Ensure that RDS DB instance backup is enabled to comply with Contingency Planning (CP) standards.
| Rule | RDS DB instance backup should be enabled |
| Framework | FedRAMP Moderate Revision 4 |
| Severity | ✔ Medium |
Ensuring RDS DB Instance Backup is Enabled for FedRAMP Moderate Revision 4
Overview
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Compliance with FedRAMP Moderate Revision 4 means adhering to a set of controls that ensure moderate-level confidentiality, integrity, and availability of data.
Enabling backups for your Amazon RDS (Relational Database Service) instances is a crucial part of maintaining data integrity and availability. Doing so complies with FedRAMP security requirements and enables you to recover your databases in case of data loss.
Policy Details
Within Amazon RDS, automated backups are an essential feature for recovery purposes. The RDS backup capability helps meet the FedRAMP Moderate Revision 4 control requirements by ensuring that:
The policy mandates that RDS automated backups should be turned on with an appropriate retention period, typically 7 days for FedRAMP Moderate controls.
Troubleshooting Steps
If your RDS instance is not backing up as expected, here are some troubleshooting steps:
1. Check the backup settings of your RDS instance.
2. Ensure that the RDS instance has the appropriate IAM permissions to perform backups.
3. Verify that your backup retention period is set according to policy requirements.
4. Confirm that encryption is enabled for the backups.
Necessary Commands
1. Check backup settings using the AWS CLI:
aws rds describe-db-instances --db-instance-identifier your-instance-id --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier,BackupRetentionPeriod:BackupRetentionPeriod}'
2. Modify RDS instance to enable backups:
aws rds modify-db-instance --db-instance-identifier your-instance-id --backup-retention-period 7 --apply-immediately
3. Check encryption status:
aws rds describe-db-instances --db-instance-identifier your-instance-id --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier,StorageEncrypted:StorageEncrypted}'
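The checks from commands 1 and 3 can be combined into one pass over every instance in a `describe-db-instances` response. This is an added example, not part of the original page; the sample JSON and instance names are constructed, and the 7-day threshold is the retention period stated above.

```python
import json

MIN_RETENTION_DAYS = 7  # retention period this page gives for FedRAMP Moderate

# Constructed sample shaped like `aws rds describe-db-instances` output,
# trimmed to the fields queried in commands 1 and 3 above.
SAMPLE_RESPONSE = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "BackupRetentionPeriod": 7, "StorageEncrypted": True},
        {"DBInstanceIdentifier": "orders-dev", "BackupRetentionPeriod": 0, "StorageEncrypted": True},
        {"DBInstanceIdentifier": "reports", "BackupRetentionPeriod": 3, "StorageEncrypted": False},
        {"DBInstanceIdentifier": "legacy"},  # fields absent from the response
    ]
})


def evaluate_instance(inst, min_days=MIN_RETENTION_DAYS):
    """Return a list of findings for one DBInstances entry (empty = compliant)."""
    findings = []
    retention = inst.get("BackupRetentionPeriod")
    if retention is None:
        findings.append("BackupRetentionPeriod missing from response")
    elif retention == 0:
        # A retention period of 0 means automated backups are disabled.
        findings.append("automated backups disabled (retention 0)")
    elif retention < min_days:
        findings.append(f"retention {retention}d is below required {min_days}d")
    # Treat a missing StorageEncrypted value as unencrypted (fail closed).
    if not inst.get("StorageEncrypted", False):
        findings.append("storage (and therefore backups) not encrypted")
    return findings


def evaluate_response(raw_json, min_days=MIN_RETENTION_DAYS):
    """Map each instance identifier to its list of findings."""
    data = json.loads(raw_json)
    return {
        inst.get("DBInstanceIdentifier", "<unknown>"): evaluate_instance(inst, min_days)
        for inst in data.get("DBInstances", [])
    }


if __name__ == "__main__":
    for name, findings in evaluate_response(SAMPLE_RESPONSE).items():
        status = "COMPLIANT" if not findings else "NON_COMPLIANT"
        print(f"{status:14} {name}: {'; '.join(findings) or 'ok'}")
```

To run it against an account, pass the JSON printed by `aws rds describe-db-instances` to `evaluate_response` in place of the constructed sample.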
Remediation Steps
If your RDS instance is not in compliance with the backup policy, here's how to enable and configure backups:
1. Log into the AWS Management Console.
2. Navigate to the RDS dashboard and select the instance.
3. Under Instance Actions, select Modify.
4. In the Backup section, set the Backup Retention Period to the desired number of days (e.g., 7 for FedRAMP Moderate).
5. Ensure that Enable Encryption is checked and select the appropriate KMS key.
6. Choose Apply Immediately to enable backups right away.
7. Click Continue and then Modify DB Instance to apply the changes.
Following this guide will help ensure that your RDS instances comply with FedRAMP Moderate Revision 4 backup requirements, keep your data secure, and provide you with the necessary tools to recover your databases if needed.