Profile Applicability:
- Level 1
Description:
Amazon RDS offers automated backups for DB instances, which are critical for disaster recovery and ensuring data durability. A backup plan combines automated backups, kept for a configured retention period, with manual snapshots. This SOP verifies that RDS clusters are configured with such a backup plan to protect data and support recovery in case of failure.
Rationale:
Data Protection: RDS backups ensure that the data in the cluster is recoverable in case of failure or accidental deletion.
Disaster Recovery: Regular backups are crucial for disaster recovery. Having a backup plan helps ensure business continuity and minimizes downtime during unforeseen events.
Compliance: Many compliance frameworks (e.g., PCI-DSS, SOC 2, HIPAA) require a proper backup strategy to protect sensitive data, including regular backups and secure storage.
Impact:
Pros:
Reliable Data Recovery: Ensures that RDS data is recoverable and protected from data loss due to failure or corruption.
Minimized Downtime: In case of failure, automated backups allow for quick recovery with minimal downtime.
Compliance: Helps meet regulatory requirements for data protection and disaster recovery.
Cons:
Storage Costs: Storing backups, especially with long retention periods or large amounts of data, may increase costs.
Backup Performance Impact: Backups can impact the performance of RDS instances, especially during large backups.
Default Value:
By default, automated backups are enabled with a 7-day retention period for RDS instances. If not configured with a backup plan, the database will only have the default backup retention, and manual snapshots will not be created.
Pre-requisite:
AWS IAM Permissions:
rds:DescribeDBClusters
rds:DescribeDBInstances
rds:ModifyDBCluster
rds:CreateDBSnapshot
AWS CLI installed and configured.
Ensure RDS cluster and IAM permissions are properly configured to manage and monitor backup settings.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon RDS under Services.
In the RDS Dashboard, go to Databases.
Select the RDS cluster for which you want to check the backup plan.
In the Configuration tab, under the Backup section:
Check if Automated Backups are enabled.
Verify the Backup Retention Period. Ensure it is configured with an appropriate retention period (e.g., 7 days or more, depending on your data protection strategy).
If Automated Backups is not enabled or the retention period is too short, the cluster is not properly protected by a backup plan.
Check if manual snapshots have been created for the cluster. You can find this under Snapshots in the RDS Console.
Using AWS CLI:
To check if automated backups are enabled for an RDS cluster, run the following command:
aws rds describe-db-clusters --query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,BackupRetentionPeriod:BackupRetentionPeriod}'
Review the output:
BackupRetentionPeriod should be greater than 0 days for a valid backup plan.
To check if manual snapshots are present, run:
aws rds describe-db-cluster-snapshots --db-cluster-identifier <db-cluster-id> --snapshot-type manual --query 'DBClusterSnapshots[*].{SnapshotId:DBClusterSnapshotIdentifier,SnapshotType:SnapshotType}'
If no snapshots are listed, it means manual snapshots haven’t been created.
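Added example, not part of the original SOP: a shell function that applies both CLI checks above (retention period and presence of manual snapshots) to AWS CLI `--output text` results in one pass. The 7-day threshold, the function names and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Live input for the two files would come from:
#   aws rds describe-db-clusters --output text \
#     --query 'DBClusters[*].[DBClusterIdentifier,BackupRetentionPeriod]'
#   aws rds describe-db-cluster-snapshots --snapshot-type manual --output text \
#     --query 'DBClusterSnapshots[*].[DBClusterIdentifier,DBClusterSnapshotIdentifier]'

MIN_RETENTION_DAYS="${MIN_RETENTION_DAYS:-7}"   # assumed policy threshold

# Constructed sample rows (tab-separated), not from a real account.
sample_clusters() {
  printf 'orders-prod\t14\n'
  printf 'billing-prod\t1\n'
  printf 'analytics-dev\t7\n'
}
sample_manual_snapshots() {
  printf 'orders-prod\torders-prod-pre-upgrade\n'
  printf 'billing-prod\tbilling-prod-2024q1\n'
}

# audit_backups CLUSTERS_FILE SNAPSHOTS_FILE
# Prints one line per finding: "<cluster> <FINDING> <detail>"
audit_backups() {
  awk -F '\t' -v min="$MIN_RETENTION_DAYS" '
    # First file: manual snapshots. FILENAME is compared instead of NR==FNR
    # so that an empty snapshot list (no manual snapshots at all) still works.
    FILENAME == ARGV[1] { if ($1 != "") has_manual[$1] = 1; next }
    $1 == "" { next }
    ($2 + 0) < min      { printf "%s RETENTION_TOO_SHORT %d<%d\n", $1, $2, min }
    !($1 in has_manual) { printf "%s NO_MANUAL_SNAPSHOT -\n", $1 }
  ' "$2" "$1"
}

# Demo run on the constructed samples.
tmpdir=$(mktemp -d)
sample_clusters > "$tmpdir/clusters.tsv"
sample_manual_snapshots > "$tmpdir/snapshots.tsv"
audit_backups "$tmpdir/clusters.tsv" "$tmpdir/snapshots.tsv"
rm -rf "$tmpdir"
```

Each output line names a cluster that fails one of the checks; no output means every cluster meets the threshold and has at least one manual snapshot.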
Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console and navigate to Amazon RDS.
In the RDS Dashboard, select Databases and choose the RDS cluster.
In the Configuration tab, check the Backup section to verify if Automated Backups are enabled with an adequate Backup Retention Period.
If Automated Backups is not enabled, click Modify and enable it with the appropriate retention period (e.g., 7 days or more).
Ensure that manual snapshots are taken regularly for the RDS cluster. Create one if necessary by selecting Snapshots and clicking Take Snapshot.
Using AWS CLI:
To verify if automated backups are configured correctly for an RDS cluster, run:
aws rds describe-db-clusters --query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,BackupRetentionPeriod:BackupRetentionPeriod}'
If BackupRetentionPeriod is 0 or if automated backups are not enabled, run:
aws rds modify-db-cluster --db-cluster-identifier <db-cluster-id> --backup-retention-period <desired-retention-period> --apply-immediately
To check if manual snapshots exist, run:
aws rds describe-db-cluster-snapshots --db-cluster-identifier <db-cluster-id> --snapshot-type manual --query 'DBClusterSnapshots[*].{SnapshotId:DBClusterSnapshotIdentifier,SnapshotType:SnapshotType}'
Backout Plan:
Using AWS Console:
If enabling automated backups or configuring the backup plan causes issues, sign in to the AWS Management Console.
Navigate to Amazon RDS, select the DB cluster, and click Modify.
Set the Backup retention period to 0 (zero) to disable automated backups if needed.
Save the changes and verify that automated backups are no longer being created.
Using AWS CLI:
To disable automated backups, run the following command:
aws rds modify-db-cluster --db-cluster-identifier <CLUSTER_ID> --backup-retention-period 0 --apply-immediately
Verify that automated backups have been disabled:
aws rds describe-db-clusters --db-cluster-identifier <CLUSTER_ID>