an Amazon FSx for Windows File Server file system is configured to use the multiple Availability Zones (Multi-AZ) deployment type. The control fails if the file system isn't configured to use the Multi-AZ deployment type.
Amazon FSx for Windows File Server supports two deployment types for file systems: Single-AZ and Multi-AZ. The deployment types offer different levels of availability and durability. Single-AZ file systems are composed of a single Windows file server instance and a set of storage volumes within a single Availability Zone (AZ). Multi-AZ file systems are composed of a high-availability cluster of Windows file servers spread across two Availability Zones. We recommend using the Multi-AZ deployment type for most production workloads due to the high availability and durability model that it provides.
Remediation
You can configure an Amazon FSx for Windows File Server file system to use the Multi-AZ deployment type when you create the file system. You can't change the deployment type for an existing FSx for Windows File Server file system.
For information about deployment types and options for FSx for Windows File Server file systems, see Availability and durability: Single-AZ and Multi-AZ file systems and Getting started with Amazon FSx for Windows File Server in the Amazon FSx for Windows File Server User Guide.
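Because the deployment type is fixed at creation, the same check is worth applying before a file system exists. The following is an added example, not part of the control or the mod: it evaluates a parsed CloudFormation template with the control's skip/ok/alarm statuses. The sample template, logical IDs and subnet IDs are constructed, and the function name is hypothetical.

```python
# Added example: pre-deployment version of the control for CloudFormation templates.
FSX_TYPE = "AWS::FSx::FileSystem"

def check_template(template):
    """Return {logical_id: (status, reason)} using the control's skip/ok/alarm statuses."""
    results = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != FSX_TYPE:
            continue  # not an FSx file system, out of scope for this control
        props = res.get("Properties", {})
        fs_type = props.get("FileSystemType")
        if fs_type != "WINDOWS":
            results[name] = ("skip", f"{name} is of {fs_type} type file system.")
            continue
        # An omitted DeploymentType is not Multi-AZ: FSx defaults to SINGLE_AZ_1.
        win_cfg = props.get("WindowsConfiguration") or {}
        deployment = win_cfg.get("DeploymentType", "SINGLE_AZ_1")
        if isinstance(deployment, dict):
            # Intrinsic function (Ref, Fn::If, ...) cannot be resolved statically.
            results[name] = ("alarm", f"{name} DeploymentType is not a literal value.")
        elif deployment == "MULTI_AZ_1":
            results[name] = ("ok", f"{name} Multi-AZ deployment enabled.")
        else:
            results[name] = ("alarm", f"{name} Multi-AZ deployment disabled ({deployment}).")
    return results

# Constructed sample template; logical IDs and subnet IDs are made up.
SAMPLE = {"Resources": {
    "ProdShare": {"Type": FSX_TYPE, "Properties": {
        "FileSystemType": "WINDOWS",
        "SubnetIds": ["subnet-aaaa1111", "subnet-bbbb2222"],
        "WindowsConfiguration": {"DeploymentType": "MULTI_AZ_1",
                                 "PreferredSubnetId": "subnet-aaaa1111",
                                 "ThroughputCapacity": 32}}},
    "TeamShare": {"Type": FSX_TYPE, "Properties": {
        "FileSystemType": "WINDOWS",
        "SubnetIds": ["subnet-aaaa1111"],
        "WindowsConfiguration": {"ThroughputCapacity": 32}}},  # DeploymentType omitted
    "Scratch": {"Type": FSX_TYPE, "Properties": {
        "FileSystemType": "LUSTRE", "SubnetIds": ["subnet-aaaa1111"]}},
    "Bucket": {"Type": "AWS::S3::Bucket"},
}}

if __name__ == "__main__":
    for name, (status, reason) in check_template(SAMPLE).items():
        print(f"{status:5} {reason}")
```

A template whose DeploymentType comes from a parameter or condition is reported as alarm here, so resolve parameters first if you want a definitive result.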
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_fsx_5
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_fsx_5 --share
SQL
This control uses a named query:
select
  arn as resource,
  case
    when file_system_type <> 'WINDOWS' then 'skip'
    when (windows_configuration ->> 'DeploymentType') = 'MULTI_AZ_1' then 'ok'
    else 'alarm'
  end as status,
  case
    when file_system_type <> 'WINDOWS' then title || ' is of ' || file_system_type || ' type file system.'
    when (windows_configuration ->> 'DeploymentType') = 'MULTI_AZ_1' then title || ' Multi-AZ deployment enabled.'
    else title || ' Multi-AZ deployment disabled.'
  end as reason,
  region,
  account_id
from
  aws_fsx_file_system;