AWS Security Hub · EFS
EFS.2: EFS has no automatic backups
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub EFS.2 check?
EFS.2 checks that an EFS file system is included in an AWS Backup plan. It reports FAILED when the file system is not covered by any backup plan, so there is no governed recovery point.
Why does EFS.2 matter?
Without backup-plan coverage, accidental deletion, corruption or ransomware against shared storage is unrecoverable — there is no scheduled, retained recovery point to roll back to. A governed plan gives you a defined retention policy and an audit trail that ad-hoc snapshots do not.
How do I fix EFS.2?
- Inventory which file systems are not protected by any backup plan.
- Either enable AWS-managed automatic backups, or assign the file system to a custom AWS Backup plan for more control over schedule and retention.
- Confirm recovery points actually land in the backup vault.
- Bake backup coverage into your IaC defaults so new file systems are protected on creation.
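The inventory, remediation and verification steps above, worked through as an added example (not part of the original page or of AWS tooling). It assumes the three API responses were captured with `aws efs describe-file-systems`, `aws backup list-protected-resources` and `aws backup list-recovery-points-by-backup-vault`; the sample data below is constructed, so nothing here calls AWS.

```python
"""EFS.2 triage from captured AWS API responses (added example).

Assumed capture commands (not run here):
  aws efs describe-file-systems                       -> FILE_SYSTEMS
  aws backup list-protected-resources                 -> PROTECTED
  aws backup list-recovery-points-by-backup-vault \
      --backup-vault-name Default                     -> RECOVERY_POINTS
"""
import json

# Constructed sample responses; account id and file system ids are placeholders.
_ARN = "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/"
FILE_SYSTEMS = json.loads(json.dumps({"FileSystems": [
    {"FileSystemId": "fs-0aaa", "FileSystemArn": _ARN + "fs-0aaa"},
    {"FileSystemId": "fs-0bbb", "FileSystemArn": _ARN + "fs-0bbb"},
]}))
PROTECTED = {"Results": [
    {"ResourceArn": _ARN + "fs-0aaa", "ResourceType": "EFS"},
]}
RECOVERY_POINTS = {"RecoveryPoints": [
    {"ResourceArn": _ARN + "fs-0aaa", "Status": "COMPLETED",
     "CreationDate": "2024-05-01T02:00:00Z"},
]}


def unprotected_file_systems(file_systems, protected):
    """Step 1: file systems in no backup plan, i.e. the set EFS.2 reports FAILED."""
    covered = {r["ResourceArn"] for r in protected["Results"]
               if r["ResourceType"] == "EFS"}
    return sorted(fs["FileSystemId"] for fs in file_systems["FileSystems"]
                  if fs["FileSystemArn"] not in covered)


def remediation_commands(fs_ids):
    """Step 2: enable AWS-managed automatic backups for each unprotected file system."""
    return [f"aws efs put-backup-policy --file-system-id {fs} "
            "--backup-policy Status=ENABLED" for fs in fs_ids]


def verified_recovery(file_systems, recovery_points):
    """Step 3: does a COMPLETED recovery point exist in the vault for each file system?"""
    done = {rp["ResourceArn"] for rp in recovery_points["RecoveryPoints"]
            if rp["Status"] == "COMPLETED"}
    return {fs["FileSystemId"]: fs["FileSystemArn"] in done
            for fs in file_systems["FileSystems"]}


if __name__ == "__main__":
    missing = unprotected_file_systems(FILE_SYSTEMS, PROTECTED)
    print("\n".join(remediation_commands(missing)))
    print(verified_recovery(FILE_SYSTEMS, RECOVERY_POINTS))
```

A file system that shows up as unprotected but already has recovery points was likely backed up ad hoc; the page's point is that only plan coverage gives it a retention policy and an audit trail.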
Remediation script · bash
# Set a 7-day backup floor on production databases below it (skip read replicas).
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?ReadReplicaSourceDBInstanceIdentifier==`null` && BackupRetentionPeriod<`7`].DBInstanceIdentifier' \
    --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --backup-retention-period 7 --no-apply-immediately
done

# Turn on DynamoDB point-in-time recovery (instant, no downtime).
aws dynamodb update-continuous-backups --table-name prod-orders \
    --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true

# Stop any snapshot in the account from being shared publicly, ever.
aws ec2 enable-snapshot-block-public-access --state block-all-sharing

Full walkthrough (console steps, edge cases and verification) in the lesson Configure backups and retention.