Profile Applicability:

  • Level 1

Description:

Amazon RDS (Relational Database Service) offers Multi-AZ (Availability Zone) deployments for database instances to enhance availability, fault tolerance, and disaster recovery. When Multi-AZ is enabled, RDS automatically creates a synchronous standby replica in a different Availability Zone (AZ) from the primary instance. This setup ensures high availability and automatic failover in case of planned maintenance, unplanned failures, or disasters.

This SOP ensures that RDS clusters are configured with Multi-AZ deployments to improve database availability, minimize downtime, and enhance data durability.

Rationale:

  • High Availability: Multi-AZ deployments ensure that RDS instances are always available even in case of failure in one Availability Zone, as traffic will automatically failover to the standby replica in another AZ.

  • Improved Durability: Provides disaster recovery capabilities by replicating data across different physical locations within the region.

  • Seamless Failover: In the event of a failure, RDS automatically switches to the standby instance, reducing the need for manual intervention.

  • Compliance: Many compliance frameworks (such as PCI-DSS, SOC 2, HIPAA) require high availability configurations to ensure uninterrupted service and data protection.

Impact:

Pros:

  • Improved Uptime: Ensures higher uptime and availability, minimizing the impact of hardware failures or maintenance events.

  • Fault Tolerance: Data is automatically replicated across multiple AZs, providing built-in protection from availability zone failures.

  • Automatic Failover: In case of an issue with the primary instance, RDS automatically fails over to the standby instance, reducing downtime.

  • Disaster Recovery: Provides enhanced protection against regional disasters by ensuring data is replicated across multiple AZs.

Cons:

  • Cost: Multi-AZ deployments incur additional costs as they require provisioning of standby replicas in another AZ.

  • Slight Performance Overhead: The synchronous replication can cause a minor performance overhead, particularly in write-heavy workloads.

Default Value:

By default, RDS clusters are not configured with Multi-AZ enabled. You must explicitly enable this feature when creating or modifying an RDS cluster.

Pre-requisite:

  • AWS IAM Permissions:

    • rds:DescribeDBClusters

    • rds:ModifyDBCluster

    • rds:CreateDBCluster

  • AWS CLI installed and configured.

  • Ensure the RDS instance is compatible with Multi-AZ deployments for the selected database engine (e.g., MySQL, PostgreSQL).

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon RDS under Services.

  3. In the RDS Dashboard, go to Databases and select the RDS cluster you want to check.

  4. In the Configuration tab, under Multi-AZ:

    • If Multi-AZ is enabled, it will show as Yes.

    • If Multi-AZ is disabled, it will show as No.

  5. If Multi-AZ is not enabled, click Modify, and in the Availability & Durability section, check the box for Enable Multi-AZ.

  6. Save the changes and verify that Multi-AZ is now enabled for the RDS cluster.

Using AWS CLI:

  1. To check if Multi-AZ is enabled for an RDS cluster, run:

    aws rds describe-db-clusters --query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,MultiAZ:MultiAZ}'

  2. Review the output:

  • If MultiAZ is true, Multi-AZ is enabled.

  • If MultiAZ is false, Multi-AZ is not enabled.

  1. To enable Multi-AZ for an RDS cluster, run:

    aws rds modify-db-cluster --db-cluster-identifier <cluster-id> --multi-az --apply-immediately

  2. Verify that Multi-AZ is enabled:

    aws rds describe-db-clusters --query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,MultiAZ:MultiAZ}'


Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Amazon RDS.

  2. In the RDS Dashboard, select Databases and choose the RDS cluster for which you want to enable Multi-AZ.

  3. Click Modify.

  4. In the Availability & Durability section, select Enable Multi-AZ.

  5. Click Continue, then Apply Changes to enable Multi-AZ.

Using AWS CLI:

  1. To enable Multi-AZ for an RDS cluster, run the following command:

    aws rds modify-db-cluster --db-cluster-identifier <cluster-id> --multi-az --apply-immediately

  2. Verify that Multi-AZ is enabled:

    aws rds describe-db-clusters --query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,MultiAZ:MultiAZ}'

Backout Plan:

Using AWS Console:

  1. If enabling Multi-AZ causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon RDS, select the DB cluster, and click Modify.

  3. Uncheck the Multi-AZ option.

  4. Save the changes and verify that Multi-AZ has been disabled.

Using AWS CLI:

  1. To disable Multi-AZ for an RDS cluster, run the following command:

    aws rds modify-db-cluster --db-cluster-identifier <CLUSTER_ID> --no-multi-az --apply-immediately

  2. Verify that Multi-AZ has been disabled:

    aws rds describe-db-clusters --db-cluster-identifier <CLUSTER_ID>

References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.

v8

14.6

Protect Information Through Access Control Lists – Apply strict access control to file systems.