Description:
RDS is a web service that makes it easier to set up, operate, and scale a relational database in the AWS Cloud. It provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks. Amazon RDS gives you access to the familiar MySQL, MariaDB, Oracle, SQL Server, or PostgreSQL database engines. This means that the code, applications, and tools you already use today with your existing databases should work with Amazon RDS.
Amazon RDS can automatically back up your database and keep your database software up to date with the latest version.
Rationale:
This policy requires you to take backups of the RDS database instance automatically, within a time period that you set.
Impact:
This policy checks if RDS storage has retention enabled. It enables the recovery of the database to any point in time during the backup retention period. When you delete a DB instance, you can retain automated backups.
Default Value:
If you don’t set the backup retention period, the default backup retention period is one day.
The default backup retention period is seven days if you create the DB instance using the console.
Pre-Requisite:
- You can set the backup retention period when you create a DB instance.
- After you create a DB instance, you can modify the backup retention period.
- You can set the backup retention period to between 0 and 35 days.
- Setting the retention period to 0 disables automated backups.
- Automated backups aren’t created while a DB instance is stopped.
Remediation:
Test Plan:
Step 1: Log in to the AWS Console and go to the RDS dashboard at https://console.aws.amazon.com/rds/.
Step 2: Click on Databases in the left navigation pane
Step 3: Select the RDS instance which you want to audit and go to its summary dashboard
Step 4: Go to the Maintenance & backups tab to check whether Automated Backups is enabled or disabled.
In our case, it is disabled, which means retention is disabled.
Using AWS CLI:
Step 1: List the DB instances in your region.
aws rds describe-db-instances --region <give your region>
Step 2: Determine the retention period for your instance's automated backups.
aws rds describe-db-instances --region <give your region> --db-instance-identifier <DB identifier> --query 'DBInstances[*].BackupRetentionPeriod'
If the above command returns 0 (zero), the Automated Backups feature is not enabled.
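To run the same check across every instance in a region instead of one identifier at a time, the following added example (not part of the original policy text) classifies each instance by its BackupRetentionPeriod and also marks stopped instances, since automated backups are not created while an instance is stopped. The function names and the sample instance names are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit automated-backup retention for all RDS instances.

# Reads tab-separated rows: <identifier> <BackupRetentionPeriod> <DBInstanceStatus>
# Prints one verdict per instance. Returns 1 if any instance has backups
# disabled (period 0) or a period outside the valid 0-35 range.
classify_retention() {
    awk -F'\t' '
        $2 !~ /^[0-9]+$/ || $2 > 35 { printf "INVALID\t%s\tperiod=%s\n", $1, $2; bad = 1; next }
        $2 == 0                      { printf "DISABLED\t%s\tperiod=0\n", $1; bad = 1; next }
        # Retention is set, but no backups are taken while the instance is stopped.
        # Reported for information only; it does not fail the audit.
        $3 == "stopped"              { printf "PAUSED\t%s\tperiod=%s\n", $1, $2; next }
                                     { printf "OK\t%s\tperiod=%s\n", $1, $2 }
        END { exit bad + 0 }
    '
}

# Live audit of one region. Requires AWS CLI credentials with
# rds:DescribeDBInstances. Usage: audit_region <region>
audit_region() {
    aws rds describe-db-instances --region "$1" \
        --query 'DBInstances[*].[DBInstanceIdentifier,BackupRetentionPeriod,DBInstanceStatus]' \
        --output text | classify_retention
}

# Constructed sample rows (hypothetical instance names) in the same
# tab-separated shape that audit_region feeds to classify_retention.
sample_rows() {
    printf 'orders-db\t7\tavailable\n'
    printf 'legacy-db\t0\tavailable\n'
    printf 'staging-db\t3\tstopped\n'
}

# Offline demonstration on the constructed rows.
sample_rows | classify_retention || echo "Non-compliant instances found"
```

The non-zero return status of audit_region makes it usable as a gate in a scheduled compliance job.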
Implementation Steps:
Step 1: Log in to the AWS Console and go to the RDS dashboard at https://console.aws.amazon.com/rds/.
Step 2: Click on Databases in the left navigation pane
Step 3: Select the RDS instance for which you want to enable retention (automated backups).
Step 4: Select the Modify button.
Step 5: Scroll down to the Backup section. The Backup Retention Period is 0 here because automated backups are disabled, so select the number of days from the list menu, then give the backup start time and duration.
Note: The maximum you can select is 35 days.
Step 6: Click on the Continue button.
Step 7: Below the summary of modifications, select one of the options under Schedule modifications (1. Apply during the next scheduled maintenance window, or 2. Apply immediately). Here we choose Apply immediately and click on the Modify DB instance button.
Using AWS CLI
To enable automated backup using retention period
aws rds modify-db-instance --db-instance-identifier <mydbinstance> --backup-retention-period <give period 1-35> --apply-immediately
Backout Plan
To disable automated backups immediately
Step 1: Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.
Step 2: Click on Databases in the left navigation pane
Step 3: Select the RDS instance for which you want to disable retention (automated backups).
Step 4: Choose Modify. The Modify DB instance page appears.
Step 5: For the Backup retention period, choose 0 days
Step 6: Click on the Continue button
Step 7: Choose Apply immediately.
On the confirmation page, choose Modify DB instance to save your changes and disable automated backups.
Using AWS CLI
To disable automated backup
aws rds modify-db-instance --db-instance-identifier mydbinstance --backup-retention-period 0 --apply-immediately
To Delete retained automated backups
Step 1: Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.
Step 2: In the navigation pane, choose Automated backups.
Step 3: On the Retained tab, choose the retained automated backup that you want to delete.
Step 4: For Actions, choose Delete.
Step 5: On the confirmation page, enter delete me and choose Delete.
Using AWS CLI
To delete automated backup by using the AWS CLI command
aws rds delete-db-instance-automated-backup --dbi-resource-id <db-123ABCEXAMPLE>