Description:

Amazon RDS is a web service that makes it easier to set up, operate, and scale a relational database in the AWS Cloud. It provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks. Amazon RDS gives you access to familiar database engines: MySQL, MariaDB, Oracle, SQL Server, or PostgreSQL. This means that the code, applications, and tools you already use today with your existing databases should work with Amazon RDS.

Amazon RDS can automatically back up your database and keep your database software up to date with the latest version.


Rationale:

This policy requires automated backups of the RDS DB instance to be taken and retained for the period you set.


Impact:

This policy checks whether automated backup retention is enabled on the RDS instance. Retention enables recovery of the database to any point in time within the backup retention period. When you delete a DB instance, you can retain its automated backups.


Default Value:

If you don’t set the backup retention period, the default backup retention period is one day.

The default backup retention period is seven days if you create the DB instance using the console.


Pre-Requisite:

  1. You can set the backup retention period when you create a DB instance.
  2. After you create a DB instance, you can modify the backup retention period.
  3. You can set the backup retention period to between 0 and 35 days.
  4. If you set it to 0, automated backups are disabled.
  5. Automated backups aren’t created while a DB instance is stopped.


Remediation:


Test Plan:

Step 1: Log in to the AWS Console and go to the RDS dashboard at https://console.aws.amazon.com/rds/.

Step 2: Click on Databases in the left navigation pane

Step 3: Select the RDS instance which you want to audit and go to its summary dashboard

Step 4: Go to the Maintenance & backups tab to check whether Automated Backups is enabled or disabled

In our case it is disabled, which means retention is disabled.


Using AWS CLI:

Step 1: List the DB instances in your region.

aws rds describe-db-instances --region <your region>


Step 2: Determine the retention period for the instance's automated backups.

aws rds describe-db-instances --region <your region> --db-instance-identifier <DB identifier> --query 'DBInstances[*].BackupRetentionPeriod'


If the above command returns 0 (zero), the Automated Backups feature is not enabled.


Implementation Steps:

Step 1: Log in to the AWS Console and go to the RDS dashboard at https://console.aws.amazon.com/rds/.

Step 2: Click on Databases in the left navigation pane

Step 3: Select the RDS instance for which you want to enable retention (automated backups)

Step 4: Click the Modify button

Step 5: Scroll down to the Backup section. The Backup retention period shows 0 here because automated backup is disabled, so select the number of days from the drop-down list.

Note: The maximum you can select is 35 days.

Then set the backup window start time and duration.

Step 6: Click on the Continue button

Step 7: Below the summary of modifications, select one of the options under Schedule modifications (1. Apply during the next scheduled maintenance window, or 2. Apply immediately). Here we choose Apply immediately and click the Modify DB instance button.


Using AWS CLI

To enable automated backups by setting a retention period:

aws rds modify-db-instance --db-instance-identifier <mydbinstance> --backup-retention-period <period 1-35> --apply-immediately
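The CLI check in the Test Plan and the remediation command above, combined into one audit script. This is an added example, not part of the original document: it parses the JSON that `aws rds describe-db-instances` returns (a constructed sample with made-up instance names is embedded so it runs offline), flags instances whose retention is 0 or below an assumed policy minimum, and builds the matching modify-db-instance command. When run directly it calls the real CLI for the region given as its first argument.

```python
"""Audit RDS automated-backup retention from `aws rds describe-db-instances` output."""
import json
import subprocess
import sys

# Constructed sample of the describe-db-instances response, trimmed to the
# fields this check uses. Instance identifiers are made up for the example.
SAMPLE_RESPONSE = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "Engine": "mysql",
         "BackupRetentionPeriod": 7, "DBInstanceStatus": "available"},
        {"DBInstanceIdentifier": "reports-dev", "Engine": "postgres",
         "BackupRetentionPeriod": 0, "DBInstanceStatus": "available"},
        {"DBInstanceIdentifier": "archive-test", "Engine": "mariadb",
         "BackupRetentionPeriod": 3, "DBInstanceStatus": "stopped"},
    ]
})


def audit_retention(response_json, min_days=1):
    """Return (identifier, issue) findings for instances that violate the policy.

    A retention period of 0 means automated backups are disabled. min_days is
    an assumed organisational minimum (the page only requires retention > 0).
    Stopped instances are noted because no automated backups are taken while
    an instance is stopped.
    """
    findings = []
    for db in json.loads(response_json)["DBInstances"]:
        name = db["DBInstanceIdentifier"]
        days = db.get("BackupRetentionPeriod", 0)
        if days == 0:
            findings.append((name, "automated backups disabled (retention 0)"))
        elif days < min_days:
            findings.append((name, f"retention {days} days is below policy minimum {min_days}"))
        if db.get("DBInstanceStatus") == "stopped":
            findings.append((name, "instance is stopped; no automated backups are taken"))
    return findings


def remediation_command(name, days):
    """Build the modify-db-instance command used in the Implementation Steps."""
    if not 1 <= days <= 35:
        raise ValueError("backup retention must be between 1 and 35 days")
    return (f"aws rds modify-db-instance --db-instance-identifier {name} "
            f"--backup-retention-period {days} --apply-immediately")


if __name__ == "__main__":
    # Live mode: query the real CLI (requires configured AWS credentials).
    region = sys.argv[1] if len(sys.argv) > 1 else None
    cmd = ["aws", "rds", "describe-db-instances"] + (["--region", region] if region else [])
    raw = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    for name, issue in audit_retention(raw):
        print(f"{name}: {issue}")
```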


Backout Plan

To disable automated backups immediately:

Step 1: Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

Step 2: Click on Databases in the left navigation pane

Step 3: Select the RDS instance for which you want to disable retention (automated backups).

Step 4: Choose Modify. The Modify DB instance page appears.

Step 5: For the Backup retention period, choose 0 days

Step 6: Click on the Continue button

Step 7: Choose Apply immediately. 

  • On the confirmation page, choose Modify DB instance to save your changes and disable automated backups.


Using AWS CLI

To disable automated backups:

aws rds modify-db-instance --db-instance-identifier mydbinstance --backup-retention-period 0 --apply-immediately


To delete retained automated backups

Step 1: Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

Step 2: In the navigation pane, choose Automated backups

Step 3: On the Retained tab, choose the retained automated backup that you want to delete.

Step 4: For Actions, choose Delete.

Step 5: On the confirmation page, enter delete me and choose Delete.


Using AWS CLI

To delete a retained automated backup using the AWS CLI:

aws rds delete-db-instance-automated-backup --dbi-resource-id <db-123ABCEXAMPLE>