Profile Applicability

  • Level 1

Description:

Amazon Relational Database Service (RDS) Multi-AZ deployments provide enhanced availability, fault tolerance, and automated backups for Amazon RDS instances. When Multi-AZ deployments are enabled, Amazon RDS automatically provisions a synchronous standby replica in a different Availability Zone (AZ) to maintain data redundancy and ensure high availability.

By enabling Multi-AZ deployments for Amazon RDS, organizations can ensure that their database systems remain operational in the event of an Availability Zone failure, reducing the risk of downtime and service interruptions.

Rationale:

Enabling Multi-AZ deployments in Amazon RDS provides the following benefits:

  • High availability: Ensures that the RDS instance remains available in case of an AZ failure, reducing downtime and improving reliability.

  • Automated failover: In the event of an AZ failure, Amazon RDS automatically promotes the standby replica to the primary database to maintain availability.

  • Improved data durability: Data is synchronously replicated to the standby instance in a different AZ, ensuring high durability and fault tolerance.

  • Compliance: Helps meet compliance requirements for highly available database systems.

Without Multi-AZ deployments, databases are vulnerable to disruptions in availability, which can lead to downtime and potential data loss.

Impact:

Failure to enable Multi-AZ deployments can result in:

  • Reduced availability: Single-AZ deployments are vulnerable to AZ failures, resulting in potential database downtime.

  • Increased risk of service interruptions: Lack of automatic failover can lead to longer recovery times in the event of failure.

  • Non-compliance with regulatory or operational requirements for high availability.

Enabling Multi-AZ deployments ensures that RDS instances are highly available and fault-tolerant, reducing the risk of downtime and improving database resilience.

Default Value:

By default, Amazon RDS instances are not created with Multi-AZ deployments. Multi-AZ must be explicitly enabled during the database instance creation or by modifying the instance configuration.

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions:

    • rds:DescribeDBInstances

    • rds:ModifyDBInstance

  • Amazon RDS instance should be running and available for configuration

Remediation:

Test Plan:

Using AWS Console:

  1. Go to the RDS Console.

  2. Navigate to the Databases section and select the RDS instance to verify if Multi-AZ deployment is enabled.

  3. In the Connectivity & security section, confirm that Multi-AZ deployment is set to Yes.

Using AWS CLI:

aws rds describe-db-instances --query 'DBInstances[?MultiAZ==`true`].{DBInstanceIdentifier:DBInstanceIdentifier,MultiAZ:MultiAZ}' --output table

(The JMESPath literal `true` must be backtick-quoted; single-quote the whole --query argument so the shell does not treat the backticks as command substitution. Any instance missing from this output is not Multi-AZ.)

Implementation Plan:

Using AWS Console:

  1. Enable Multi-AZ deployment for RDS instance:

    • Go to the RDS Console.

    • Select the RDS instance that you want to configure for Multi-AZ.

    • In the Modify DB Instance screen, under the Availability & durability section, select Create a standby DB instance to enable Multi-AZ.

    • Save changes to apply Multi-AZ deployment.

  2. Verify Multi-AZ deployment:

    • In the RDS Console, check the Connectivity & security section of the instance details to ensure that Multi-AZ is enabled.

Using AWS CLI:

  1. Enable Multi-AZ for an RDS instance:

aws rds modify-db-instance --db-instance-identifier <db-instance-id> --multi-az --apply-immediately

  2. Verify Multi-AZ status:

aws rds describe-db-instances --query "DBInstances[?DBInstanceIdentifier=='<db-instance-id>'].{DBInstanceIdentifier:DBInstanceIdentifier,MultiAZ:MultiAZ}" --output table
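
The Test Plan and Implementation Plan above can be combined into one audit pass over the JSON that `aws rds describe-db-instances --output json` returns. The script below is an added example, not part of the original benchmark text or of AWS tooling; it runs on a constructed sample when no JSON is piped in, classifies each instance, and prints the page's remediation command for every non-compliant one. It assumes only the documented DBInstances fields (DBInstanceIdentifier, MultiAZ, DBClusterIdentifier); Aurora and DB-cluster members are reported separately because their redundancy is a cluster property (describe-db-clusters), not this instance field.

```python
"""Audit RDS instances for Multi-AZ using describe-db-instances JSON."""
import json
import sys

# Constructed sample in the shape of `aws rds describe-db-instances --output json`,
# trimmed to the fields the check uses. Not real account data.
SAMPLE = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres", "MultiAZ": True},
        {"DBInstanceIdentifier": "reports-dev", "Engine": "mysql", "MultiAZ": False},
        {"DBInstanceIdentifier": "billing-aurora-1", "Engine": "aurora-mysql",
         "MultiAZ": False, "DBClusterIdentifier": "billing-aurora"},
    ]
})


def audit_multi_az(describe_json: str) -> dict:
    """Classify instances as compliant (MultiAZ true), non_compliant (MultiAZ
    false/missing), or cluster_member (belongs to a DB cluster; check the
    cluster with describe-db-clusters instead of this instance-level field)."""
    result = {"compliant": [], "non_compliant": [], "cluster_member": []}
    for inst in json.loads(describe_json).get("DBInstances", []):
        ident = inst["DBInstanceIdentifier"]
        if inst.get("DBClusterIdentifier"):
            result["cluster_member"].append(ident)
        elif inst.get("MultiAZ") is True:
            result["compliant"].append(ident)
        else:
            result["non_compliant"].append(ident)
    return result


def remediation_commands(audit: dict) -> list:
    """Build the Implementation Plan's modify-db-instance command for each
    non-compliant instance. Review before running: --apply-immediately
    applies the change now rather than in the maintenance window."""
    return [
        f"aws rds modify-db-instance --db-instance-identifier {ident} "
        "--multi-az --apply-immediately"
        for ident in audit["non_compliant"]
    ]


if __name__ == "__main__":
    # Use piped describe-db-instances output if present, else the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    report = audit_multi_az(data)
    for category, idents in report.items():
        print(f"{category}: {', '.join(idents) or '-'}")
    for cmd in remediation_commands(report):
        print(cmd)
```

Run as `aws rds describe-db-instances --output json | python3 audit_multi_az.py` to audit a real account (the filename is an assumption).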

Backout Plan:

Using AWS Console:

  1. If Multi-AZ deployment causes performance issues:

    • Go to the RDS Console.

    • Modify the RDS instance to disable Multi-AZ deployment by selecting No under Multi-AZ deployment during the instance modification process.

    • Apply the changes to revert the instance to a single-AZ configuration.

  2. Adjust database instance configurations if the issue is related to specific AZ performance or availability.

Using AWS CLI:

  1. Temporarily disable Multi-AZ deployment:

aws rds modify-db-instance --db-instance-identifier <db-instance-id> --no-multi-az --apply-immediately

(The AWS CLI expresses this boolean as --multi-az or --no-multi-az; "--multi-az false" is not accepted.)

  2. Stop RDS instance modification if performance issues are encountered:

aws rds stop-db-instance --db-instance-identifier <db-instance-id>

  3. Re-enable Multi-AZ deployment once issues are resolved:

aws rds modify-db-instance --db-instance-identifier <db-instance-id> --multi-az --apply-immediately

References:

CIS Controls Mapping:

CIS Control Version | Control ID | Control Description
--------------------+------------+--------------------------------------------------------------
CIS v8              | 4.9        | Perform Continuous Security Monitoring and Incident Detection
CIS v7              | 6.3        | Monitor Security Configurations for Compliance
CIS v7              | 5.2        | Securely Manage and Monitor Cloud Accounts and Services