Profile Applicability:

  • Level 1

Description:

Amazon DocumentDB automatically creates backups of your clusters by enabling automated backups. These backups are crucial for disaster recovery and business continuity. Backup settings can be configured for DocumentDB clusters to retain data in case of failure or accidental data loss. This SOP ensures that DocumentDB clusters have backup enabled and are configured to meet the backup retention requirements for business continuity.

Rationale:

  • Data Recovery: Automated backups ensure that you can restore your DocumentDB clusters in the event of a failure, data corruption, or accidental deletion.

  • Business Continuity: Backups allow for seamless recovery, minimizing downtime and ensuring the availability of critical data.

  • Compliance: Many regulatory frameworks, such as HIPAA and PCI-DSS, require proper backup and retention of data to meet compliance standards.

Impact:

Pros:

  • Data Protection: Ensures that your data is protected and can be restored in the event of loss or failure.

  • Disaster Recovery: Enables the recovery of DocumentDB clusters to a point-in-time in case of issues, helping to prevent data loss.

  • Compliance: Helps meet the backup and data retention requirements of compliance standards.

Cons:

  • Cost: Storing backups for extended periods increases costs due to storage usage.

  • Performance Overhead: The backup process may introduce a slight performance overhead, though this impact is typically minimal for most applications.

Default Value:

By default, DocumentDB clusters have automated backups enabled with a retention period of 7 days. The backup retention period can be modified, but backups must be enabled during cluster creation.

Pre-requisite:

  • AWS IAM Permissions:

    • rds:DescribeDBClusters

    • rds:ModifyDBCluster

    • rds:DescribeDBSnapshots

  • AWS CLI installed and configured.

  • Ensure you have permissions to access and manage DocumentDB backups.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon DocumentDB under Services.

  3. In the DocumentDB Dashboard, go to Clusters.

  4. Select the DocumentDB cluster you want to check.

  5. In the Configuration tab, check the Backup section:

    • If backup is enabled, it will show the Backup Retention Period.

    • If backup is not enabled, you will need to enable it during cluster modification.

Using AWS CLI:

  1. To check if backups are enabled for a DocumentDB cluster, run the following command:

    aws rds describe-db-clusters --query 'DBClusters[*].{ClusterIdentifier:DBClusterIdentifier,BackupRetentionPeriod:BackupRetentionPeriod}'

  2. Review the output:

  • If BackupRetentionPeriod is greater than 0, backups are enabled for the cluster.

  • If BackupRetentionPeriod is 0, backups are not enabled.

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Amazon DocumentDB.

  2. In the DocumentDB Dashboard, select Clusters and choose the DocumentDB cluster you want to enable backups for.

  3. Click Modify.

  4. Under the Backup section, ensure that the Backup Retention Period is set to a value greater than 0.

  5. Optionally, configure the backup retention period to meet your requirements.

  6. Click Continue, then Apply Changes to save the backup configuration.

Using AWS CLI:

  1. To enable backups for an existing DocumentDB cluster (if disabled), run:

    aws rds modify-db-cluster --db-cluster-identifier <db-cluster-id> --backup-retention-period <retention-period> --apply-immediately

  2. To verify that backups are enabled, run:

    aws rds describe-db-clusters --query 'DBClusters[*].{ClusterIdentifier:DBClusterIdentifier,BackupRetentionPeriod:BackupRetentionPeriod}'

Backout Plan:

Using AWS Console:

  1. If enabling backups causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon DocumentDB, select the cluster, and click Modify.

  3. Reduce the Backup retention period or revert the changes to the backup settings.

  4. Save the changes and monitor the cluster to ensure that backup functionality works as expected.

Using AWS CLI:

  1. To revert the backup retention period, run the following command:

    aws docdb modify-db-cluster --db-cluster-identifier <CLUSTER_ID> --backup-retention-period <NEW_RETENTION_PERIOD> --apply-immediately

  2. Verify that the backup settings have been updated:

    aws docdb describe-db-clusters --db-cluster-identifier <CLUSTER_ID>

References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.

v8

14.6

Protect Information Through Access Control Lists – Apply strict access control to file systems.