Description:
Amazon RDS is a web service that makes it easier to set up, operate, and scale a relational database in the AWS Cloud. It provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks. This policy checks that access to the RDS storage service is controlled and that its backup schedule is configured.
Rationale:
RDS saves the automated backups of your DB instance according to the backup retention period that you specify. If necessary, you can recover your database to any point in time during the backup retention period.
Impact:
Amazon RDS creates and saves automated backups of your DB instance during the backup window of your DB instance. RDS creates a storage volume snapshot of your DB instance, backing up the entire DB instance and not just individual databases.
Default value:
If you don't set the backup retention period, the default backup retention period is one day if you create the DB instance using the Amazon RDS API or the AWS CLI. The default backup retention period is seven days if you create the DB instance using the console.
Audit:
- Sign in to the AWS Management Console.
- Navigate to the RDS console at https://console.aws.amazon.com/rds/.
- Click on Databases in the left navigation pane.
- Click on the database that you want to examine.
- Select the Maintenance & backups tab and go to the Backup section.
- There you can check whether automated backups are enabled and what the retention period is.
If the current status is Disabled, follow the implementation steps to enable it.
Remediation:
Pre-requisites:
- Sign in as an admin or as an IAM user with the required permissions.
- The DB instance must be in the AVAILABLE state.
Implementation Steps:
- Sign in to the AWS Management Console.
- Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
- Click on Databases in the navigation pane.
- Select the DB instance that you want to edit and click on Modify.
- The Modify DB instance page appears; go to the Backup section under Additional settings.
- Check the Enable automated backups checkbox and set the Backup retention period. You can set the backup retention period to between 0 and 35 days (0 disables automated backups).
- Click on Continue.
- In the Scheduling of modifications section, perform one of the following actions based on your requirements:
  - Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.
  - Select Apply immediately to apply the changes right away.
- Click on Modify DB instance.
Via CLI:
aws rds modify-db-instance \
--db-instance-identifier mydbinstance \
--backup-retention-period 3 \
--apply-immediately
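The audit and remediation steps above, as an added example that is not part of the original policy text: a Python script that applies the same check (a BackupRetentionPeriod of 0 means automated backups are disabled, and modify-db-instance requires the instance to be available) to the output of describe-db-instances and builds the matching modify_db_instance parameters. The sample response and instance names are constructed; against a real account you would pass in boto3.client("rds").describe_db_instances().

```python
"""Audit RDS automated backups from describe-db-instances output."""
from typing import Dict, List

# Constructed sample in the shape returned by `aws rds describe-db-instances`
# (only the fields this check needs are included; instance names are made up).
SAMPLE_RESPONSE = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "DBInstanceStatus": "available",
         "BackupRetentionPeriod": 7, "PreferredBackupWindow": "03:00-03:30"},
        {"DBInstanceIdentifier": "reports-dev", "DBInstanceStatus": "available",
         "BackupRetentionPeriod": 0, "PreferredBackupWindow": "04:00-04:30"},
        {"DBInstanceIdentifier": "legacy-db", "DBInstanceStatus": "stopped",
         "BackupRetentionPeriod": 0, "PreferredBackupWindow": "05:00-05:30"},
    ]
}


def find_non_compliant(response: Dict, min_retention_days: int = 1) -> List[Dict]:
    """Return instances whose retention period is below the required minimum.
    A BackupRetentionPeriod of 0 means automated backups are disabled."""
    findings = []
    for db in response.get("DBInstances", []):
        retention = db.get("BackupRetentionPeriod", 0)
        if retention < min_retention_days:
            findings.append({
                "DBInstanceIdentifier": db["DBInstanceIdentifier"],
                "BackupRetentionPeriod": retention,
                "DBInstanceStatus": db.get("DBInstanceStatus"),
                # modify-db-instance only succeeds on an "available" instance
                "remediable_now": db.get("DBInstanceStatus") == "available",
            })
    return findings


def remediation_params(db_id: str, retention_days: int,
                       apply_immediately: bool = False) -> Dict:
    """Build keyword arguments for boto3 rds.modify_db_instance(), mirroring the
    CLI command above. RDS accepts 0-35 days; 0 would disable backups again."""
    if not 1 <= retention_days <= 35:
        raise ValueError("retention must be 1-35 days (0 disables backups)")
    return {"DBInstanceIdentifier": db_id,
            "BackupRetentionPeriod": retention_days,
            "ApplyImmediately": apply_immediately}


if __name__ == "__main__":
    # Against a real account: response = boto3.client("rds").describe_db_instances()
    for f in find_non_compliant(SAMPLE_RESPONSE):
        action = remediation_params(f["DBInstanceIdentifier"], 3) if f["remediable_now"] else "skip"
        print(f["DBInstanceIdentifier"], f["BackupRetentionPeriod"], action)
```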
Backout plan:
To delete a retained automated backup:
- Sign in to the AWS Management Console.
- Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
- In the navigation pane, choose Automated backups.
- On the Retained tab, choose the retained automated backup that you want to delete.
- From Actions, choose Delete.
- On the confirmation page, enter "delete me" and choose Delete.
Reference: