Profile Applicability:
- Level 1
Description:
Amazon RDS provides automated backups and the ability to create manual snapshots for data protection and disaster recovery. Automated backups include daily snapshots of the database and the transaction logs, allowing point-in-time recovery (PITR) for up to 35 days. Ensuring that RDS instances are protected by a backup plan, including both automated backups and manual snapshots, helps safeguard your data and ensures compliance with disaster recovery practices. This SOP ensures that RDS instances are configured with automated backups and snapshot management.
Rationale:
Disaster Recovery: Having a backup plan ensures that your data is protected against failures, deletions, or corruption. It enables you to restore the database to a specific point in time.
Business Continuity: Regular automated backups and manual snapshots reduce the impact of database failures, helping you meet business continuity requirements.
Compliance: Many regulatory frameworks require data protection measures such as regular backups, which are essential for compliance with standards such as PCI-DSS, SOC 2, and HIPAA.
Operational Efficiency: RDS backups automate the snapshot process and simplify database recovery.
Impact:
Pros:
Data Protection: Automated backups and manual snapshots ensure that your data is recoverable.
Point-in-Time Recovery: You can restore data to a specific point in time, minimizing data loss in case of an incident.
Simplified Disaster Recovery: Reduces the complexity of setting up and managing backups, allowing you to focus on other operational concerns.
Cons:
Cost: Storing backups and snapshots consumes storage space, which may lead to additional costs.
Performance Impact: There could be a slight performance overhead during backup operations, especially for large databases.
Default Value:
By default, automated backups are enabled for RDS instances with a 7-day retention period. Manual snapshots are not created by default and need to be configured or created manually.
Pre-requisite:
AWS IAM Permissions:
rds:DescribeDBInstances
rds:DescribeDBSnapshots
rds:CreateDBSnapshot
AWS CLI installed and configured.
Ensure that the RDS instance exists and that the IAM role has the permissions needed to access and manage backup configurations.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon RDS under Services.
In the RDS Dashboard, go to Databases.
Select the RDS instance you want to check.
In the Configuration tab, under the Backup section:
Automated Backups: Check if Automated Backups are enabled and review the Backup Retention Period.
Manual Snapshots: Verify if manual snapshots are created for the RDS instance under the Snapshots section.
Ensure that Automated Backups are enabled and have an appropriate retention period (e.g., 7 days or more).
If Automated Backups are not enabled, enable them during the modification process.
Using AWS CLI:
To check if automated backups are enabled for an RDS instance, run:
aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier,BackupRetentionPeriod:BackupRetentionPeriod}'
Review the output:
If BackupRetentionPeriod is greater than 0, the backup plan is configured.
If BackupRetentionPeriod is 0, automated backups are not enabled.
To check if manual snapshots are present, run:
aws rds describe-db-snapshots --db-instance-identifier <db-instance-id> --query 'DBSnapshots[*].{SnapshotId:DBSnapshotIdentifier,SnapshotType:SnapshotType}'
If manual snapshots are not listed, you should consider creating them.
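The two CLI checks above can be combined into a single pass over every instance. The script below is an added example, not part of the original SOP; the function names, the 7-day threshold, the TSV file names and the sample instance names are assumptions, and the sample data is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original SOP. Collect the two inputs with:
#   aws rds describe-db-instances --output text \
#     --query 'DBInstances[*].[DBInstanceIdentifier,BackupRetentionPeriod]' > instances.tsv
#   aws rds describe-db-snapshots --snapshot-type manual --output text \
#     --query 'DBSnapshots[*].[DBInstanceIdentifier,SnapshotType]' > snapshots.tsv

# audit_rds_backups MIN_DAYS INSTANCES_TSV SNAPSHOTS_TSV
# Prints STATUS<TAB>instance<TAB>reason; returns 1 if any instance is FAIL.
audit_rds_backups() {
  awk -F'\t' -v min="$1" -v snaps="$3" '
    NF < 2 { next }                          # skip blank or malformed lines
    # Match on FILENAME rather than NR==FNR so an empty snapshot file is handled.
    FILENAME == snaps { if ($2 == "manual") manual[$1]++; next }
    {
      n = ($1 in manual) ? manual[$1] : 0    # manual snapshots for this instance
      days = $2 + 0                          # BackupRetentionPeriod in days
      if (days == 0)       { s = "FAIL"; r = "automated backups disabled"; bad = 1 }
      else if (days < min) { s = "FAIL"; r = "retention " days "d is below " min "d"; bad = 1 }
      else if (n == 0)     { s = "WARN"; r = "retention " days "d, no manual snapshot" }
      else                 { s = "PASS"; r = "retention " days "d, " n " manual snapshot(s)" }
      print s "\t" $1 "\t" r
    }
    END { exit bad + 0 }' "$3" "$2"
}

# Constructed sample data (hypothetical instance names) so the audit runs offline.
sample_audit() (
  dir=$(mktemp -d) || exit 2
  printf 'orders-db\t14\nreports-db\t0\nlegacy-db\t3\ncache-db\t7\n' > "$dir/instances.tsv"
  printf 'orders-db\tmanual\norders-db\tmanual\nreports-db\tmanual\n' > "$dir/snapshots.tsv"
  audit_rds_backups 7 "$dir/instances.tsv" "$dir/snapshots.tsv" && rc=0 || rc=$?
  rm -rf "$dir"
  exit "$rc"
)
```

Run sample_audit to see the classification on the constructed data, or point audit_rds_backups at the two TSV files collected from a live account.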
Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console and navigate to Amazon RDS.
In the RDS Dashboard, select Databases and choose the RDS instance for which you want to enable the backup plan.
Click Modify.
Under the Backup section, ensure that Automated Backups are enabled, and set the desired Backup Retention Period (e.g., 7 days or more).
If necessary, create manual snapshots for the instance by selecting Snapshots and clicking Take Snapshot.
Click Continue, then Apply Changes.
Using AWS CLI:
To enable automated backups for an RDS instance, run:
aws rds modify-db-instance --db-instance-identifier <db-instance-id> --backup-retention-period <desired-retention-period> --apply-immediately
To create a manual snapshot, run:
aws rds create-db-snapshot --db-instance-identifier <db-instance-id> --db-snapshot-identifier <snapshot-id>
Verify that Automated Backups are enabled by running:
aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier,BackupRetentionPeriod:BackupRetentionPeriod}'
Backout Plan:
Using AWS Console:
If enabling automated backups causes issues, sign in to the AWS Management Console.
Navigate to Amazon RDS, select the DB instance, and click Modify.
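Set the Backup retention period to 0 (zero) to disable automated backups. Disabling automated backups also deletes the instance's existing automated backups, so point-in-time recovery is unavailable until they are re-enabled; manual snapshots are not affected.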
Save the changes and verify that backups are no longer being created.
Using AWS CLI:
To disable automated backups, run the following command:
aws rds modify-db-instance --db-instance-identifier <DB_INSTANCE_ID> --backup-retention-period 0 --apply-immediately
Verify that automated backups have been disabled:
aws rds describe-db-instances --db-instance-identifier <DB_INSTANCE_ID>