Profile Applicability 

  • Level 2

Description

Enabling Multi-AZ for AWS Database Migration Service (DMS) instances ensures high availability and fault tolerance for your database migration tasks. With Multi-AZ enabled, a secondary replication instance is automatically created in a different Availability Zone to provide failover support in the event of a disruption to the primary instance.

Rationale

  • Improved Fault Tolerance: Provides a standby replication instance in a separate Availability Zone to maintain migration continuity.

  • Enhanced Availability: Reduces the risk of downtime by ensuring that DMS tasks can continue without manual intervention in the event of a failure.

  • Compliance: Aligns with best practices for high availability and disaster recovery.

Impact

Pros:

  • Ensures seamless failover during outages or disruptions.

  • Enhances system reliability and minimizes downtime.

  • Supports compliance with high availability requirements.

Cons:

  • May increase costs due to the creation and maintenance of a secondary instance.

  • Requires sufficient planning to configure and manage Multi-AZ instances.

Default Value

By default, Multi-AZ is disabled for DMS replication instances. It must be explicitly enabled during instance creation or modification.

Pre-Requisite

IAM Permissions Required:

  • dms:DescribeReplicationInstances

  • dms:ModifyReplicationInstance

Tooling:

  • AWS CLI installed and configured.

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Database Migration Service (DMS) > Replication Instances.

  3. For each replication instance, check the Multi-AZ field under the instance configuration. Ensure it is set to Yes.

Using AWS CLI:

  1. Describe the replication instance:

    aws dms describe-replication-instances --filters Name=replication-instance-id,Values=<instance-id>

  2. Verify the MultiAZ field in the output. Ensure it is set to true.

Implementation Steps:

Using AWS Console:

  1. Navigate to Database Migration Service (DMS) > Replication Instances.

  2. Select the replication instance to update.

  3. Click Modify and enable Multi-AZ Deployment.

  4. Save the changes.

Using AWS CLI:

  1. Enable Multi-AZ for the replication instance:

    aws dms modify-replication-instance \
    --replication-instance-arn <instance-arn> \
    --multi-az

  2. Verify the updated configuration:

    aws dms describe-replication-instances --filters Name=replication-instance-id,Values=<instance-id>
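The check above can be run across every replication instance at once. The following is an added example, not part of the original benchmark text: it reads the JSON printed by `aws dms describe-replication-instances` and separates instances where Multi-AZ is active from those where it is only queued. A modification made without `--apply-immediately` waits for the maintenance window, so `MultiAZ` can still read `false` right after remediation. The function names and the sample data are constructed for illustration, and the script assumes the response carries `PendingModifiedValues.MultiAZ` for queued changes.

```python
import json
import sys

# Constructed sample in the shape of `aws dms describe-replication-instances`
# JSON output; identifiers, account ID and ARNs are made up.
SAMPLE = {"ReplicationInstances": [
    {"ReplicationInstanceIdentifier": "dms-prod-a", "MultiAZ": True,
     "ReplicationInstanceArn": "arn:aws:dms:us-east-1:111122223333:rep:EXAMPLEA",
     "PendingModifiedValues": {}},
    {"ReplicationInstanceIdentifier": "dms-prod-b", "MultiAZ": False,
     "ReplicationInstanceArn": "arn:aws:dms:us-east-1:111122223333:rep:EXAMPLEB",
     "PendingModifiedValues": {"MultiAZ": True}},
    {"ReplicationInstanceIdentifier": "dms-dev-c", "MultiAZ": False,
     "ReplicationInstanceArn": "arn:aws:dms:us-east-1:111122223333:rep:EXAMPLEC"},
]}


def classify(instance):
    """Return PASS, PENDING or FAIL for one ReplicationInstances entry."""
    current = instance.get("MultiAZ") is True
    pending = (instance.get("PendingModifiedValues") or {}).get("MultiAZ")
    # A queued modification decides what the instance will become.
    effective = current if pending is None else pending is True
    if not effective:
        return "FAIL"  # single-AZ now, or a switch to single-AZ is queued
    return "PASS" if current else "PENDING"  # PENDING: enabled, not yet applied


def audit(describe_output):
    """Return (identifier, arn, verdict) for every instance in the output."""
    return [(i.get("ReplicationInstanceIdentifier", "?"),
             i.get("ReplicationInstanceArn", "?"),
             classify(i))
            for i in describe_output.get("ReplicationInstances", [])]


def main():
    # Pipe real CLI output in, or run with no piped input to see the sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    results = audit(data)
    for ident, arn, verdict in results:
        print(f"{verdict:8} {ident}  {arn}")
    # Non-zero exit when any instance fails, so the check can gate a pipeline.
    return 1 if any(v == "FAIL" for _, _, v in results) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Pipe the output of `aws dms describe-replication-instances --output json` into the script to audit a live account.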

Backout Plan

Using AWS Console:

  1. If enabling Multi-AZ causes issues, sign in to the AWS Management Console.

  2. Navigate to AWS DMS, select the replication instance, and go to the Modify settings.

  3. Disable Multi-AZ by selecting No.

  4. Save the changes and confirm that the instance is now operating in a single Availability Zone.

Using AWS CLI:

  1. To disable Multi-AZ, run:

    aws dms modify-replication-instance --replication-instance-arn <REPLICATION_INSTANCE_ARN> --no-multi-az

  2. Verify that Multi-AZ has been disabled:

    aws dms describe-replication-instances --filters Name=replication-instance-arn,Values=<REPLICATION_INSTANCE_ARN>

References

CIS Controls

| Version | Control ID | Control Description | IG1 | IG2 | IG3 |
|---------|------------|---------------------|-----|-----|-----|
| v8 | 5.3 | Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant. | | | |
| v8 | 13.2 | Ensure Secure Network Communication – Implement measures that prevent disruption during network changes. | | | |