This check evaluates each FSx for Windows File Server file system for Multi-AZ deployment. A file system passes when its SubnetIds contain more than one subnet, in different Availability Zones, which is the configuration of a MULTI_AZ_1 deployment; a Single-AZ file system has a single subnet and fails.
Risk
A Single-AZ deployment makes the file system a single point of failure: an Availability Zone outage, a file server failure, or planned maintenance can take the file share offline for an extended period, impacting availability. An unclean crash may leave data inconsistent, threatening integrity, and recovery may depend on restoring from backups, lengthening RTO and RPO.
prowler aws --checks fsx_windows_file_system_multi_az_enabled
Recommendation
Prefer the MULTI_AZ_1 deployment type for production workloads to maintain high availability and avoid AZ-level single points of failure. Design for resilience: tolerate the loss of an AZ, capacity-plan for failover, and test failover regularly. If Single-AZ is unavoidable, limit it to noncritical workloads or workloads the application itself replicates, and keep frequent, verified backups.
Remediation
- The deployment type of an existing file system cannot be changed in place, so create a replacement: in the AWS Console, go to FSx > Create file system > Amazon FSx for Windows File Server
- Set Deployment type to Multi-AZ
- Select two Subnets in different Availability Zones and choose the preferred subnet (where the active file server runs)
- Set the storage capacity and throughput the workload requires and Create
- Migrate data to the new file system (for example with DFS Replication, see the DFS-R reference below) and repoint clients to its DNS name
- Delete the old Single-AZ file system once the migration is verified
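The following Python script is an added example covering both the check logic described at the top of this page and the remediation steps above; it is not Prowler's check code or AWS's own tooling. It evaluates file systems the way the check does (SubnetIds resolving to more than one Availability Zone) and builds the create_file_system request for a MULTI_AZ_1 replacement, validating up front what the API would reject (two subnets, in different AZs, a PreferredSubnetId drawn from them). All file system IDs, subnet IDs, AZ names and response fragments are constructed samples in the shape of the FSx DescribeFileSystems and EC2 DescribeSubnets responses, so it runs offline; the boto3 call is shown in a comment only.

```python
"""Added example (not Prowler's or AWS's code): evaluate FSx for Windows file
systems for Multi-AZ deployment and build a MULTI_AZ_1 replacement request.
All IDs and API fragments below are constructed samples."""

# Constructed sample in the shape of FSx DescribeFileSystems (fields used only).
SAMPLE_FILE_SYSTEMS = [
    {   # Single-AZ: one subnet, should FAIL
        "FileSystemId": "fs-0123456789abcdef0", "FileSystemType": "WINDOWS",
        "StorageCapacity": 32, "StorageType": "SSD", "SubnetIds": ["subnet-0aaa"],
        "WindowsConfiguration": {"DeploymentType": "SINGLE_AZ_2",
                                 "ThroughputCapacity": 32,
                                 "ActiveDirectoryId": "d-9067012345"},
    },
    {   # Multi-AZ: two subnets in different AZs, should PASS
        "FileSystemId": "fs-0fedcba9876543210", "FileSystemType": "WINDOWS",
        "StorageCapacity": 32, "StorageType": "SSD",
        "SubnetIds": ["subnet-0aaa", "subnet-0bbb"],
        "WindowsConfiguration": {"DeploymentType": "MULTI_AZ_1",
                                 "PreferredSubnetId": "subnet-0aaa",
                                 "ThroughputCapacity": 32},
    },
    {   # Not a Windows file system: out of scope for this check
        "FileSystemId": "fs-0abcdef0123456789", "FileSystemType": "LUSTRE",
        "SubnetIds": ["subnet-0aaa"],
    },
]

# Constructed sample in the shape of EC2 DescribeSubnets.
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-0aaa", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-0bbb", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-0ccc", "AvailabilityZone": "us-east-1a"},
]


def subnet_az_map(subnets):
    """Map SubnetId -> AvailabilityZone from DescribeSubnets output."""
    return {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}


def evaluate(file_systems, subnets):
    """Return {FileSystemId: "PASS"|"FAIL"} for Windows file systems.
    PASS requires SubnetIds that resolve to at least two distinct AZs; a
    MULTI_AZ_1 file system always has two such subnets, so this matches
    DeploymentType without depending on that field being present."""
    az_of = subnet_az_map(subnets)
    results = {}
    for fs in file_systems:
        if fs.get("FileSystemType") != "WINDOWS":
            continue
        zones = {az_of.get(sid) for sid in fs.get("SubnetIds", [])}
        zones.discard(None)  # subnet missing from the describe output
        results[fs["FileSystemId"]] = "PASS" if len(zones) > 1 else "FAIL"
    return results


def build_multi_az_request(old_fs, subnet_ids, subnets, name=None):
    """Build kwargs for fsx.create_file_system() that replace old_fs with a
    MULTI_AZ_1 file system of the same size, storage type and throughput.
    Raises ValueError for inputs the API would reject."""
    az_of = subnet_az_map(subnets)
    if len(subnet_ids) != 2:
        raise ValueError("MULTI_AZ_1 requires exactly two subnets")
    zones = [az_of.get(s) for s in subnet_ids]
    if None in zones:
        raise ValueError(f"unknown subnet in {subnet_ids}")
    if zones[0] == zones[1]:
        raise ValueError(f"subnets {subnet_ids} are both in {zones[0]}")
    old_cfg = old_fs["WindowsConfiguration"]
    win_cfg = {
        "DeploymentType": "MULTI_AZ_1",
        "PreferredSubnetId": subnet_ids[0],  # active file server's subnet
        "ThroughputCapacity": old_cfg["ThroughputCapacity"],
    }
    # AWS Managed AD can be reused by ID; a self-managed AD join needs
    # SelfManagedActiveDirectoryConfiguration with credentials (not copied).
    if "ActiveDirectoryId" in old_cfg:
        win_cfg["ActiveDirectoryId"] = old_cfg["ActiveDirectoryId"]
    return {
        "FileSystemType": "WINDOWS",
        "StorageCapacity": old_fs["StorageCapacity"],
        "StorageType": old_fs.get("StorageType", "SSD"),
        "SubnetIds": list(subnet_ids),
        "WindowsConfiguration": win_cfg,
        "Tags": [{"Key": "Name",
                  "Value": name or f"{old_fs['FileSystemId']}-multiaz"}],
    }


if __name__ == "__main__":
    results = evaluate(SAMPLE_FILE_SYSTEMS, SAMPLE_SUBNETS)
    for fs_id, status in results.items():
        print(fs_id, status)
    for fs in SAMPLE_FILE_SYSTEMS:
        if results.get(fs["FileSystemId"]) == "FAIL":
            req = build_multi_az_request(fs, ["subnet-0aaa", "subnet-0bbb"],
                                         SAMPLE_SUBNETS)
            print(req)
            # Against a real account: boto3.client("fsx").create_file_system(**req)
```

Against a live account, replace the two sample lists with the `FileSystems` key of `describe_file_systems()` and the `Subnets` key of `describe_subnets()`; the data migration and client repointing from the remediation steps still have to happen before the old file system is deleted.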
Source Code
Resource Type
Other
References
- https://docs.aws.amazon.com/fsx/latest/WindowsGuide/dfs-r.html
- https://docs.aws.amazon.com/fsx/latest/APIReference/API_WindowsFileSystemConfiguration.html
- https://docs.aws.amazon.com/securityhub/latest/userguide/fsx-controls.html
- https://docs.aws.amazon.com/fsx/latest/WindowsGuide/high-availability-multiAZ.html