Rule: RDS DB Instance Should Be Protected by Backup Plan

This rule ensures that RDS DB instances have a backup plan in place.

Rule: RDS DB instance should be protected by backup plan
Framework: FedRAMP Moderate Revision 4
Severity: High

RDS DB Instance Backup Plan for FedRAMP Moderate Revision 4

Overview

Federal Risk and Authorization Management Program (FedRAMP) Moderate Revision 4 requires that all data systems, including Amazon RDS instances, have robust backup strategies to protect against data loss. This ensures business continuity, data durability, and compliance with federal security standards. Implementing a backup plan for your RDS DB instance involves configuring automated backups, setting retention periods, and ensuring that the backups are encrypted.

Backup Configuration

Enabling Automated Backups

Enabling automated backups for your RDS DB instance is critical for compliance with FedRAMP Moderate standards. Automated backups create recovery points that you can use to restore your database in the event of a data loss incident.

Steps to Enable Automated Backups:

  1. Sign in to the AWS Management Console and open the Amazon RDS console.
  2. Choose the RDS instance you want to configure backups for.
  3. Under the 'Instance Actions' menu, click 'Modify'.
  4. In the 'Backup' section, set 'Backup Retention Period' to a value between 1 and 35 days. According to FedRAMP, the chosen period must align with organizational backup policies while considering the Moderate impact level.
  5. Ensure 'Enable Automated Backups' is turned on.
  6. Scroll down and click 'Continue' and then 'Modify DB Instance' on the next page.

# AWS CLI command to modify RDS instance backup configuration
aws rds modify-db-instance \
    --db-instance-identifier mydbinstance \
    --backup-retention-period 30 \
    --preferred-backup-window 00:00-03:00 \
    --apply-immediately

In the CLI command above, replace 'mydbinstance' with your DB instance identifier, '30' with your preferred retention period, and '00:00-03:00' with your preferred backup window.

Backup Encryption

To comply with FedRAMP Moderate requirements, the backups must be encrypted. Amazon RDS supports encryption-at-rest by using AWS Key Management Service (AWS KMS) to manage the encryption keys.

Steps to Enable Backup Encryption:

  1. Follow the steps to navigate to the 'Modify' page of your DB instance as above.
  2. In the 'Backup' section, locate the 'Backup Encryption' setting.
  3. Select 'Enable Encryption' and choose the encryption key to use (you may use the default aws/rds key or create a new one).
  4. Click 'Continue' and follow through to modify the instance.

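# AWS CLI commands to encrypt an existing RDS instance and its backups.
# modify-db-instance has no --storage-encrypted or --kms-key-id option: snapshot the
# instance, copy the snapshot with a KMS key, restore (snapshot and new instance names are placeholders).
aws rds create-db-snapshot --db-instance-identifier mydbinstance \
    --db-snapshot-identifier mydbinstance-snap
aws rds wait db-snapshot-available --db-snapshot-identifier mydbinstance-snap
aws rds copy-db-snapshot --source-db-snapshot-identifier mydbinstance-snap \
    --target-db-snapshot-identifier mydbinstance-snap-encrypted --kms-key-id mykmskey
aws rds wait db-snapshot-available --db-snapshot-identifier mydbinstance-snap-encrypted
aws rds restore-db-instance-from-db-snapshot \
    --db-instance-identifier mydbinstance-encrypted \
    --db-snapshot-identifier mydbinstance-snap-encrypted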

Substitute 'mydbinstance' with your instance ID and 'mykmskey' with your KMS key ID.

Validation and Monitoring

Ensuring Backup Compliance

  1. Use the AWS Management Console or CLI to confirm your backup settings.
  2. Utilize AWS CloudTrail to audit any changes to the backup configurations.
  3. Implement AWS Config rules to continuously monitor and record the compliance status of your RDS DB instances.
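
The CLI confirmation in step 1 can be scripted. The following is an added example, not part of the original page or of any CloudDefense tooling: it reads the JSON printed by 'aws rds describe-db-instances' and reports the three conditions this page covers (retention set, storage encrypted, backup window not clashing with the maintenance window). The sample JSON is constructed, and the function names and the min_retention_days parameter are assumptions.

```python
import json
DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
DAY, WEEK = 24 * 60, 7 * 24 * 60  # minutes

def _minutes(hhmm):
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)

def windows_overlap(backup, maintenance):
    """True if daily window hh:mm-hh:mm intersects weekly ddd:hh:mm-ddd:hh:mm (UTC)."""
    b_start, b_end = (_minutes(p) for p in backup.split("-"))
    b_len = (b_end - b_start) % DAY            # handles windows crossing midnight
    m_from, m_to = maintenance.lower().split("-")
    m_start = DAYS.index(m_from[:3]) * DAY + _minutes(m_from[4:])
    m_end = DAYS.index(m_to[:3]) * DAY + _minutes(m_to[4:])
    m_len = (m_end - m_start) % WEEK           # handles windows crossing the week end
    for day in range(7):
        start = day * DAY + b_start
        # Intervals on a circle overlap when either start falls inside the other.
        if (start - m_start) % WEEK < m_len or (m_start - start) % WEEK < b_len:
            return True
    return False

def evaluate(describe_output, min_retention_days=1):
    """Map each instance id to its findings; min_retention_days is a hypothetical policy knob."""
    findings = {}
    for db in json.loads(describe_output)["DBInstances"]:
        issues = []
        if db.get("BackupRetentionPeriod", 0) < min_retention_days:
            issues.append("retention below policy (0 means automated backups are off)")
        if not db.get("StorageEncrypted", False):
            issues.append("storage not encrypted, so backups are not encrypted")
        if windows_overlap(db["PreferredBackupWindow"], db["PreferredMaintenanceWindow"]):
            issues.append("backup window overlaps maintenance window")
        findings[db["DBInstanceIdentifier"]] = issues
    return findings

# Constructed sample shaped like `aws rds describe-db-instances` output (not real data).
SAMPLE = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "orders-db", "BackupRetentionPeriod": 30,
     "StorageEncrypted": True, "PreferredBackupWindow": "00:00-03:00",
     "PreferredMaintenanceWindow": "sun:05:00-sun:06:00"},
    {"DBInstanceIdentifier": "legacy-db", "BackupRetentionPeriod": 0,
     "StorageEncrypted": False, "PreferredBackupWindow": "23:30-00:30",
     "PreferredMaintenanceWindow": "tue:00:00-tue:01:00"},
]})
if __name__ == "__main__":
    for name, issues in evaluate(SAMPLE).items():
        print(name, "COMPLIANT" if not issues else issues)
```

To run it against a live account, pass the output of 'aws rds describe-db-instances --output json' to evaluate() in place of SAMPLE.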

Troubleshooting

Common Issues

  1. Automated Backups Not Occurring: Ensure that the backup window is correctly defined and does not clash with the maintenance window.
  2. Backups Failing: Check for insufficient storage space and increase it if needed.
  3. Encryption Errors: Ensure the KMS key is available and is not disabled or scheduled for deletion.

Remediation

  • Review instance logs for backup-related errors.
  • Validate that the instance has proper IAM permissions for KMS operations.
  • Adjust backup retention and window settings if they are conflicting with other operations.

Conclusion

By following the steps outlined above, your RDS DB instance will be protected by an appropriate backup plan compliant with FedRAMP Moderate Revision 4. Constant monitoring and validation are recommended to maintain compliance and data protection.
