Profile Applicability:

  • Level 2

Description:

Amazon RDS (Relational Database Service) offers the ability to deploy instances in Multi-AZ (Availability Zones), providing enhanced availability, fault tolerance, and disaster recovery. When Multi-AZ is enabled, Amazon RDS automatically creates a synchronous standby replica in a different availability zone (AZ) from the primary instance. This ensures high availability and automatic failover in case of planned maintenance, unplanned outages, or system failures.

This SOP ensures that RDS instances are configured to use Multi-AZ deployments, improving database availability and minimizing downtime.

Rationale:

  • High Availability: Multi-AZ deployments provide automatic failover to the standby replica in case the primary instance fails or requires maintenance.

  • Fault Tolerance: Ensures the database remains accessible even during the failure of an entire availability zone.

  • Disaster Recovery: Multi-AZ deployments enable seamless disaster recovery with minimal downtime and data loss.

  • Compliance: Many compliance frameworks (such as PCI-DSS, SOC 2, HIPAA) require high availability configurations for critical systems like databases.

Impact:

Pros:

  • Improved Uptime: By enabling Multi-AZ, you ensure higher availability with automatic failover to a standby instance in case of failure.

  • Fault Tolerance: The replication across multiple AZs ensures that the data remains available even in case of zone failures.

  • Disaster Recovery: Multi-AZ ensures business continuity by enabling failover to a healthy replica.

  • Compliance: Meets security and compliance standards requiring availability and high fault tolerance.

Cons:

  • Cost: Multi-AZ deployments incur additional costs for the standby instance and the replication between zones.

  • Performance Overhead: While the overhead is typically minimal, synchronous replication introduces some performance cost, especially for write-heavy workloads.

Default Value:

By default, RDS instances are not configured with Multi-AZ deployments. Multi-AZ must be explicitly enabled during instance creation or by modifying the instance later.

Pre-requisite:

  • AWS IAM Permissions:

    • rds:DescribeDBInstances

    • rds:ModifyDBInstance

    • rds:CreateDBInstance

  • AWS CLI installed and configured.

  • RDS instance should support Multi-AZ (compatible with the database engine).

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon RDS under Services.

  3. In the RDS Dashboard, go to Databases and select the RDS instance you want to check.

  4. In the Configuration tab, check the Multi-AZ setting:

    • If Multi-AZ is enabled, it will show Yes.

    • If Multi-AZ is not enabled, it will show No.

  5. If Multi-AZ is not enabled, click Modify and under the Availability & Durability section, check Enable Multi-AZ.

  6. Save the changes and verify that Multi-AZ is now enabled for the RDS instance.

Using AWS CLI:

  1. To check if Multi-AZ is enabled for an RDS instance, run:

    aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier, MultiAZ:MultiAZ}'

  2. Review the output:

  • If MultiAZ is true, Multi-AZ is enabled.

  • If MultiAZ is false, Multi-AZ is not enabled.

  1. To enable Multi-AZ for an RDS instance, run:

    aws rds modify-db-instance --db-instance-identifier <instance-id> --multi-az --apply-immediately

  2. Verify that Multi-AZ is enabled:

    aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier, MultiAZ:MultiAZ}'

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Amazon RDS.

  2. In the RDS Dashboard, select Databases and choose the RDS instance for which you want to enable Multi-AZ.

  3. Click Modify.

  4. In the Availability & Durability section, select Enable Multi-AZ.

  5. Click Continue, then Apply Changes to enable Multi-AZ.

Using AWS CLI:

  1. To enable Multi-AZ for an RDS instance, run the following command:

    aws rds modify-db-instance --db-instance-identifier <instance-id> --multi-az --apply-immediately

  2. To verify that Multi-AZ is enabled, run:

    aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier, MultiAZ:MultiAZ}'

Backout Plan:

Using AWS Console:

  1. If enabling Multi-AZ causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon RDS, select the DB instance, and click Modify.

  3. Uncheck the Multi-AZ option.

  4. Save the changes and verify that Multi-AZ has been disabled.

Using AWS CLI:

  1. To disable Multi-AZ for an RDS instance, run the following command:

    aws rds modify-db-instance --db-instance-identifier <DB_INSTANCE_ID> --no-multi-az --apply-immediately

  2. Verify that Multi-AZ has been disabled:

    aws rds describe-db-instances --db-instance-identifier <DB_INSTANCE_ID>

References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.

v8

14.6

Protect Information Through Access Control Lists – Apply strict access control to file systems.