
Mounting EFS File System with APIsec Scanner Deployed on AWS Fargate

This guide walks you through mounting an AWS Elastic File System (EFS) into a container running in ECS on Fargate, with step-by-step instructions and screenshots.



Overview

Amazon EFS provides scalable file storage that can be mounted into containers running in ECS. This guide shows you how to:
  - Create an EFS file system.
  - Configure an ECS task definition to mount EFS.
  - Update your ECS service to use EFS.


Prerequisites

Before starting, ensure you have:
- An AWS Account.
- ECS Cluster set up with Fargate.
- EFS created in the same region as your ECS cluster.
- Proper IAM Role permissions.


Step 1: Create an EFS File System

  1. Go to the AWS Console and navigate to EFS (Elastic File System).

[Screenshot: EFS Dashboard]

  2. Create a new EFS file system by clicking the Create file system button.

  3. Select the VPC in which your ECS cluster is running.

[Screenshot: Create EFS]

  4. Configure Network and Mount Targets:
    • Click the Customize button to configure Regional or One Zone storage, the network and the other settings.
    • Select the appropriate Availability Zones and subnets. Regional is recommended for high availability.
    • For each subnet, choose a security group that allows NFS access (port 2049).

[Screenshot: Network & Mount]

  5. Configure Access Points and Security Groups so that the EFS can be reached by your ECS tasks:
    • Set up the access point and note down the File System ID.
    • Attach a security group that allows NFS traffic (port 2049) from the VPC CIDR range (for example 172.31.0.0/16) or from the security group ID of the Fargate task/service, so the Fargate tasks can reach the mount targets over NFS.
    • To keep things simple, create the EFS in the same VPC as the Fargate tasks/services and reuse the same security group.

[Screenshot: EFS Access Point]

  6. Inbound rules:
    • Go to Security Groups.
    • Click on your Security Group ID.
    • Edit the inbound rules.

  7. Outbound rules:
    • Edit the outbound rules.

Add any other rules that your other services need in order to communicate.

  8. VPC settings:
    • Go to the VPC console.
    • Select your VPC.
    • Click on Edit VPC Settings.

Make sure the following options are enabled in the VPC settings:
  - DNS resolution
  - DNS hostnames
  - DHCP option set
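As an added example (not part of the original guide), the following Python checks whether the security group on an EFS mount target admits NFS (tcp/2049) from a Fargate task, using the IpPermissions shape returned by `aws ec2 describe-security-groups`, and flags NFS rules that are wider than a VPC-sized range. The rules, security group ID, task IP and the /16 threshold are constructed assumptions.

```python
# Added example, not from the APIsec guide: does the EFS mount target's security group admit
# NFS (tcp/2049) from the Fargate task?  Rules use the IpPermissions shape returned by
# `aws ec2 describe-security-groups`; every id, CIDR and address below is a constructed sample.
import ipaddress

NFS_PORT = 2049

def _covers_nfs(rule):
    """True if the rule's protocol/port range includes tcp/2049."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                       # all traffic; no port fields are present
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= NFS_PORT <= rule.get("ToPort", 65535)

def nfs_reachable(ip_permissions, task_sg_id, task_ip):
    """Return (allowed, reason): is NFS admitted from the task's security group or private IP?"""
    ip = ipaddress.ip_address(task_ip)
    for rule in ip_permissions:
        if not _covers_nfs(rule):
            continue
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == task_sg_id:
                return True, f"source security group {task_sg_id}"
        for rng in rule.get("IpRanges", []):
            if ip in ipaddress.ip_network(rng["CidrIp"], strict=False):
                return True, f"CIDR {rng['CidrIp']}"
    return False, "no tcp/2049 rule matches the task"

def overly_broad_nfs_rules(ip_permissions, min_prefixlen=16):
    """CIDRs that open NFS wider than a VPC-sized range (assumed threshold: wider than /16)."""
    broad = []
    for rule in ip_permissions:
        if not _covers_nfs(rule):
            continue
        for rng in rule.get("IpRanges", []):
            if ipaddress.ip_network(rng["CidrIp"], strict=False).prefixlen < min_prefixlen:
                broad.append(rng["CidrIp"])
    return broad

# Constructed sample: the EFS security group from Step 1, allowing NFS from the VPC CIDR only
SAMPLE_EFS_SG_RULES = [
    {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
     "IpRanges": [{"CidrIp": "172.31.0.0/16"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
]
```

Feed it the `IpPermissions` array of the mount target's security group and the task's ENI address from the ECS console to confirm the path before launching the service.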


Step 2: Configure ECS Task Definition to Mount EFS

  1. Open ECS Task Definitions in the AWS Console.

  2. Create a new task definition, or edit the existing one to create a new revision:
    • Select Elastic File System (EFS).
    • Give the task definition a name.
    • Choose AWS Fargate as the launch type.
    • Set Task memory and Task CPU based on your application's requirements (1 vCPU and 2 GB memory recommended).

  3. In the Container section, enter any container name and the image URI apisec/scanner:latest, then add the environment variables below:
    • FX_HOST=scanner.apisec.ai
    • FX_PORT=443
    • FX_IAM=<FX_IAM>
    • FX_KEY=<FX_KEY>
    For the values of FX_IAM and FX_KEY, see the scanner page in the APIsec product UI: https://cloud.apisec.ai/#/app/scanners/list

  4. Configure Volume:
    • Provide a volume name and choose your EFS file system.
    • Select Volume Type as NFS.
    • Select the File System ID from the dropdown.
    • Set the Root Directory to /mnt/efs.

  5. Click the Create button.
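As an added example (not from the APIsec guide), here is the task definition that the console steps above produce, built as a Python dict you can dump to JSON for `aws ecs register-task-definition --cli-input-json`, plus an audit of its EFS and credential settings. It assumes placeholder file system, access point, task role and Secrets Manager ARNs, and injects FX_IAM/FX_KEY through the task definition's `secrets` field rather than as plaintext environment values.

```python
# Added example, not from the APIsec guide: the task definition the console steps above
# produce, as a dict for `aws ecs register-task-definition --cli-input-json`, plus an audit.
# File system id, access point id, role ARN and Secrets Manager ARNs are assumed placeholders.
def build_task_definition(fs_id, access_point_id, fx_iam_arn, fx_key_arn):
    return {
        "family": "apisec-scanner",
        "requiresCompatibilities": ["FARGATE"],
        "networkMode": "awsvpc",
        "cpu": "1024", "memory": "2048",          # 1 vCPU / 2 GB, as recommended above
        "taskRoleArn": "arn:aws:iam::123456789012:role/PLACEHOLDER-efs-client-role",
        "volumes": [{
            "name": "efs-scripts",
            "efsVolumeConfiguration": {
                "fileSystemId": fs_id,
                "rootDirectory": "/",                  # must be "/" when an access point is used
                "transitEncryption": "ENABLED",        # NFS traffic wrapped in TLS
                "authorizationConfig": {"accessPointId": access_point_id, "iam": "ENABLED"},
            },
        }],
        "containerDefinitions": [{
            "name": "apisec-scanner",
            "image": "apisec/scanner:latest",
            "essential": True,
            "mountPoints": [{"sourceVolume": "efs-scripts", "containerPath": "/mnt/efs"}],
            "environment": [{"name": "FX_HOST", "value": "scanner.apisec.ai"},
                            {"name": "FX_PORT", "value": "443"}],
            # credentials pulled from Secrets Manager at launch instead of plaintext env values
            "secrets": [{"name": "FX_IAM", "valueFrom": fx_iam_arn},
                        {"name": "FX_KEY", "valueFrom": fx_key_arn}],
        }],
    }

def audit_task_definition(td):
    """Findings for EFS volumes lacking TLS/IAM authz and for scanner credentials in plain env."""
    findings = []
    for vol in td.get("volumes", []):
        cfg = vol.get("efsVolumeConfiguration") or {}
        if not cfg:
            continue
        if cfg.get("transitEncryption") != "ENABLED":
            findings.append(f"volume {vol['name']}: transit encryption not enabled")
        if cfg.get("authorizationConfig", {}).get("iam") != "ENABLED":
            findings.append(f"volume {vol['name']}: IAM authorization not enabled")
    for c in td.get("containerDefinitions", []):
        for env in c.get("environment", []):
            if env["name"] in ("FX_IAM", "FX_KEY"):
                findings.append(f"container {c['name']}: {env['name']} set as plaintext environment variable")
    return findings
```

With IAM authorization enabled, the task role named in `taskRoleArn` also needs EFS client permissions (ClientMount and ClientWrite on the file system), or the mount fails at task start.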

Step 3: Place the Script inside the EFS

  1. Access EFS via an EC2 instance:
    • Launch an EC2 instance in the same VPC as your Fargate tasks, with a security group that allows NFS access.
    • SSH into the EC2 instance.

  2. Mount the EFS file system on the EC2 instance:
    • Install the NFS client on the EC2 instance:

      ```bash
      sudo yum install -y nfs-utils        # Amazon Linux
      sudo apt-get install -y nfs-common   # Ubuntu/Debian
      ```

    • Mount the EFS file system:

      ```bash
      sudo mkdir -p /mnt/efs
      sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport \
        fs-<EFS-File-System-ID>.efs.<region>.amazonaws.com:/ /mnt/efs
      ```

  3. Copy your script to the EFS file system:
    • Upload your script to the mounted EFS directory:

      ```bash
      sudo cp /path/to/your-script.sh /mnt/efs/
      ```

  4. Unmount the EFS once the file is copied:

      ```bash
      sudo umount /mnt/efs
      ```

Step 4: Deploy ECS Fargate Service

  1. Create a new service or update an existing one:
    • Go to the ECS console.
    • Select Clusters and choose your cluster.
    • Create a new service, or update an existing one, to use the task definition with the EFS mount created in Step 2.
    • Click Create to launch the Fargate service with your task definition.

Troubleshooting

If you encounter issues, consider the following:
  - Check EFS security groups: ensure that the security groups associated with the Fargate tasks and the EFS mount targets allow traffic on port 2049 (NFS).
  - Task role permissions: ensure your Fargate task role has the permissions needed to use EFS (if using IAM authorization).
  - Container logs: use the ECS task logs to troubleshoot any issues with the EFS mount in the Fargate task.


Conclusion

You’ve successfully mounted an AWS EFS to an ECS service. This setup allows your ECS tasks to share data across multiple containers or persist data using EFS.

If you have any questions or run into issues, please consult the AWS EFS Documentation or AWS ECS Documentation.