Table: aws_efs_file_system - Query AWS Elastic File System using SQL
Amazon Elastic File System (EFS) is scalable, elastic NFS file storage for use with Amazon EC2 instances and other AWS compute services. File systems are quick to create and configure, and data is stored redundantly either across multiple Availability Zones within a Region (Regional file systems) or in a single Availability Zone (One Zone file systems). EFS is a regional service; a file system does not span Regions.
Table Usage Guide
The aws_efs_file_system table in Steampipe provides information about file systems within AWS Elastic File System (EFS). It lets you, as a DevOps or security engineer, query file-system-specific details such as the ID, ARN, creation token, performance and throughput mode, lifecycle state, encryption settings, file system policy and associated metadata. The schema below lists every column, including the file system ID, creation token, tags and the number of mount targets.
Examples
Basic info
Retrieve the core attributes of every file system: identifiers, owner, creation details, lifecycle state, mount target count, performance and throughput mode, and whether automatic backups are enabled. This is the starting inventory for the targeted checks that follow.
```sql
select
  name,
  file_system_id,
  owner_id,
  automatic_backups,
  creation_token,
  creation_time,
  life_cycle_state,
  number_of_mount_targets,
  performance_mode,
  throughput_mode
from
  aws_efs_file_system;
```
List file systems which are not encrypted at rest
List file systems that are not encrypted at rest, together with the Region and any KMS key, so you can prioritise remediation. Encryption at rest can only be chosen when a file system is created; an unencrypted file system cannot be converted in place, so fixing a finding means creating a new encrypted file system, migrating the data (for example with AWS DataSync) and retiring the old one.
Postgres:

```sql
select
  file_system_id,
  encrypted,
  kms_key_id,
  region
from
  aws_efs_file_system
where
  not encrypted;
```

SQLite:

```sql
select
  file_system_id,
  encrypted,
  kms_key_id,
  region
from
  aws_efs_file_system
where
  encrypted = 0;
```
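The encrypted flag alone does not tell you who manages the key, which is what the "EFS file systems should be encrypted with CMK" control listed below cares about. The following query is an added example, not part of the Steampipe docs or the plugin, that joins each file system to aws_kms_key and classifies it. It assumes kms_key_id holds the key ARN (as DescribeFileSystems returns it) and that aws_kms_key exposes arn, key_manager ('AWS' or 'CUSTOMER'), key_state and key_rotation_enabled. The two CTEs are constructed sample rows that shadow the real tables so the query runs on plain Postgres; delete them to run it against Steampipe.

```sql
-- Added example (not from the Steampipe docs). Both CTEs are constructed sample rows
-- standing in for the real tables; delete them to run the query against Steampipe.
-- Assumptions: kms_key_id holds the key ARN, and aws_kms_key exposes arn, key_manager
-- ('AWS' or 'CUSTOMER'), key_state and key_rotation_enabled.
with aws_efs_file_system(file_system_id, region, encrypted, kms_key_id) as (
  values
    ('fs-0aaa1111', 'us-east-1', false, null),
    ('fs-0bbb2222', 'us-east-1', true, 'arn:aws:kms:us-east-1:111122223333:key/11111111-1111-4111-8111-111111111111'),
    ('fs-0ccc3333', 'us-east-1', true, 'arn:aws:kms:us-east-1:111122223333:key/22222222-2222-4222-8222-222222222222'),
    -- key lives in another account, so it is not visible through this connection's aws_kms_key
    ('fs-0ddd4444', 'us-east-1', true, 'arn:aws:kms:us-east-1:999999999999:key/33333333-3333-4333-8333-333333333333')
),
aws_kms_key(arn, key_manager, key_state, key_rotation_enabled) as (
  values
    ('arn:aws:kms:us-east-1:111122223333:key/11111111-1111-4111-8111-111111111111', 'AWS', 'Enabled', true),
    ('arn:aws:kms:us-east-1:111122223333:key/22222222-2222-4222-8222-222222222222', 'CUSTOMER', 'Enabled', false)
)
select
  f.file_system_id,
  f.region,
  case
    when not f.encrypted then 'not encrypted (cannot be fixed in place; recreate and migrate)'
    when k.key_manager = 'CUSTOMER' then 'customer managed key'
    when k.key_manager = 'AWS' then 'AWS managed key (aws/elasticfilesystem)'
    else 'encrypted, key not visible (other account or missing kms:DescribeKey)'
  end as at_rest_encryption,
  k.key_state,
  k.key_rotation_enabled,
  f.kms_key_id
from
  aws_efs_file_system as f
  left join aws_kms_key as k on k.arn = f.kms_key_id
where
  -- keep only file systems that fail the "customer managed key" bar
  not f.encrypted
  or k.key_manager is distinct from 'CUSTOMER'
order by
  f.encrypted,
  f.file_system_id;
```

On the sample rows this reports the unencrypted file system, the one on the AWS managed key and the one whose key cannot be resolved; the file system on a customer managed key is filtered out. The "not visible" branch matters in practice: a key in another account is legitimate, but it should be confirmed rather than treated as customer managed by default.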
Get the size of the data stored in each file system
Report the metered size of each file system, split into the Standard and Infrequent Access storage classes. This is useful for capacity planning and cost optimisation. The figure is the last metered value rather than a live one; the Timestamp field tells you when it was measured.
Postgres:

```sql
select
  file_system_id,
  size_in_bytes ->> 'Value' as data_size,
  size_in_bytes ->> 'Timestamp' as data_size_timestamp,
  size_in_bytes ->> 'ValueInIA' as data_size_infrequent_access_storage,
  size_in_bytes ->> 'ValueInStandard' as data_size_standard_storage
from
  aws_efs_file_system;
```

SQLite:

```sql
select
  file_system_id,
  json_extract(size_in_bytes, '$.Value') as data_size,
  json_extract(size_in_bytes, '$.Timestamp') as data_size_timestamp,
  json_extract(size_in_bytes, '$.ValueInIA') as data_size_infrequent_access_storage,
  json_extract(size_in_bytes, '$.ValueInStandard') as data_size_standard_storage
from
  aws_efs_file_system;
```
List file systems which have root access
Identify file systems whose policy explicitly grants elasticfilesystem:ClientRootAccess, which lets NFS clients act as root on the file system. Two points to keep in mind when reading the results: policy_std stores action names in lower case, so the comparison uses the lowercase form, and an exact match will not catch a wildcard such as elasticfilesystem:* that also grants root access. A file system with no policy at all does not appear here either, even though the default (no policy) gives any client that can reach a mount target full access, root included.
Postgres:

```sql
select
  title,
  p as principal,
  a as action,
  s ->> 'Effect' as effect,
  s -> 'Condition' as conditions
from
  aws_efs_file_system,
  jsonb_array_elements(policy_std -> 'Statement') as s,
  jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
  jsonb_array_elements_text(s -> 'Action') as a
where
  a in ('elasticfilesystem:clientrootaccess');
```

SQLite:

```sql
select
  title,
  json_extract(principal.value, '$') as principal,
  json_extract(action.value, '$') as action,
  json_extract(statement.value, '$.Effect') as effect,
  json_extract(statement.value, '$.Condition') as conditions
from
  aws_efs_file_system,
  json_each(policy_std, '$.Statement') as statement,
  json_each(json_extract(statement.value, '$.Principal.AWS')) as principal,
  json_each(json_extract(statement.value, '$.Action')) as action
where
  json_extract(action.value, '$') = 'elasticfilesystem:clientrootaccess';
```
List file systems that do not enforce encryption in transit
List file systems whose policy does not contain the statement that enforces TLS: an Effect Deny for principal * with the condition aws:SecureTransport = false. That is the statement the console's "Enforce in-transit encryption for all clients" option adds. File systems with no policy at all are also returned, since nothing then prevents a plain NFS mount without the TLS tunnel that the EFS mount helper sets up.
Postgres:

```sql
select
  title
from
  aws_efs_file_system
where
  title not in (
    select
      title
    from
      aws_efs_file_system,
      jsonb_array_elements(policy_std -> 'Statement') as s,
      jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
      jsonb_array_elements_text(s -> 'Action') as a,
      jsonb_array_elements_text(s -> 'Condition' -> 'Bool' -> 'aws:securetransport') as ssl
    where
      p = '*'
      and s ->> 'Effect' = 'Deny'
      and ssl :: bool = false
  );
```

SQLite (SQLite's JSON paths have no [*] wildcard, so the statements are unnested with json_each, mirroring the Postgres query):

```sql
select
  title
from
  aws_efs_file_system
where
  title not in (
    select
      f.title
    from
      aws_efs_file_system as f,
      json_each(f.policy_std, '$.Statement') as statement,
      json_each(json_extract(statement.value, '$.Principal.AWS')) as principal,
      json_each(json_extract(statement.value, '$.Condition.Bool.aws:securetransport')) as ssl
    where
      principal.value = '*'
      and json_extract(statement.value, '$.Effect') = 'Deny'
      and ssl.value = 'false'
  );
```
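The root-access and in-transit-encryption queries above each answer one question and both miss the file system with no policy. The query below is an added example, not part of the Steampipe docs or the plugin, that evaluates every file system once and returns three findings per row: no policy, anonymous root access (an unconditional Allow to principal * that names clientrootaccess or a wildcard covering it, with "no policy" counted as root access because that is the EFS default), and whether the TLS-enforcing Deny is present. It relies on the policy_std canonical form the page's own queries use (Statement, Principal.AWS and Action as arrays, lower-cased action names and condition keys). The aws_efs_file_system CTE holds constructed sample rows and shadows the real table so the query runs on plain Postgres; delete it to run against Steampipe.

```sql
-- Added example (not from the Steampipe docs). The CTE named aws_efs_file_system holds
-- constructed sample rows in the policy_std shape the table uses (Statement always a list,
-- Principal.AWS and Action as lists, action names and condition keys lower-cased);
-- it shadows the real table, so delete it to run the query against Steampipe.
with aws_efs_file_system(title, policy_std) as (
  values
    -- no policy: EFS treats this as full access for any client that can reach a mount target
    ('fs-no-policy', null::jsonb),
    -- anonymous root access, nothing forces TLS
    ('fs-root-to-all', '{"Statement":[{"Effect":"Allow","Principal":{"AWS":["*"]},"Action":["elasticfilesystem:clientmount","elasticfilesystem:clientwrite","elasticfilesystem:clientrootaccess"],"Resource":["*"]}]}'::jsonb),
    -- wildcard action covers clientrootaccess; TLS is enforced by the Deny
    ('fs-wildcard-action', '{"Statement":[{"Effect":"Allow","Principal":{"AWS":["*"]},"Action":["elasticfilesystem:*"],"Resource":["*"]},{"Effect":"Deny","Principal":{"AWS":["*"]},"Action":["*"],"Resource":["*"],"Condition":{"Bool":{"aws:securetransport":["false"]}}}]}'::jsonb),
    -- one named role, TLS required on the Allow and enforced by the Deny
    ('fs-hardened', '{"Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam::111122223333:role/app"]},"Action":["elasticfilesystem:clientmount","elasticfilesystem:clientwrite"],"Resource":["*"],"Condition":{"Bool":{"aws:securetransport":["true"]}}},{"Effect":"Deny","Principal":{"AWS":["*"]},"Action":["*"],"Resource":["*"],"Condition":{"Bool":{"aws:securetransport":["false"]}}}]}'::jsonb)
),
statements as (
  -- one row per policy statement; file systems without a policy produce no rows here
  select
    f.title,
    s ->> 'Effect' as effect,
    coalesce(s -> 'Principal' -> 'AWS', '[]'::jsonb) as aws_principals,
    coalesce(s -> 'Action', '[]'::jsonb) as actions,
    s -> 'Condition' as conditions
  from
    aws_efs_file_system as f,
    jsonb_array_elements(f.policy_std -> 'Statement') as s
),
findings as (
  select
    title,
    -- an unconditional Allow to principal "*" that includes root access, explicitly or via a wildcard
    bool_or(
      effect = 'Allow'
      and aws_principals ? '*'
      and (actions ? 'elasticfilesystem:clientrootaccess' or actions ? 'elasticfilesystem:*' or actions ? '*')
      and conditions is null
    ) as anonymous_root_access,
    -- the Deny-when-not-TLS statement that "Enforce in-transit encryption" adds
    bool_or(
      effect = 'Deny'
      and aws_principals ? '*'
      and coalesce(conditions -> 'Bool' -> 'aws:securetransport', '[]'::jsonb) ? 'false'
    ) as tls_enforced
  from
    statements
  group by
    title
)
select
  f.title,
  f.policy_std is null as no_file_system_policy,
  -- no policy means the default of full, unauthenticated access, so count it as root access
  coalesce(x.anonymous_root_access, f.policy_std is null) as anonymous_root_access,
  coalesce(x.tls_enforced, false) as tls_enforced
from
  aws_efs_file_system as f
  left join findings as x on x.title = f.title
order by
  f.title;
```

The sample rows are built so each path is exercised: fs-no-policy and fs-root-to-all come out with anonymous root access and no TLS enforcement, fs-wildcard-action shows that a wildcard action is caught while its Deny does enforce TLS, and fs-hardened is clean on both. An Allow that is narrowed by a Condition (for example to a specific access point) is deliberately not flagged as anonymous root access; review those statements by hand, since the page's root-access query lists their conditions.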
List file systems with automatic backups enabled
List file systems with automatic backups enabled, which is worth confirming for anything you would need to recover. The automatic_backups column reflects only the EFS-native setting (the AWS Backup default plan for EFS); a file system protected by a custom AWS Backup plan still reports 'disabled' here, so treat 'disabled' as a prompt to check AWS Backup rather than as proof that no backups exist.
```sql
select
  name,
  automatic_backups,
  arn,
  file_system_id
from
  aws_efs_file_system
where
  automatic_backups = 'enabled';
```
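Because automatic_backups says nothing about custom plans, a more useful check asks AWS Backup what it has actually backed up. The query below is an added example, not part of the Steampipe docs or the plugin. It assumes the aws_backup_protected_resource table exposes resource_arn, resource_type and last_backup_time for every resource AWS Backup has backed up at least once, and it uses a seven-day staleness threshold that is an assumption to adjust to your recovery point objective. Both CTEs are constructed sample rows that shadow the real tables so the query runs on plain Postgres; delete them to run it against Steampipe.

```sql
-- Added example (not from the Steampipe docs). Both CTEs are constructed sample rows
-- standing in for the real tables; delete them to run the query against Steampipe.
-- Assumption: aws_backup_protected_resource exposes resource_arn, resource_type and
-- last_backup_time for every resource AWS Backup has backed up at least once.
with aws_efs_file_system(file_system_id, arn, automatic_backups) as (
  values
    ('fs-0aaa1111', 'arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0aaa1111', 'enabled'),
    -- custom backup plan, so the EFS-native flag says disabled although backups exist
    ('fs-0bbb2222', 'arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0bbb2222', 'disabled'),
    -- automatic backups on, but the last recovery point is old (plan failing or detached)
    ('fs-0ccc3333', 'arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0ccc3333', 'enabled'),
    -- never backed up
    ('fs-0ddd4444', 'arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0ddd4444', 'disabled')
),
aws_backup_protected_resource(resource_arn, resource_type, last_backup_time) as (
  values
    ('arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0aaa1111', 'EFS', now() - interval '6 hours'),
    ('arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0bbb2222', 'EFS', now() - interval '20 hours'),
    ('arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0ccc3333', 'EFS', now() - interval '12 days')
)
select
  f.file_system_id,
  f.automatic_backups,
  p.last_backup_time,
  case
    when p.resource_arn is null then 'no recovery point on record'
    when p.last_backup_time < now() - interval '7 days' then 'stale: last backup older than 7 days'
    else 'ok'
  end as backup_status
from
  aws_efs_file_system as f
  left join aws_backup_protected_resource as p
    on p.resource_arn = f.arn
    and p.resource_type = 'EFS'
where
  -- report only file systems that need attention; the 7-day threshold is an assumption
  p.resource_arn is null
  or p.last_backup_time < now() - interval '7 days'
order by
  f.file_system_id;
```

On the sample rows, fs-0ccc3333 is reported as stale even though automatic backups are enabled, and fs-0ddd4444 as never backed up, while fs-0bbb2222 is not reported at all despite automatic_backups = 'disabled' because a custom plan has a recent recovery point. That is the distinction the two "backup plan" controls listed below are checking.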
Query examples
- efs_access_points_for_efs_file_system
- efs_file_system_1_year_count
- efs_file_system_24_hours_count
- efs_file_system_30_90_days_count
- efs_file_system_30_days_count
- efs_file_system_90_365_days_count
- efs_file_system_automatic_backup
- efs_file_system_automatic_backup_disabled_count
- efs_file_system_by_account
- efs_file_system_by_age
- efs_file_system_by_performance_mode
- efs_file_system_by_region
- efs_file_system_by_state
- efs_file_system_by_throughput_mode
- efs_file_system_count
- efs_file_system_encryption
- efs_file_system_encryption_disabled_count
- efs_file_system_input
- efs_file_system_mount_targets
- efs_file_system_overview
- efs_file_system_performance_mode
- efs_file_system_size_in_bytes
- efs_file_system_table
- efs_file_system_tags
- efs_file_system_throughput_mode
- efs_file_systems_for_ecs_task_definition
- efs_mount_targets_for_efs_file_system
- kms_keys_for_efs_file_system
- vpc_security_groups_for_efs_file_system
- vpc_subnets_for_efs_file_system
- vpc_vpcs_for_efs_file_system
Control examples
- All Controls > EFS > EFS file systems should enforce SSL
- All Controls > EFS > EFS file systems should restrict public access
- AWS Foundational Security Best Practices > EFS > 1 Amazon EFS should be configured to encrypt file data at rest using AWS KMS
- AWS Foundational Security Best Practices > EFS > 2 Amazon EFS volumes should be in backup plans
- CIS v1.5.0 > 2 Storage > 2.4 Elastic File System (EFS) > 2.4.1 Ensure that encryption is enabled for EFS file systems
- CIS v2.0.0 > 2 Storage > 2.4 Elastic File System (EFS) > 2.4.1 Ensure that encryption is enabled for EFS file systems
- CIS v3.0.0 > 2 Storage > 2.4 Elastic File System (EFS) > 2.4.1 Ensure that encryption is enabled for EFS file systems
- EFS file system encryption at rest should be enabled
- EFS file systems should be encrypted with CMK
- EFS file systems should be in a backup plan
- EFS file systems should be protected by backup plan
Schema for aws_efs_file_system
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
arn | text | | The Amazon Resource Name (ARN) for the EFS file system. |
automatic_backups | text | | Whether automatic backups are enabled for the file system ('enabled' or 'disabled'). Automatic backups use a default backup plan with the AWS Backup recommended settings. |
availability_zone_id | text | | The unique and consistent identifier of the Availability Zone in which the file system is located; valid only for One Zone file systems. |
availability_zone_name | text | | The name of the Availability Zone in which the file system is located; valid only for One Zone file systems. |
creation_time | timestamp with time zone | | The time that the file system was created. |
creation_token | text | = | The opaque string specified in the request. |
encrypted | boolean | | A Boolean value that, if true, indicates that the file system is encrypted at rest. |
file_system_id | text | = | The ID of the file system, assigned by Amazon EFS. |
kms_key_id | text | | The ID of the AWS Key Management Service (AWS KMS) key (formerly called a customer master key, CMK) used to protect the encrypted file system. |
life_cycle_state | text | | The lifecycle phase of the file system. |
name | text | | Name of the file system provided by the user. |
number_of_mount_targets | bigint | | The current number of mount targets that the file system has. |
owner_id | text | | The AWS account that created the file system. |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
performance_mode | text | | The performance mode of the file system. |
policy | jsonb | | The JSON formatted FileSystemPolicy for the EFS file system. |
policy_std | jsonb | | The policy in a canonical form for easier searching. |
provisioned_throughput_in_mibps | double precision | | The throughput, measured in MiB/s, provisioned for the file system. |
region | text | | The AWS Region in which the resource is located. |
replication_overwrite_protection | text | | The status of the file system's replication overwrite protection. |
size_in_bytes | jsonb | | The latest known metered size (in bytes) of data stored in the file system. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
tags | jsonb | | A map of tags for the resource. |
tags_src | jsonb | | A list of tags associated with the file system. |
throughput_mode | text | | The throughput mode for the file system. |
title | text | | Title of the resource. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
```

As with any installer piped from the network into a shell, download the script and read it first if your environment requires that.

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_aws --config '<your_config>' aws_efs_file_system
```