Amazon EFS Volumes

PreviousAmazon EBS Volumes NextAmazon FSx Volumes

Last updated 2 months ago

Amazon EFS Volumes

Architecture

The Console initiates an EFS scan job, whether triggered by an on-demand scan or a set schedule
The scanning agent initiates a crawl job to identify files in the target EFS volume
Crawl job places objects to be scanned in an SQS Queue
The scanning agent initiates a scan job, reading files from the Queue and scanning them for viruses
Results are sent to CloudWatch
Job status and other scan details are sent to DynamoDB
The Console service ingests details from CloudWatch and DynamoDB, and when the scan is done, scanning architecture is torn down

Console EFS Protection Page

The EFS Protection page will show you any EFS volumes that are associated with the account that you have deployed our solution in, as well as volumes from any accounts linked to your console. Here you'll be able to create Antivirus scanning and Data classification schedules for EFS Volumes.

Currently you can only scan EFS volumes in the account that you deployed our solution in. If you have EFS volumes in other accounts you'll need to deploy a separate deployment in those accounts to scan those volumes.

You can choose to show or hide the EFS volumes from your linked accounts by clicking the 'Show/Hide Linked Accounts' button at the top of the page.

Creating an EFS volume scan or classification schedule

Select the EFS volumes you want to protect through a schedule
Click actions and select either Create AV Schedule or Create DC Schedule
You can select any additional EFS volumes and add EBS volumes or S3 buckets to the schedule through the schedule popup
Once you have all of the resources you want to add to a schedule selected, click on the Create Schedule tab
Name your schedule, add the scan period and make any additional changes you need
Click Save once you're done

After your schedule is created you'll want to go to the Schedules page and activate the schedule.

When activating the schedule you will be asked to select the VPC and Subnets where the EFS Volume being scanned resides. This step is critical, as we must place an agent within the same VPC as the Volume to run a scan of the Volume. If the selected VPC for the agent differs from the EFS Volume VPC, the two VPCs must be peered for our scan to execute.

Also note that the chosen VPC and Subnets must allow outbound internet traffic, and mount targets for the EFS Volume(s) must exist in the selected subnets' availability zones.

Now your schedule will run per the scan period that you originally configured. If you need to add or remove volumes, or make any other configuration changes you can always edit the schedule on the Schedules page.

Volume Schedule Statuses

The schedule icons shown below will reflect whether a bucket is associated with a schedule and whether that schedule is active or not.