This rule ensures that RDS DB instance backup is enabled to maintain data integrity and security.
Rule | RDS DB instance backup should be enabled |
Framework | NIST Cybersecurity Framework (CSF) v1.1 |
Severity | ✔ Medium |
Rule Description
The rule states that for compliance with the NIST Cybersecurity Framework (CSF) v1, the backup feature should be enabled for all RDS (Relational Database Service) DB instances.
Policy Details
Enabling backups for RDS DB instances ensures the availability and recoverability of critical data in case of any hardware failures, system errors, or accidental data loss. By adhering to the NIST Cybersecurity Framework (CSF) v1, organizations can ensure the protection, detection, and recovery of their data assets by implementing proper backup strategies.
Troubleshooting Steps
If backups are not already enabled for the RDS DB instances, the following troubleshooting steps can be followed:
Verify Backup Configuration: Check whether automated backups are already enabled for the RDS DB instances. Use the RDS console or the AWS CLI command describe-db-instances to retrieve the backup configuration details.
Modify DB Instance: If backups are not enabled, modify the DB instance to enable automated backups. In the RDS console, select the appropriate DB instance, click on "Modify," and navigate to the "Backup" section. Enable the automated backup feature and set the desired retention period as per the organization's backup policy.
Confirm Backup Settings: Once the modifications are made, review the backup settings on the RDS console. Check if the backup retention period and backup window are set according to the desired requirements. Make further adjustments if necessary.
Validate Backup Completion: After enabling the backup feature, verify that regular backups are being created for the RDS DB instance. Check the RDS console or use the AWS CLI command describe-db-instance-automated-backups to ensure backups are being successfully completed.
Code Example
If using the AWS CLI, the following command can be executed to enable backups for an RDS DB instance:
aws rds modify-db-instance --db-instance-identifier <DB_INSTANCE_IDENTIFIER> --backup-retention-period <RETENTION_PERIOD> --apply-immediately
Replace <DB_INSTANCE_IDENTIFIER> with the specific identifier of the RDS DB instance and <RETENTION_PERIOD> with the desired number of days to retain automated backups.
Ensure that you have the necessary permissions and AWS CLI configured correctly before executing the command.
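The verification step can be automated over the JSON that describe-db-instances returns. The following Python is an added example, not part of the original rule text: it flags instances whose BackupRetentionPeriod is 0 (automated backups disabled) or below a policy minimum, and builds the modify-db-instance command shown above for each. The 7-day minimum, the function names and the sample data are assumptions made for illustration.

```python
import json
import shlex

# Constructed sample shaped like `aws rds describe-db-instances` output;
# the identifiers and values are made up for this example.
SAMPLE_OUTPUT = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "orders-prod", "BackupRetentionPeriod": 7},
  {"DBInstanceIdentifier": "reports-dev", "BackupRetentionPeriod": 0},
  {"DBInstanceIdentifier": "billing-prod", "BackupRetentionPeriod": 1},
  {"DBInstanceIdentifier": "orders-replica", "BackupRetentionPeriod": 0,
   "ReadReplicaSourceDBInstanceIdentifier": "orders-prod"}
]}
""")


def remediation_command(instance_id, retention_days):
    """Build the modify-db-instance command from this page for one instance."""
    return ("aws rds modify-db-instance "
            f"--db-instance-identifier {shlex.quote(instance_id)} "
            f"--backup-retention-period {int(retention_days)} --apply-immediately")


def audit_backups(describe_output, min_retention_days=7):
    """Return one finding per instance that fails the backup rule."""
    findings = []
    for inst in describe_output.get("DBInstances", []):
        name = inst["DBInstanceIdentifier"]
        # A missing field is treated as 0 so the check fails closed.
        days = inst.get("BackupRetentionPeriod", 0)
        if days == 0:
            status = "disabled"        # automated backups are off
        elif days < min_retention_days:
            status = "below_policy"    # enabled, but shorter than policy (assumed 7 days)
        else:
            continue
        findings.append({
            "instance": name,
            "status": status,
            "retention_days": days,
            "is_read_replica": bool(inst.get("ReadReplicaSourceDBInstanceIdentifier")),
            "fix": remediation_command(name, min_retention_days),
        })
    return findings


if __name__ == "__main__":
    for f in audit_backups(SAMPLE_OUTPUT):
        print(f"{f['instance']}: {f['status']} ({f['retention_days']}d) -> {f['fix']}")
```

To run it against a real account, replace SAMPLE_OUTPUT with the parsed output of aws rds describe-db-instances --output json. Read replicas are marked separately so they can be reviewed against the source instance's backup policy.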
Remediation Steps
To remediate the issue and enable backups for an RDS DB instance, follow this step-by-step guide:
Log in to the AWS Management Console.
Open the Amazon RDS service.
Select the appropriate region where the RDS DB instance is located.
Click on the "Databases" tab.
Locate the RDS DB instance that needs backup enablement.
Select the DB instance by clicking on its identifier.
Within the details page, click on the "Modify" button.
Scroll down to the "Backup" section.
Enable the "Automated backups" option if not already enabled.
Specify the desired backup retention period, considering the organization's backup policy and compliance requirements.
Review the other backup settings like backup window and maintenance window. Make changes if necessary.
Click on the "Apply immediately" checkbox.
Review the summary of modifications.
Click on the "Modify DB Instance" button to save and apply the changes.
The RDS DB instance will now have automated backups enabled as per the NIST Cybersecurity Framework (CSF) v1 requirement.