Overview

Amazon Elastic File System (Amazon EFS) provides simple, scalable file storage for use with Amazon EC2, including ECS. With Amazon EFS, storage capacity is elastic, growing and shrinking automatically as you add and remove files, so your applications have the storage they need, when they need it.  Amazon EFS supports the Network File System version 4 (NFSv4.1 and NFSv4.0) protocol, so the applications and tools that you use today work seamlessly with Amazon EFS. 

Pricing Guidelines

With Amazon EFS, you pay only for the amount of file system storage you use per month. When using the Provisioned Throughput mode you pay for the throughput you provision per month. There is no minimum fee and there are no set-up charges.  For pricing details refer to the pricing table from the EFS pricing page.

Architecture

Amazon EFS Bursting Throughput (Default)

In the default Bursting Throughput mode, there are no charges for bandwidth or requests; a baseline throughput of 50 KB/s per GB of stored data is included in the price of storage.

Amazon EFS Provisioned Throughput

You can optionally select the Provisioned Throughput mode and provision the throughput of your file system independent of the amount of data stored and pay separately for storage and throughput. Like the default Bursting Throughput mode, the Provisioned Throughput mode also includes 50 KB/s per GB (or 1 MB/s per 20 GB) of throughput in the price of storage. You are billed only for the throughput provisioned above what you are provided based on data you have stored.

EFS File Sync

EFS File Sync provides a fast and simple way to securely move data from existing on-premises or in-cloud file systems into Amazon EFS file systems.  Pricing for EFS File Sync is simple. You pay per-GB for data copied to Amazon EFS. You can track the amount of data synced with Amazon CloudWatch. If your source file system is in AWS, you will be billed at standard EC2 rates for the instance on which the File Sync agent runs.

NFS Considerations

Amazon EFS provides an NFS volume that users mount on their EC2 instances, or on other services built on EC2 where users have access to the underlying OS and can mount the NFS volume.  With this in mind, the intricacies of NFS must be considered when leveraging EFS in an architectural design.

Performance Modes

There are two performance modes to choose from when provisioning EFS volumes: General Purpose and Max I/O.  General Purpose is the default and is intended for latency-sensitive workloads (e.g. web serving, content management systems).  Max I/O mode is intended for highly parallelized applications such as big data analysis or media processing; it scales to higher aggregate throughput and operations per second at the cost of slightly higher per-operation latency.  When you are unsure which performance mode is right for your application, test the application against both modes and monitor for a period long enough to cover its different I/O scenarios.

An Amazon EFS file system's performance mode can't be changed after the file system has been created.

Throughput Modes

There are two throughput modes to choose from for your file system: Bursting Throughput and Provisioned Throughput. With Bursting Throughput mode, the default, throughput on Amazon EFS scales as your file system grows. With Provisioned Throughput mode, you can instantly provision the throughput of your file system (in MiB/s) independent of the amount of data stored.  This is very important to consider when architecting EFS for production environments: a small Bursting-mode file system has a correspondingly small baseline throughput.  Refer to this link to review the throughput performance tables.

Provisioned Throughput mode is available for applications with high throughput to storage (MiB/s per TiB) ratios, or with requirements greater than those allowed by the Bursting Throughput mode.  Additional charges are associated with using Provisioned Throughput mode. Using Provisioned Throughput mode, you are billed for the storage that you use and throughput that you provision independently.

Keep in mind that throughput limits remain the same, regardless of the throughput mode you choose.  As you design for customer environments, refer to the limits of EFS to ensure that it is the right solution for you.

Automated Safeguards

ClearDATA's Automated Safeguard for EFS ensures that every EFS File System is provisioned with encryption at rest enabled.  If a File System is deployed without the encryption flag (and without the exclusion tag described below), the Automated Safeguard removes the File System within minutes, because the encryption setting cannot be changed after a File System is created.
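The decision the Automated Safeguard has to make, and the order of API calls it needs to delete a non-compliant file system, expressed as an added Python example (this is not ClearDATA's implementation). It works over the dict shape returned by boto3's EFS describe_file_systems call so that it runs offline; the exclusion tag key, file system IDs and mount target IDs are constructed placeholders, and the fake client stands in for a real boto3 EFS client.

```python
"""Encryption-at-rest safeguard logic for Amazon EFS, written as pure
functions over the dict shape that boto3's
efs.describe_file_systems()["FileSystems"] returns, so it can be exercised
offline. Added example; not ClearDATA's own implementation."""
from __future__ import annotations

from dataclasses import dataclass

# Assumed tag key: the page says an exclusion tag exists but does not name it.
EXCLUSION_TAG_KEY = "cleardata:efs-safeguard-exclusion"


@dataclass(frozen=True)
class Finding:
    file_system_id: str
    action: str  # "compliant", "excluded" or "delete"
    reason: str


def tags_of(fs: dict) -> dict[str, str]:
    """Flatten the Tags list ([{Key, Value}, ...]) into a dict."""
    return {t["Key"]: t["Value"] for t in fs.get("Tags", [])}


def evaluate(fs: dict, exclusion_tag_key: str = EXCLUSION_TAG_KEY) -> Finding:
    """Decide what the safeguard does with one file system."""
    fs_id = fs["FileSystemId"]
    if fs.get("Encrypted", False):
        key = fs.get("KmsKeyId", "aws/elasticfilesystem (service default)")
        return Finding(fs_id, "compliant", f"encrypted at rest with {key}")
    if exclusion_tag_key in tags_of(fs):
        return Finding(fs_id, "excluded", f"unencrypted but tagged {exclusion_tag_key}")
    # Encryption cannot be turned on after creation, so the only remediation
    # is to remove the file system.
    return Finding(fs_id, "delete", "unencrypted and not excluded")


def remediate(client, finding: Finding) -> list[str]:
    """Delete a non-compliant file system. DeleteFileSystem is rejected while
    mount targets exist, so they are removed first. Returns the IDs deleted.
    `client` is anything exposing the three boto3 EFS calls used here."""
    if finding.action != "delete":
        return []
    deleted = []
    resp = client.describe_mount_targets(FileSystemId=finding.file_system_id)
    for mt in resp.get("MountTargets", []):
        client.delete_mount_target(MountTargetId=mt["MountTargetId"])
        deleted.append(mt["MountTargetId"])
    # Mount-target deletion is asynchronous: in production, poll
    # describe_mount_targets until it returns an empty list before this call.
    client.delete_file_system(FileSystemId=finding.file_system_id)
    deleted.append(finding.file_system_id)
    return deleted


# ---- constructed sample data and a recording fake client (not real AWS output) ----
SAMPLE_FILE_SYSTEMS = [
    {"FileSystemId": "fs-0aaa0001", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/example", "Tags": []},
    {"FileSystemId": "fs-0aaa0002", "Encrypted": False,
     "Tags": [{"Key": EXCLUSION_TAG_KEY, "Value": "ticket-1234"}]},
    {"FileSystemId": "fs-0aaa0003", "Encrypted": False,
     "Tags": [{"Key": "Name", "Value": "scratch"}]},
]


class FakeEfsClient:
    """Records the calls the safeguard would make against a real client."""

    def __init__(self, mount_targets: dict[str, list[str]]):
        self.mount_targets = mount_targets
        self.calls: list[tuple] = []

    def describe_mount_targets(self, FileSystemId):
        self.calls.append(("describe_mount_targets", FileSystemId))
        ids = self.mount_targets.get(FileSystemId, [])
        return {"MountTargets": [{"MountTargetId": m} for m in ids]}

    def delete_mount_target(self, MountTargetId):
        self.calls.append(("delete_mount_target", MountTargetId))

    def delete_file_system(self, FileSystemId):
        self.calls.append(("delete_file_system", FileSystemId))


def run_safeguard(file_systems, client) -> dict[str, list[str]]:
    """Evaluate every file system and remediate; returns {fs_id: deleted ids}."""
    return {f.file_system_id: remediate(client, f) for f in map(evaluate, file_systems)}


if __name__ == "__main__":
    client = FakeEfsClient({"fs-0aaa0003": ["fsmt-0001", "fsmt-0002"]})
    for fs in SAMPLE_FILE_SYSTEMS:
        f = evaluate(fs)
        print(f"{f.file_system_id}: {f.action} ({f.reason})")
    print(run_safeguard(SAMPLE_FILE_SYSTEMS, client))
```

To run this against an account, replace SAMPLE_FILE_SYSTEMS with the (paginated) output of client.describe_file_systems()["FileSystems"] and FakeEfsClient with boto3.client("efs"). The two points worth carrying into a real safeguard are that DeleteFileSystem fails while any mount target still exists, which is why the mount targets go first, and that mount-target deletion is asynchronous, so the final call must wait for them to disappear.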

Compliance Guidance

Encryption at Rest

EFS File Systems that will store sensitive data, such as PHI/PII, must be encrypted at rest.  ClearDATA recommends the use of the File System encryption option as addressed by the Automated Safeguard.  Connections to the EFS File System must use a Transport Layer Security enabled connection.  See Shared Responsibility for details. 

Remediation

If an EFS File System is provisioned without encryption at rest and carries no exclusion tag, the Automated Safeguard deletes the File System upon detection, typically within minutes of creation.  Because encryption cannot be enabled on an existing File System, the remediation is to recreate it with encryption at rest enabled.

Shared Responsibility

ClearDATA will ensure all EFS File Systems, unless specifically excluded, are provisioned with the encryption at rest option enabled.  Any EFS File Systems that do not have the encryption enabled and do not have the exclusion tag will be deleted upon detection. 

Customers are responsible for ensuring that EFS File Systems are mounted over a Transport Layer Security connection.  Encryption of PHI in transit for Amazon EFS is provided by TLS between the EFS service and the instance mounting the file system. EFS offers a mount helper that sets up the TLS connection for you. By default the mount helper does not use TLS; it must be enabled when mounting the file system. Ensure that the mount command contains the "-o tls" option to enable TLS encryption. Alternatively, customers who choose not to use the EFS mount helper can follow the instructions at Encrypting Data and Metadata in EFS to configure their NFS clients to connect through a TLS tunnel.  Customers should ensure that the EFS service meets all of their business and regulatory requirements before using it to host sensitive data.
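A check for the mount-side half of this responsibility, added here as an example rather than ClearDATA tooling. When the mount helper is given -o tls (for example, mount -t efs -o tls fs-0123abcd:/ /mnt/phi, with a placeholder file system ID) it starts a local TLS tunnel and the kernel's NFS client connects to it over loopback, so a TLS-protected mount appears in /proc/mounts with 127.0.0.1 as its source, whereas a plaintext mount shows the file system's DNS name or a mount target IP. The script classifies /proc/mounts entries on that basis and prints the corrected mount command for each plaintext mount; the sample mount table, fstab content and file system IDs are constructed. It goes slightly beyond the page by also checking /etc/fstab, since a persistent efs entry without the tls option silently remounts in plaintext at boot.

```python
"""Audit whether EFS mounts on an instance use the mount helper's TLS tunnel.

With `mount -t efs -o tls`, the helper starts a local TLS tunnel and the
kernel NFS client connects to 127.0.0.1, so a TLS mount shows a loopback
source in /proc/mounts. An NFS mount whose source is the file system's DNS
name (fs-xxx.efs.<region>.amazonaws.com) went over the network in plaintext.
Added example, not ClearDATA tooling; sample data below is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

EFS_DNS = re.compile(r"^(fs-[0-9a-f]+)\.efs\.[a-z0-9-]+\.amazonaws\.com$")


@dataclass(frozen=True)
class MountCheck:
    mountpoint: str
    source: str
    status: str  # "tls", "plaintext" or "unverified"
    fix: str


def parse_mount_line(line: str):
    """Split a /proc/mounts or /etc/fstab line; None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 4:
        return None
    source, mountpoint, fstype, options = fields[:4]
    return source, mountpoint, fstype, set(options.split(","))


def check_proc_mounts(text: str) -> list[MountCheck]:
    """Classify live NFS mounts from /proc/mounts content."""
    results = []
    for line in text.splitlines():
        parsed = parse_mount_line(line)
        if not parsed:
            continue
        source, mountpoint, fstype, _opts = parsed
        if fstype not in ("nfs", "nfs4"):
            continue
        host = source.split(":", 1)[0]
        if host in ("127.0.0.1", "::1"):
            # Loopback source: the NFS session terminates at the helper's
            # local TLS tunnel, so the data leaves the instance encrypted.
            results.append(MountCheck(mountpoint, source, "tls", ""))
        elif (m := EFS_DNS.match(host)):
            fix = f"umount {mountpoint} && mount -t efs -o tls {m.group(1)}:/ {mountpoint}"
            results.append(MountCheck(mountpoint, source, "plaintext", fix))
        else:
            # A raw IP may be an EFS mount target reached without the tunnel,
            # or an unrelated NFS server; resolve and confirm manually.
            results.append(MountCheck(mountpoint, source, "unverified",
                                      "confirm whether this is an EFS mount target"))
    return results


def check_fstab(text: str) -> list[MountCheck]:
    """Classify persistent entries; an 'efs' entry without 'tls' remounts in plaintext."""
    results = []
    for line in text.splitlines():
        parsed = parse_mount_line(line)
        if not parsed:
            continue
        source, mountpoint, fstype, opts = parsed
        host = source.split(":", 1)[0]
        if fstype == "efs":
            ok = "tls" in opts
            fix = "" if ok else f"add 'tls' to the options of the {mountpoint} entry"
            results.append(MountCheck(mountpoint, source, "tls" if ok else "plaintext", fix))
        elif fstype in ("nfs", "nfs4") and EFS_DNS.match(host):
            results.append(MountCheck(mountpoint, source, "plaintext",
                                      f"change the {mountpoint} entry to type efs with the tls option"))
    return results


def noncompliant(checks: list[MountCheck]) -> list[str]:
    """Mount points that move data in plaintext."""
    return [c.mountpoint for c in checks if c.status == "plaintext"]


# ---- constructed sample input (not captured from a real instance) ----
SAMPLE_PROC_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
127.0.0.1:/ /mnt/phi nfs4 rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,hard,addr=127.0.0.1 0 0
fs-0123abcd.efs.us-east-1.amazonaws.com:/ /mnt/scratch nfs4 rw,relatime,vers=4.1,hard,addr=10.0.1.23 0 0
10.0.2.40:/export /mnt/legacy nfs4 rw,relatime,vers=4.1,hard,addr=10.0.2.40 0 0
"""

SAMPLE_FSTAB = """\
# <source>      <mountpoint>  <type>  <options>       <dump> <pass>
fs-0123abcd:/   /mnt/phi      efs     _netdev,tls     0 0
fs-0456ef01:/   /mnt/scratch  efs     _netdev         0 0
"""

if __name__ == "__main__":
    for c in check_proc_mounts(SAMPLE_PROC_MOUNTS) + check_fstab(SAMPLE_FSTAB):
        print(f"{c.status:10} {c.mountpoint:14} {c.source}  {c.fix}")
```

On a live instance, feed the script open("/proc/mounts").read() and open("/etc/fstab").read() instead of the samples. The "unverified" result is deliberate: an NFS mount addressed by a bare IP cannot be classified from the mount table alone, so the operator resolves the address against the EFS mount targets before deciding.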

Please contact your ClearDATA team for a copy of the Responsibilities Matrix.

Exclusion

Disabling automated remediation is done at the volume level, by way of the exclusion tag referenced under Shared Responsibility.  Please contact ClearDATA Support to request that an exclusion be placed to allow the volume to be created.

Reference Architecture Diagram

ClearDATA IAM Group

Users can be added to the Safeguards-EFS IAM group in order to access the EFS service.

RACI

R = Responsible, A = Accountable, C = Consulted, I = Informed

Item                                                                 ClearDATA   Customer
Creating EFS Volumes                                                 C           RA
Deleting EFS Volumes                                                 C           RA
Ensure at-rest encryption for EFS volume via Automated Safeguard     RA          CI
EFS Volume Management                                                C           RA
Configure Encryption in-transit between volumes and EC2 instances    C           RA
Creating Mount Targets                                               C           RA
Mounting EFS volumes to EC2 instances                                C           RA