Rule: RDS DB Instance Backup Should Be Enabled

This rule ensures that the RDS DB instance backup is enabled for data protection and disaster recovery.

Rule: RDS DB instance backup should be enabled
Framework: Federal Financial Institutions Examination Council (FFIEC)
Severity: Medium

AWS RDS Backup Compliance per FFIEC Guidelines

The Federal Financial Institutions Examination Council (FFIEC) sets standards for financial institutions that include maintaining secure and reliable backup systems. For databases on AWS RDS, adhering to these guidelines means ensuring that you have automated backups enabled and that these backups are retained for a period appropriate to meet FFIEC requirements.

Automatic Backup Configuration on AWS RDS

Detailed Description:

Amazon RDS automated backups enable point-in-time recovery for your DB instance. Enabling this feature is crucial for compliance and can help protect your databases from accidental deletion or database corruption.

Remediation Steps:

Step 1: Check Backup Configuration

To ensure your RDS instances are compliant, first check the backup settings.

AWS Management Console:

  1. Navigate to the Amazon RDS Dashboard.
  2. Select “Instances” to list your RDS instances.
  3. Click on the DB instance to check its details.
  4. In the “Details” section, verify that the “Backup” settings are enabled and configured according to the FFIEC guidelines.

AWS CLI:

Run the following command to describe DB instance attributes, including backup settings:

aws rds describe-db-instances --db-instance-identifier <instance-name>

Step 2: Enable and Configure Backups

If backups are not enabled or configured correctly, adjust the settings as follows.

AWS Management Console:

  1. Select the DB instance and click on the “Modify” button.
  2. Go down to the “Backup” section.
  3. Set “Backup retention period” to the required number of days (FFIEC generally requires a minimum of 3 days).
  4. Enable “Automatic backups” if not already enabled.
  5. Click on “Continue” and then “Modify DB Instance” to apply changes.

AWS CLI:

Use the modify-db-instance command:

aws rds modify-db-instance \
    --db-instance-identifier <instance-name> \
    --backup-retention-period <number-of-days> \
    --apply-immediately

Replace <instance-name> with the name of your RDS instance and <number-of-days> with the required retention period.
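To run the Step 1 check across every instance at once and list the ones that need the Step 2 change, the JSON printed by `aws rds describe-db-instances` can be evaluated offline. The following is an added example, not CloudDefense or AWS code; the instance names and sample output are constructed, and skipping read replicas by default is an assumption of this example.

```python
import json

MIN_RETENTION_DAYS = 3  # the minimum this page gives for FFIEC

# Constructed sample shaped like `aws rds describe-db-instances` output,
# trimmed to the fields the check reads. Instance names are made up.
SAMPLE_OUTPUT = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "ledger-prod", "BackupRetentionPeriod": 7,
     "PreferredBackupWindow": "03:00-03:30"},
    {"DBInstanceIdentifier": "ledger-dev", "BackupRetentionPeriod": 0,
     "PreferredBackupWindow": "04:00-04:30"},
    {"DBInstanceIdentifier": "reports", "BackupRetentionPeriod": 1,
     "PreferredBackupWindow": "05:00-05:30"},
    {"DBInstanceIdentifier": "ledger-replica", "BackupRetentionPeriod": 0,
     "ReadReplicaSourceDBInstanceIdentifier": "ledger-prod"},
]})


def audit_backups(describe_json, min_days=MIN_RETENTION_DAYS, check_replicas=False):
    """Return (instance_id, status, detail) for every instance in the output."""
    results = []
    for db in json.loads(describe_json).get("DBInstances", []):
        name = db["DBInstanceIdentifier"]
        days = db.get("BackupRetentionPeriod", 0)
        is_replica = bool(db.get("ReadReplicaSourceDBInstanceIdentifier"))
        if is_replica and not check_replicas:
            # Assumption: replicas are reported separately, not failed.
            results.append((name, "SKIPPED", "read replica"))
        elif days == 0:
            # A retention period of 0 means automated backups are disabled.
            results.append((name, "FAIL", "automated backups disabled"))
        elif days < min_days:
            results.append((name, "FAIL", f"retention {days}d < {min_days}d"))
        else:
            results.append((name, "PASS", f"retention {days}d"))
    return results


def failing_instances(describe_json, **kwargs):
    """Identifiers that need the modify-db-instance remediation."""
    return [n for n, status, _ in audit_backups(describe_json, **kwargs)
            if status == "FAIL"]


if __name__ == "__main__":
    for row in audit_backups(SAMPLE_OUTPUT):
        print("%-15s %-8s %s" % row)
```

Feed it real data by passing the output of `aws rds describe-db-instances --output json` as the first argument in place of SAMPLE_OUTPUT.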

Troubleshooting:

If backups are failing:

  1. Check for insufficient storage space – backups require free space equivalent to the size of your database.
  2. Verify that the preferred backup window does not conflict with other maintenance windows.
  3. Check AWS CloudTrail for any error messages related to backup failures.

Compliance Monitoring

AWS Config Rules for Automated Backup Checks

Create an AWS Config rule to automatically check the backup configuration compliance of your RDS instances.

AWS CLI:

# DB_INSTANCE_BACKUP_ENABLED is the AWS managed rule for RDS automated backups.
# It is triggered by configuration changes, so no execution frequency is set.
aws configservice put-config-rule \
    --config-rule '{
        "ConfigRuleName": "rds-backup-enabled",
        "Description": "Checks whether RDS DB instances have backups enabled",
        "Source": {
            "Owner": "AWS",
            "SourceIdentifier": "DB_INSTANCE_BACKUP_ENABLED"
        },
        "InputParameters": "{\"backupRetentionMinimum\":\"3\"}",
        "Scope": {
            "ComplianceResourceTypes": ["AWS::RDS::DBInstance"]
        }
    }'

This AWS Config rule will check if your RDS instances have a backup retention period of at least 3 days.

Summary

To remain compliant with FFIEC guidelines, ensure that your AWS RDS instances are configured with automatic backups enabled and with an appropriate backup retention period. Use AWS Config rules to continuously monitor compliance and promptly address any deviations. Following these steps will not only help you maintain compliance but also ensure database resilience against data loss scenarios.
