In this post we review how to understand and visualize who is accessing your EFS, and how to use that information for troubleshooting, cost allocation and system design.
What is Elastic File System (EFS)?
Amazon Elastic File System (Amazon EFS) provides simple, scalable file storage for use with Amazon EC2 instances in the AWS Cloud. Amazon EFS is easy to use and offers a simple interface that allows you to create and configure file systems quickly and easily. With Amazon EFS, storage capacity is elastic, growing and shrinking automatically as you add and remove files, so your applications have the storage they need, when they need it.
Here is a deceptively simple question:
Who is accessing my EFS? Who accessed it in the last three days? That sounds like a reasonable thing to ask. In reality, however, it is one of the most difficult questions to answer. In this post we look at why this question is important, why it is difficult to answer, and how you can actually address it.
Is this question important?
The short answer is: absolutely! The reasons start with simple security concerns, continue through compliance and governance, and go all the way to regulatory requirements such as HIPAA and Sarbanes–Oxley (depending on your industry). Another important reason is troubleshooting. Whenever something goes wrong, the question of who is using a certain resource comes up regularly. Not having an efficient way to answer these questions means you are going to spend an unreasonable amount of time calling people into a room to try and figure that out. And lastly there is cost: being able to easily associate a resource cost (EFS in this case) with a client (e.g. an EC2 mount).
Why is this question hard to answer?
Configuring EFS is done in a few places. It starts with provisioning the EFS File-System, continues with setting up one or more mount-targets in the VPC (in the right Availability Zone), and ends with connecting to your Amazon EC2 instance and mounting the EFS File-System on it. Once that is completed, there are 3 ways to answer this question:
- Ask the engineers (good luck!)
- Use a tool that deploys an agent on every EC2 instance (which is very intrusive)
- Use ITculate, an agent-less solution, to gather the information, visualize and report
In the following example, we found out that the Test EC2 instance was accessing the EFS File-System. This was a serious breach, as the images were patient radiology images, leading to a HIPAA requirements exposure.
How about Price and Availability Zone?
- Enabling the Predict-Price layer shows the predicted monthly price of each resource
- Enabling the Availability-Zone layer shows that one of the EFS configurations has mount targets in only 2 zones (us-east-1b and us-east-1c), while the Auto-Scaling-Group has instances in 3 zones (us-east-1b, us-east-1c and us-east-1d)
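The Availability-Zone mismatch described above can also be checked directly from AWS API output. The following is an added example, not ITculate code and not part of the original post: it assumes the field names returned by DescribeMountTargets and DescribeAutoScalingGroups, and all IDs and the function name are constructed placeholders.

```python
# Added example, not ITculate code. Field names follow the AWS
# DescribeMountTargets and DescribeAutoScalingGroups responses;
# every ID below is a constructed placeholder.

def az_coverage_gaps(mount_targets, asg):
    """Map each ASG zone lacking a usable mount target to its instance IDs."""
    # Only mount targets in the "available" state can serve NFS clients.
    covered = {
        mt["AvailabilityZoneName"]
        for mt in mount_targets
        if mt.get("LifeCycleState") == "available"
    }
    gaps = {}
    for zone in asg["AvailabilityZones"]:
        if zone not in covered:
            gaps[zone] = sorted(
                inst["InstanceId"]
                for inst in asg.get("Instances", [])
                if inst["AvailabilityZone"] == zone
            )
    return gaps


# Constructed sample mirroring the layout described in the post.
SAMPLE_MOUNT_TARGETS = [
    {"MountTargetId": "fsmt-example1", "AvailabilityZoneName": "us-east-1b",
     "LifeCycleState": "available"},
    {"MountTargetId": "fsmt-example2", "AvailabilityZoneName": "us-east-1c",
     "LifeCycleState": "available"},
]
SAMPLE_ASG = {
    "AutoScalingGroupName": "example-asg",
    "AvailabilityZones": ["us-east-1b", "us-east-1c", "us-east-1d"],
    "Instances": [
        {"InstanceId": "i-example-b", "AvailabilityZone": "us-east-1b"},
        {"InstanceId": "i-example-c", "AvailabilityZone": "us-east-1c"},
        {"InstanceId": "i-example-d", "AvailabilityZone": "us-east-1d"},
    ],
}

if __name__ == "__main__":
    for zone, instances in az_coverage_gaps(SAMPLE_MOUNT_TARGETS, SAMPLE_ASG).items():
        print(f"{zone}: no available mount target; instances affected: {instances}")
```

In practice the two inputs would come from `aws efs describe-mount-targets` and `aws autoscaling describe-auto-scaling-groups` rather than the inline sample.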
With ITculate it is simple to understand how resources are connected to each other (e.g. the EFS). This is very important for regulatory and compliance requirements but has many other uses. Knowing who is using the EFS also helps with understanding cost structure, troubleshooting and improving the system design.
ITculate.io provides a monitoring solution for DevOps environments. ITculate’s solution captures not only raw and custom metrics but also the architecture of the customer’s environment. ITculate’s core technology tracks relationships between and within services. Understanding the relationships allows ITculate to provide context to the user. It also allows for better visualization and enables much faster troubleshooting. ITculate provides a more intuitive way of exploring data and dramatically improves the user experience of monitoring. Please check us out at ITculate.io to learn more!