EFS.7: EFS file systems should have automatic backups
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub EFS.7 check?
EFS.7 checks that an EFS file system has the native automatic-backup flag enabled. It reports FAILED when the file system's backup policy is not set to enabled.
Why does EFS.7 matter?
Automatic backups give a file system a daily recovery point with no plan to author or maintain — the simplest possible protection against accidental deletion or corruption. Without it, the file system has no native recovery point and depends entirely on whatever external backup plan may or may not cover it.
How do I fix EFS.7?
- Find file systems missing the flag by checking their backup policy.
- Turn it on with a single put-backup-policy call setting the status to ENABLED.
- Confirm recovery points start appearing in the AWS Backup vault.
- Set the flag in your provisioning path so new file systems arrive protected.
Remediation script · bash
# Set a 7-day backup floor on production databases below it (skip read replicas).
for db in $(aws rds describe-db-instances \
--query 'DBInstances[?ReadReplicaSourceDBInstanceIdentifier==`null` && BackupRetentionPeriod<`7`].DBInstanceIdentifier' --output text); do
aws rds modify-db-instance --db-instance-identifier "$db" \
--backup-retention-period 7 --no-apply-immediately
done
# Turn on DynamoDB point-in-time recovery (instant, no downtime).
aws dynamodb update-continuous-backups --table-name prod-orders \
--point-in-time-recovery-specification PointInTimeRecoveryEnabled=true
# Stop any snapshot in the account from being shared publicly, ever.
aws ec2 enable-snapshot-block-public-access --state block-all-sharing
Full walkthrough (console steps, edge cases and verification) in the lesson Configure backups and retention.
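The remediation steps above (find file systems whose backup policy is not enabled, call put-backup-policy with Status=ENABLED, then bake the flag into provisioning) as one runnable script. This is an added example, not Emnode's script or an AWS-supplied tool; it assumes AWS CLI v2 with elasticfilesystem:DescribeFileSystems, DescribeBackupPolicy and PutBackupPolicy permissions in the current profile, and the function names and the dry-run/apply modes are the example's own choices.

```shell
#!/usr/bin/env sh
# Added example for EFS.7 (not from the original page): list EFS file systems,
# report those whose backup policy is not ENABLED, and optionally enable it.
# Assumes AWS CLI v2 and EFS describe/put permissions for the active profile.

# Decide from a describe-backup-policy Status value whether EFS.7 would fail.
# ENABLED (or ENABLING, which converges to ENABLED) is compliant; DISABLED,
# DISABLING, or an empty value (policy never set / lookup failed) is not.
needs_remediation() {
  case "$1" in
    ENABLED|ENABLING) return 1 ;;
    *) return 0 ;;
  esac
}

# Pull the Status field out of describe-backup-policy JSON without needing jq.
backup_status_from_json() {
  printf '%s' "$1" | sed -n 's/.*"Status"[[:space:]]*:[[:space:]]*"\([A-Z]*\)".*/\1/p'
}

# Live path. mode=dry-run only reports; mode=apply calls put-backup-policy.
remediate_efs7() {
  mode="${1:-dry-run}"
  for fs in $(aws efs describe-file-systems \
      --query 'FileSystems[].FileSystemId' --output text); do
    # A file system with no policy may return an error rather than a document;
    # treat that the same as a disabled policy.
    policy_json=$(aws efs describe-backup-policy --file-system-id "$fs" 2>/dev/null || echo '')
    status=$(backup_status_from_json "$policy_json")
    if needs_remediation "$status"; then
      if [ "$mode" = "apply" ]; then
        aws efs put-backup-policy --file-system-id "$fs" --backup-policy Status=ENABLED
        echo "$fs: backup policy set to ENABLED"
      else
        echo "$fs: backup policy is '${status:-unset}' (would enable)"
      fi
    else
      echo "$fs: compliant ($status)"
    fi
  done
}

# Only touch the account when invoked with an explicit mode, so sourcing the
# file for its functions has no side effects:  sh efs7.sh dry-run | apply
case "${1:-}" in
  dry-run|apply) remediate_efs7 "$1" ;;
esac
```

Run it in dry-run mode first to see which file systems Security Hub will flag, then with apply. After applying, step 3 of the list above still applies: confirm that recovery points appear in the AWS Backup vault, because enabling the policy only schedules backups, it does not create one immediately. For new file systems, set the same Status=ENABLED in the creation path (the equivalent backup_policy argument in your IaC tool) rather than relying on this script after the fact.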
Is EFS.7 a false positive?
EFS.7's native automatic-backup flag is distinct from EFS.2's custom-backup-plan membership — both controls exist, and satisfying one does not satisfy the other.