Profile Applicability:

  • Level 1

Description:

Amazon DocumentDB clusters can be deployed with Multi-AZ (Availability Zone) for high availability and fault tolerance. Multi-AZ deployments automatically replicate data across multiple availability zones (AZs), ensuring that your database remains available and resilient to infrastructure failures in a single AZ. This SOP ensures that DocumentDB clusters are configured to use Multi-AZ to protect data and maintain application uptime during AZ failures.

Rationale:

  • High Availability: By enabling Multi-AZ, the DocumentDB cluster automatically handles failover between AZs in the event of an AZ failure, minimizing downtime and improving application reliability.

  • Fault Tolerance: Ensures that your data remains available even if one AZ goes down.

  • Data Durability: Replicates data to a secondary AZ, providing additional protection against data loss.

  • Compliance: Multi-AZ deployments help ensure that you meet uptime and availability requirements of various compliance standards like SOC 2, PCI-DSS, and HIPAA.

Impact:

Pros:

  • Improved Uptime: Ensures high availability for your DocumentDB clusters.

  • Automatic Failover: In the event of an AZ failure, Multi-AZ deployments automatically promote the standby instance, minimizing downtime.

  • Disaster Recovery: Protects against data loss and ensures business continuity during infrastructure failures.

  • Regulatory Compliance: Meets the availability and resiliency requirements of various regulatory frameworks.

Cons:

  • Cost: Multi-AZ deployments increase costs because you need to run two instances, one for the primary and one for the standby.

  • Performance Overhead: Slight performance overhead due to data replication across AZs, although this is generally minimal.

Default Value:

By default, DocumentDB clusters are single-AZ. Multi-AZ deployment must be explicitly configured during cluster creation or modified afterward.

Pre-requisite:

  • AWS IAM Permissions:

    • rds:DescribeDBClusters

    • rds:ModifyDBCluster

  • AWS CLI installed and configured.

  • Ensure that the DocumentDB instance exists and that the IAM role has the permissions listed above to access and modify Multi-AZ configurations.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon DocumentDB under Services.

  3. In the DocumentDB Dashboard, go to Clusters.

  4. Select the DocumentDB cluster you want to check.

  5. In the Configuration tab, check the Availability Zone settings:

    • If Multi-AZ is enabled, the cluster will show Multi-AZ in the Availability Zone section.

    • If Multi-AZ is not enabled, the cluster will be running in a single AZ.

Using AWS CLI:

  1. To check if Multi-AZ is enabled for a DocumentDB cluster, run the following command:

    aws rds describe-db-clusters --query 'DBClusters[*].{ClusterIdentifier:DBClusterIdentifier,MultiAZ:MultiAZ}'

  2. Review the output:

    • If MultiAZ is true, the cluster is deployed across multiple AZs.

    • If MultiAZ is false, the cluster is in a single AZ.
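
The CLI check above can be turned into a repeatable audit. The following is an added example, not part of the original SOP: it goes one step beyond the MultiAZ flag by cross-checking it against the AZs of each cluster's instances, and it skips non-DocumentDB clusters, since `aws rds describe-db-clusters` also lists Aurora and Neptune clusters. The cluster names and AZs are constructed sample data, and the second input assumes the JSON output of `aws rds describe-db-instances` (which needs rds:DescribeDBInstances in addition to the permissions listed earlier).

```python
import json
from collections import defaultdict

# Constructed sample data shaped like the JSON returned by
# `aws rds describe-db-clusters` and `aws rds describe-db-instances`.
SAMPLE_CLUSTERS = json.loads("""{"DBClusters": [
 {"DBClusterIdentifier": "orders-docdb", "Engine": "docdb", "MultiAZ": true},
 {"DBClusterIdentifier": "audit-docdb", "Engine": "docdb", "MultiAZ": false},
 {"DBClusterIdentifier": "billing-aurora", "Engine": "aurora-mysql", "MultiAZ": false}
]}""")
SAMPLE_INSTANCES = json.loads("""{"DBInstances": [
 {"DBInstanceIdentifier": "orders-1", "DBClusterIdentifier": "orders-docdb", "AvailabilityZone": "us-east-1a"},
 {"DBInstanceIdentifier": "orders-2", "DBClusterIdentifier": "orders-docdb", "AvailabilityZone": "us-east-1b"},
 {"DBInstanceIdentifier": "audit-1", "DBClusterIdentifier": "audit-docdb", "AvailabilityZone": "us-east-1a"},
 {"DBInstanceIdentifier": "billing-1", "DBClusterIdentifier": "billing-aurora", "AvailabilityZone": "us-east-1c"}
]}""")


def audit_multi_az(clusters, instances):
    """Return one finding per DocumentDB cluster, sorted by identifier."""
    zones = defaultdict(set)
    for inst in instances.get("DBInstances", []):
        cluster_id = inst.get("DBClusterIdentifier")
        if cluster_id and inst.get("AvailabilityZone"):
            zones[cluster_id].add(inst["AvailabilityZone"])
    findings = []
    for cluster in clusters.get("DBClusters", []):
        # The rds API also lists Aurora and Neptune clusters; keep DocumentDB only.
        if cluster.get("Engine") != "docdb":
            continue
        cid = cluster["DBClusterIdentifier"]
        flag = bool(cluster.get("MultiAZ", False))
        az_list = sorted(zones[cid])
        findings.append({
            "cluster": cid,
            "multi_az_flag": flag,
            "instance_azs": az_list,
            # Pass only when the flag and the observed placement agree.
            "compliant": flag and len(az_list) >= 2,
        })
    return sorted(findings, key=lambda f: f["cluster"])


if __name__ == "__main__":
    for finding in audit_multi_az(SAMPLE_CLUSTERS, SAMPLE_INSTANCES):
        status = "PASS" if finding["compliant"] else "FAIL"
        print(status, finding["cluster"], finding["instance_azs"])
```

To run it against a real account, save the two CLI outputs with `--output json` and pass the parsed dictionaries to `audit_multi_az` in place of the sample data.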

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Amazon DocumentDB.

  2. In the DocumentDB Dashboard, select Clusters and choose the DocumentDB cluster for which you want to enable Multi-AZ.

  3. Click Modify.

  4. Under the Availability & Durability section, enable Multi-AZ.

  5. Click Continue, then Apply Changes.

  6. Ensure the new Multi-AZ setting is applied after the changes.

Using AWS CLI:

  1. To enable Multi-AZ for an existing DocumentDB cluster, run the following command:

    aws rds modify-db-cluster --db-cluster-identifier <db-cluster-id> --multi-az --apply-immediately

  2. Verify the Multi-AZ setting is applied by running:

    aws rds describe-db-clusters --query 'DBClusters[*].{ClusterIdentifier:DBClusterIdentifier,MultiAZ:MultiAZ}'

Backout Plan:

Using AWS Console:

  1. If enabling Multi-AZ causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon DocumentDB, select the cluster, and click Modify.

  3. Disable Multi-AZ and save the changes.

  4. Monitor the cluster to ensure that it returns to a single-AZ deployment.

Using AWS CLI:

  1. To disable Multi-AZ, run the following command:

    aws docdb modify-db-cluster --db-cluster-identifier <CLUSTER_ID> --no-multi-az --apply-immediately

  2. Verify that the Multi-AZ setting has been disabled:

    aws docdb describe-db-clusters --db-cluster-identifier <CLUSTER_ID>

References:

CIS Controls Mapping:

| Version | Control ID | Control Description | IG1 | IG2 | IG3 |
|---------|------------|---------------------|-----|-----|-----|
| v8 | 3.4 | Encrypt Data on End-User Devices – Ensure data encryption during file system access. | | | |
| v8 | 6.7 | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. | | | |
| v8 | 6.8 | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems. | | | |
| v8 | 14.6 | Protect Information Through Access Control Lists – Apply strict access control to file systems. | | | |