How do I see a list of my Amazon EC2 instances that are connected to Amazon EFS?


I want to see a list of my Amazon Elastic Compute Cloud (Amazon EC2) instances that I mounted an Amazon Elastic File System (Amazon EFS) file system on.

Short description

To identify the clients, use Amazon Virtual Private Cloud (Amazon VPC) Flow Logs to record the traffic on the elastic network interface of each Amazon EFS mount target. Publish the flow logs to Amazon CloudWatch Logs. Then, use CloudWatch Logs Insights to filter the flow log records for NFS traffic (TCP port 2049) to the mount targets' network interfaces during the time range that you choose. The source addresses in those records are the Amazon EC2 instances that mounted the EFS file system during that time range.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Create a log group

Complete the following steps:

  1. Open the CloudWatch console.
  2. In the navigation pane, choose Logs, and then choose Log groups.
  3. Choose Create log group.
  4. For Log group name, enter a name, and for Retention setting, enter a retention setting.
    (Optional) You can add an AWS Key Management Service (AWS KMS) key ARN and tags.
  5. Choose Create.

Create an IAM role with permissions to publish flow logs to CloudWatch Logs

Complete the following steps:

  1. Open the Identity and Access Management (IAM) console.
  2. In the navigation pane, under Access management, choose Roles.
  3. Choose Create role, and then create a new IAM role.
  4. In the role's permissions policy, allow the CloudWatch Logs actions that flow logs need: logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogGroups, and logs:DescribeLogStreams. In the role's trust policy, allow the service principal vpc-flow-logs.amazonaws.com to perform sts:AssumeRole so that the VPC Flow Logs service can assume the role.

Get the list of network interfaces that the mount target of your EFS file system uses

Note: An Amazon EFS file system has at most one mount target in each Availability Zone, and each mount target has its own elastic network interface. You must create a flow log for every mount target's network interface, or clients in that Availability Zone won't appear in the results.

Complete the following steps:

  1. Open the Amazon EFS console.
  2. Under File systems, select your EFS file system, and then choose View details.
  3. Choose Network, and then note the network interface ID for each mount target.

Create the flow logs

Complete the following steps:

  1. Open the Amazon EC2 console.
  2. Choose Network & Security, and then choose Network Interfaces.
  3. Select all the network interfaces that you noted for the mount targets.
  4. On the Actions menu, choose Create flow log. Enter the following values:
    (Optional) For Name, enter a flow log name.
    For Filter, choose All.
    For Maximum aggregation interval, choose either the default 10 minutes or 1 minute.
    For Destination, choose Send to CloudWatch logs.
    For Destination log group, select your log group.
    For IAM role, select your IAM role.
    For Log record format, choose either AWS default format or Custom format.
    (Optional) For Tags, add tags.
  5. Choose Create.
  6. To monitor the flow log status, select your network interface, and then choose Flow logs. Verify that the Status is Active.

The first flow log records are published to CloudWatch Logs after approximately 10 minutes.

Verify that the flow logs are in CloudWatch Logs

Complete the following steps:

  1. Open the CloudWatch console.
  2. In the navigation pane, choose Log groups.
  3. For Log groups, select your log group.
  4. Verify that all the log streams appear. Each network interface has its own log stream, named after the interface ID (for example, eni-1234567890abcdef0-all).

Use CloudWatch Logs Insights to run a query

Complete the following steps:

  1. Open the CloudWatch console.
  2. In the navigation pane, choose Logs, and then choose Logs Insights.
  3. From the dropdown menu, select your log group.
  4. Choose the duration that you want to review the flow logs for: 5m, 30m, 1h, 3h, 12h, or Custom.
  5. Run the following query:
    fields @timestamp, @message | filter dstPort="2049" | stats count(*) as FlowLogEntries by srcAddr | sort FlowLogEntries desc

The preceding query reviews the flow logs of all mount targets in the log group. The query keeps only the records whose destination port is 2049, because Amazon EFS clients connect to mount targets on NFS port 2049. It then groups the remaining records by source IP address (the Amazon EFS client IP addresses) and sorts the addresses by the number of flow log entries, so the most active clients appear first.

The query output contains the private IP addresses of the EC2 instances that you mounted an EFS file system on during the selected time range. Two caveats apply. First, the list contains every NFS client that reached the mount targets, so addresses that belong to containers, AWS Lambda functions, or on-premises clients connected through AWS Direct Connect or VPN also appear. Second, because the flow log Filter is set to All, rejected connections are counted too; add "| filter action = \"REJECT\"" to the query to find clients that tried to mount the file system but were blocked by the mount target's security group. To map a private IP address to an instance ID, run "aws ec2 describe-instances --filters Name=network-interface.addresses.private-ip-address,Values=10.0.1.10" with your address.
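To make explicit what the Logs Insights query counts, the following added example (not code from the AWS article) reproduces the same filter, grouping, and sort in Python over VPC flow log records in the AWS default format. The records, account ID, interface IDs, and addresses are constructed sample data. It also separates accepted from rejected NFS flows, which the article's query lumps together.

```python
"""Reproduce the Logs Insights query
    filter dstPort="2049" | stats count(*) as FlowLogEntries by srcAddr | sort FlowLogEntries desc
over VPC flow log lines in the AWS default format (constructed sample data)."""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Field order of the AWS default (version 2) flow log record format.
DEFAULT_FIELDS = (
    "version account-id interface-id srcaddr dstaddr srcport dstport "
    "protocol packets bytes start end action log-status"
).split()

NFS_PORT = 2049

# Constructed sample: two mount-target ENIs, three accepted NFS clients, one
# client rejected by the mount target's security group, one unrelated SSH
# record the filter must ignore, and one NODATA record with no addresses.
SAMPLE_RECORDS = """\
2 123456789012 eni-0aaa1111 10.0.1.10 10.0.1.200 45212 2049 6 30 5200 1643127618 1643127678 ACCEPT OK
2 123456789012 eni-0aaa1111 10.0.1.10 10.0.1.200 45212 2049 6 12 1800 1643127678 1643127738 ACCEPT OK
2 123456789012 eni-0aaa1111 10.0.1.11 10.0.1.200 45300 2049 6 8 1200 1643127618 1643127678 ACCEPT OK
2 123456789012 eni-0bbb2222 10.0.2.20 10.0.2.200 51000 2049 6 40 7000 1643127618 1643127678 ACCEPT OK
2 123456789012 eni-0bbb2222 10.0.2.30 10.0.2.200 51001 2049 6 1 60 1643127618 1643127678 REJECT OK
2 123456789012 eni-0aaa1111 10.0.1.50 10.0.1.200 40000 22 6 3 180 1643127618 1643127678 REJECT OK
2 123456789012 eni-0aaa1111 - - - - - - - 1643127618 1643127678 - NODATA
"""


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    dstport: Optional[int]
    action: str
    log_status: str


def parse_record(line: str) -> FlowRecord:
    """Parse one default-format flow log line into the fields the query uses."""
    parts = line.split()
    if len(parts) != len(DEFAULT_FIELDS):
        raise ValueError(f"expected {len(DEFAULT_FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(DEFAULT_FIELDS, parts))
    # NODATA / SKIPDATA records carry "-" instead of ports and addresses.
    dstport = None if rec["dstport"] == "-" else int(rec["dstport"])
    return FlowRecord(rec["interface-id"], rec["srcaddr"], rec["dstaddr"],
                      dstport, rec["action"], rec["log-status"])


def nfs_clients(lines: Iterable[str], action: Optional[str] = "ACCEPT") -> List[Tuple[str, int]]:
    """Count flow log records with dstport 2049 per source address, most active first.

    `action` narrows the count to ACCEPT or REJECT flows; pass None to count both,
    which is what the article's query does.
    """
    counts: Counter = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.log_status != "OK" or rec.dstport != NFS_PORT:
            continue
        if action is not None and rec.action != action:
            continue
        counts[rec.srcaddr] += 1
    # Sort by count descending, then by address so the output is stable.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    lines = SAMPLE_RECORDS.splitlines()
    print(f"{'srcAddr':16} FlowLogEntries")
    for addr, n in nfs_clients(lines):
        print(f"{addr:16} {n}")
    print("rejected NFS clients:", nfs_clients(lines, action="REJECT"))
```

Running the block lists 10.0.1.10, 10.0.1.11, and 10.0.2.20 as accepted NFS clients and 10.0.2.30 as a client whose mount attempt was rejected; the SSH record and the NODATA record are ignored. The same distinction applies to the real query: a source address that appears only with action REJECT never mounted the file system.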

Example query output:

  #    srcAddr          FlowLogEntries
  1    111.22.33.44     78
  2    111.55.66.77     36
  3    111.88.99.000    33

Use the AWS CLI to run a query

After you set up the VPC flow log, use the start-query AWS CLI command to run the query.

First, install jq if it isn't already installed. For example, on Amazon Linux:

yum install -y jq

Then, run the start-query command:

aws logs start-query \
  --log-group-name EFS-ENI-Flowlogs \
  --start-time 1643127618 \
  --end-time 1643128901 \
  --query-string 'filter dstPort="2049" | stats count(*) as FlowLogEntries by srcAddr | sort FlowLogEntries desc' \
  > test.json && sleep 10 && jq -r .queryId test.json | xargs aws logs get-query-results --query-id

Set the following parameters:

  • For log-group-name, enter your log group name.
  • For start-time and end-time, enter your start and end times.
    Note: These values are in Unix Epoch time (seconds since 1970-01-01T00:00:00Z). For example, 1643127618 is 2022-01-25T16:20:18Z. To convert a readable timestamp with GNU date, run date -u -d '2022-01-25T16:20:18Z' +%s; to convert the other way, run date -u -d @1643127618.
  • (Optional) For test.json, you can change the json file name each time you run the command. When you change the name, the previous output isn't merged with the new output.
  • For sleep, set the number of seconds to wait before the results are fetched. The query runs asynchronously, so if the get-query-results output shows a status of Running or Scheduled instead of Complete, the results are incomplete: increase the sleep time, or run get-query-results again with the same query ID until the status is Complete.

Note: The query reports only the clients that sent NFS traffic to the mount targets during the selected time range. To get a current list of clients that mount Amazon EFS, run a new query over a recent time range.
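The fixed sleep in the AWS CLI pipeline above is the fragile part: a query over a large log group can still be Running after 10 seconds. The following added example (not code from the AWS article) runs the same query with boto3, polls until the query reaches a terminal status, and then maps each source address to an EC2 instance ID. The log group name EFS-ENI-Flowlogs, the 24-hour window, and the availability of boto3 with credentials for the account that owns the instances are assumptions; results_to_rows is a hypothetical helper.

```python
"""Run the EFS client query with boto3, wait for completion, and resolve
addresses to instance IDs (added example; boto3 and credentials assumed)."""
import time
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

QUERY = (
    'filter dstPort="2049" '
    "| stats count(*) as FlowLogEntries by srcAddr "
    "| sort FlowLogEntries desc"
)

# Statuses after which Logs Insights will not change the result set.
TERMINAL_STATUSES = {"Complete", "Failed", "Cancelled", "Timeout", "Unknown"}


def results_to_rows(results) -> List[Tuple[str, int]]:
    """Flatten get-query-results output, a list of rows where each row is a
    list of {"field": ..., "value": ...} cells, into (srcAddr, count) tuples."""
    rows = []
    for row in results:
        cells = {cell["field"]: cell["value"] for cell in row}
        rows.append((cells["srcAddr"], int(cells["FlowLogEntries"])))
    return rows


def run_query(logs, log_group: str, start: datetime, end: datetime,
              poll_seconds: float = 2.0, timeout_seconds: float = 300.0) -> List[Tuple[str, int]]:
    """Start the Logs Insights query and poll until it finishes, instead of
    sleeping for a fixed interval and hoping the query is done."""
    query_id = logs.start_query(
        logGroupName=log_group,
        startTime=int(start.timestamp()),  # epoch seconds, as in the CLI command
        endTime=int(end.timestamp()),
        queryString=QUERY,
    )["queryId"]
    deadline = time.monotonic() + timeout_seconds
    while True:
        resp = logs.get_query_results(queryId=query_id)
        if resp["status"] in TERMINAL_STATUSES:
            break
        if time.monotonic() > deadline:
            logs.stop_query(queryId=query_id)
            raise TimeoutError(f"query {query_id} still {resp['status']} after {timeout_seconds}s")
        time.sleep(poll_seconds)
    if resp["status"] != "Complete":
        raise RuntimeError(f"query {query_id} ended with status {resp['status']}")
    return results_to_rows(resp["results"])


def instances_for_addresses(ec2, addresses: List[str]) -> Dict[str, Optional[str]]:
    """Map private IPv4 addresses to instance IDs in the current account and
    Region. Addresses with no match (containers on another ENI, Lambda, clients
    in a peered VPC or on premises) map to None rather than being dropped."""
    mapping: Dict[str, Optional[str]] = {addr: None for addr in addresses}
    if not addresses:
        return mapping
    # This filter matches primary and secondary private addresses; the plain
    # "private-ip-address" filter only matches the primary address.
    pages = ec2.get_paginator("describe_instances").paginate(
        Filters=[{"Name": "network-interface.addresses.private-ip-address", "Values": addresses}]
    )
    for page in pages:
        for reservation in page["Reservations"]:
            for inst in reservation["Instances"]:
                for nic in inst.get("NetworkInterfaces", []):
                    for pip in nic.get("PrivateIpAddresses", []):
                        if pip["PrivateIpAddress"] in mapping:
                            mapping[pip["PrivateIpAddress"]] = inst["InstanceId"]
    return mapping


if __name__ == "__main__":
    import boto3  # assumed to be installed and configured with credentials

    logs = boto3.client("logs")
    ec2 = boto2 = boto3.client("ec2")
    end = datetime.now(timezone.utc)
    start = end - timedelta(hours=24)  # assumed window; adjust to your needs
    rows = run_query(logs, "EFS-ENI-Flowlogs", start, end)
    owners = instances_for_addresses(ec2, [addr for addr, _ in rows])
    print(f"{'srcAddr':16} {'FlowLogEntries':>14}  instance")
    for addr, n in rows:
        print(f"{addr:16} {n:>14}  {owners[addr] or '(no matching instance in this account/Region)'}")
```

Because the query only ever sees traffic in the chosen window, a client that mounted the file system but was idle during those 24 hours does not appear; widen the window, or schedule this script to run regularly and merge its output, if you need a complete inventory.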

AWS OFFICIAL. Updated 10 months ago.