Rule: RDS Aurora clusters should be protected by backup plan

This rule states that RDS Aurora clusters must have a backup plan in place to ensure data protection in case of emergencies.

Rule: RDS Aurora clusters should be protected by backup plan
Framework: FedRAMP Moderate Revision 4
Severity: Medium

Ensure RDS Aurora Clusters are Protected by a Backup Plan for FedRAMP Moderate Revision 4

Amazon RDS Aurora clusters must be configured with a robust backup plan to comply with the Federal Risk and Authorization Management Program (FedRAMP) Moderate Revision 4 requirements. This backup strategy is critical in maintaining data integrity, availability, and enabling disaster recovery.

Rule Description

The backup plan should encompass regularly scheduled snapshots, retention policies, and the ability to restore data at any time. For FedRAMP Moderate compliance, it must meet or exceed specified backup frequency and retention period requirements.

Backup Configuration Steps

Enabling Automatic Snapshots

  1. Navigate to the RDS console.
  2. Select your Aurora cluster.
  3. Click on Instance Actions, then select Modify.
  4. Ensure that Backup Retention Period is set to at least one day (the FedRAMP Moderate requirement is typically seven days).
  5. Enable Copy Tags to Snapshots if necessary to ensure snapshots are appropriately labeled.

Manual Snapshots

While automated snapshots are vital, manual snapshots can be taken as well.

aws rds create-db-cluster-snapshot \
  --db-cluster-snapshot-identifier my-manual-snapshot \
  --db-cluster-identifier my-cluster

Replace my-manual-snapshot with your desired snapshot name and my-cluster with the identifier of your Aurora cluster.

Backup Retention Policy

  1. Log into AWS RDS Console.
  2. Select the Aurora Cluster.
  3. Modify the cluster's settings to set the Backup Retention Period to the required duration.
  4. Apply changes immediately if necessary or schedule the changes during the next maintenance window.

Disaster Recovery Preparedness

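To confirm that data is recoverable, regularly test the backup by restoring a snapshot to a new DB cluster.

# --engine is required and must match the snapshot's engine; aurora-mysql is an example value.
# The restored cluster has no DB instances until one is added with create-db-instance.
aws rds restore-db-cluster-from-snapshot \
  --db-cluster-identifier my-new-cluster \
  --snapshot-identifier my-snapshot-name \
  --engine aurora-mysql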

Troubleshooting Backup Issues

  • Snapshots Not Occurring: Check IAM roles and permissions, network configurations, and if the instance is in the available state.
  • Retention Policy Not Met: Ensure that the retention period meets the FedRAMP Moderate requirements and review the snapshot window.
  • Failure to Restore: Inspect the snapshot’s integrity, the security group settings, parameter groups, and the AWS KMS key policies if the snapshots are encrypted.

Remediation Steps

  • Update backup retention settings on existing clusters.
  • Establish alarms or monitoring tools like AWS Config to assess compliance with the backup policy.
  • Regularly review and test backup and restore procedures.
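
The checks in this rule (retention period, Copy Tags to Snapshots, the available state) can be scripted over the output of `aws rds describe-db-clusters --output json`. The following is an added example, not code from this page or from AWS; the cluster names in the sample are constructed, and the 7-day threshold is the figure this page cites.

```python
import json
import shlex

MIN_RETENTION_DAYS = 7  # figure this page cites for FedRAMP Moderate

# Constructed sample in the shape of `aws rds describe-db-clusters --output json`.
SAMPLE = json.loads("""
{"DBClusters": [
 {"DBClusterIdentifier": "orders-prod", "Engine": "aurora-mysql",
  "Status": "available", "BackupRetentionPeriod": 7, "CopyTagsToSnapshot": true},
 {"DBClusterIdentifier": "reports-dev", "Engine": "aurora-postgresql",
  "Status": "available", "BackupRetentionPeriod": 1, "CopyTagsToSnapshot": false},
 {"DBClusterIdentifier": "legacy-batch", "Engine": "aurora-mysql",
  "Status": "stopped", "BackupRetentionPeriod": 14, "CopyTagsToSnapshot": true},
 {"DBClusterIdentifier": "graph-1", "Engine": "neptune",
  "Status": "available", "BackupRetentionPeriod": 1, "CopyTagsToSnapshot": false}
]}
""")

def aurora_clusters(doc):
    """Keep only Aurora clusters; the same API call also lists other engines."""
    return [c for c in doc.get("DBClusters", []) if c.get("Engine", "").startswith("aurora")]

def audit_clusters(doc, min_days=MIN_RETENTION_DAYS):
    """Return {cluster_id: [finding, ...]} for Aurora clusters that fail a check."""
    report = {}
    for c in aurora_clusters(doc):
        findings = []
        days = c.get("BackupRetentionPeriod", 0)
        if days < min_days:
            findings.append(f"retention {days}d < {min_days}d")
        if not c.get("CopyTagsToSnapshot", False):
            findings.append("CopyTagsToSnapshot disabled")
        if c.get("Status") != "available":
            findings.append(f"status {c.get('Status')!r} is not 'available'")
        if findings:
            report[c["DBClusterIdentifier"]] = findings
    return report

def remediation_commands(doc, min_days=MIN_RETENTION_DAYS):
    """Build the page's modify-db-cluster command for each short-retention cluster."""
    return [
        "aws rds modify-db-cluster --db-cluster-identifier "
        f"{shlex.quote(c['DBClusterIdentifier'])} "
        f"--backup-retention-period {min_days} --apply-immediately"
        for c in aurora_clusters(doc)
        if c.get("BackupRetentionPeriod", 0) < min_days
    ]
```

Feed it live data by replacing SAMPLE with the parsed JSON from the CLI call; the generated commands are meant to be reviewed before they are run.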

CLI Commands for Remediation

Update the Backup Retention Period

aws rds modify-db-cluster \
  --db-cluster-identifier my-cluster \
  --backup-retention-period 7 \
  --apply-immediately

Schedule a New Snapshot

aws rds create-db-cluster-snapshot \
  --db-cluster-snapshot-identifier my-scheduled-snapshot \
  --db-cluster-identifier my-cluster

Restore a DB Cluster from Snapshot

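# --engine is required; use the engine of the snapshot (aurora-mysql is an example value).
aws rds restore-db-cluster-from-snapshot \
  --db-cluster-identifier my-restored-cluster \
  --snapshot-identifier my-scheduled-snapshot \
  --engine aurora-mysql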

Maintaining backups of RDS Aurora clusters and regularly verifying that they comply with FedRAMP Moderate requirements is not only essential for data integrity but also vital for meeting regulatory standards. Adhering to these guidelines will minimize the risk of data loss and ensure that RDS Aurora clusters are well-protected with a robust backup plan.
