Rule: RDS DB Instance Backup Should Be Enabled

This rule ensures that RDS DB instance backup is enabled for data security and recovery purposes.

Rule: RDS DB instance backup should be enabled
Framework: CISA-cyber-essentials
Severity: Medium

RDS DB Instance Backup for CISA Cyber Essentials

Description

Enabling RDS DB instance backup for CISA-Cyber Essentials is a best practice that helps ensure the availability and recoverability of databases hosted in Amazon Relational Database Service (RDS). Taking regular backups is crucial for meeting the backup and recovery objectives of the CISA Cyber Essentials framework.

Troubleshooting Steps

If RDS DB instance backup is not enabled for CISA-Cyber Essentials, the following troubleshooting steps can be taken:

  1. Verify RDS Instance Backup Status: Check the current backup status of the RDS instance. If backups are already enabled, ensure that they are being taken according to the desired schedule.
  2. Review IAM Permissions: Ensure that the IAM user or role associated with the RDS instance has the necessary permissions to enable and manage backups. If required permissions are missing, update the IAM policy accordingly.
  3. Check Automatic Backup Configuration: Review the automatic backup configuration for the RDS instance. Ensure that automated backups are enabled and confirm the backup retention period aligns with the desired backup strategy.
  4. Verify Storage Space: Make sure that there is sufficient storage space available to store the backups. If needed, increase the allocated storage size for the RDS instance.
  5. Access Control: Confirm that the appropriate security groups and network ACLs are configured to allow backup operations.

Necessary Codes (AWS CLI)

To enable RDS DB instance backup for CISA-Cyber Essentials, use the following AWS CLI command:

aws rds modify-db-instance \
    --db-instance-identifier <instance-identifier> \
    --backup-retention-period <retention-period> \
    --apply-immediately

Replace <instance-identifier> with the identifier of the RDS instance and <retention-period> with the desired number of days to retain backups.

To verify the current backup configuration, use the following command:

aws rds describe-db-instances --db-instance-identifier <instance-identifier> --query 'DBInstances[*].BackupRetentionPeriod'
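
The describe command above checks one instance at a time. The script below is an added example, not part of the original page: it applies the same BackupRetentionPeriod check to every instance in a region, where a retention period of 0 means automated backups are disabled. The MIN_DAYS threshold, the function names and the sample rows are assumptions made for illustration.

```shell
# Added example: flag RDS instances whose automated backups are off or too short.
# MIN_DAYS is an assumed policy value, not taken from the rule on this page.
MIN_DAYS="${MIN_DAYS:-7}"

# Reads "identifier<TAB>retention-days" rows on stdin and prints one finding
# per non-compliant instance. Returns 1 if any row fails, 0 otherwise.
check_backup_retention() {
    awk -F '\t' -v min="$MIN_DAYS" '
        NF == 0          { next }
        $2 !~ /^[0-9]+$/ { printf "UNKNOWN  %s (retention=%s)\n", $1, $2; bad = 1; next }
        $2 + 0 == 0      { printf "DISABLED %s\n", $1; bad = 1; next }
        $2 + 0 < min + 0 { printf "SHORT    %s (%d < %d days)\n", $1, $2, min; bad = 1; next }
        END              { exit bad + 0 }
    '
}

# Lists every instance in the current region as tab-separated rows,
# using the same describe call as above with a wider --query.
list_instances() {
    aws rds describe-db-instances \
        --query 'DBInstances[*].[DBInstanceIdentifier,BackupRetentionPeriod]' \
        --output text
}

# Constructed sample rows standing in for list_instances output (offline use).
sample_rows() {
    printf 'orders-prod\t7\n'
    printf 'analytics-dev\t0\n'
    printf 'billing-prod\t3\n'
}

# Live use:    list_instances | check_backup_retention
# Offline use: sample_rows | check_backup_retention
```

The non-zero return code makes the check usable as a gate in a scheduled job or pipeline.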

Step-by-Step Guide

Follow the steps below to enable RDS DB instance backup for CISA-Cyber Essentials:

  1. Identify the RDS Instance: Identify the RDS instance for which you want to enable backups.
  2. Verify Backup Status: Check if backups are already enabled for the identified RDS instance.
  3. Modify Backup Configuration: If backups are not enabled, use the AWS CLI command mentioned above to modify the backup retention period and apply the changes immediately.
  4. Confirm Backup Configuration: Use the describe command provided above to verify the updated backup configuration.
  5. Validate Backup Schedule: Ensure that backups are created as per the desired schedule.
  6. Monitor Backup Storage: Regularly monitor the storage usage of backups to avoid potential storage-related issues.

By following these steps, you can effectively enable RDS DB instance backup for CISA-Cyber Essentials, ensuring that your RDS databases are protected and comply with the recommended best practices.
