Ensure that the RDS DB instance backup is enabled to protect data in case of any failures.
Rule | RDS DB instance backup should be enabled |
Framework | NIST Cybersecurity Framework (CSF) v1.1 |
Severity | ✔ Medium |
Rule Description:
Enabling RDS DB instance backups is an essential security measure that aligns with the NIST Cybersecurity Framework (CSF) v1. The NIST CSF provides a framework for organizations to manage and mitigate cybersecurity risks effectively. One of the core principles of the framework is to ensure the availability and integrity of critical data assets.
Enabling RDS DB instance backups helps protect your data in case of accidental deletion, hardware failures, or security breaches. It allows you to restore your database to a previous point in time, reducing the risk of data loss and minimizing downtime.
Troubleshooting Steps (if any):
Troubleshooting steps may vary depending on the specific issue encountered while enabling RDS DB instance backups. However, here are some general troubleshooting steps you can follow:
Verify IAM Permissions: Ensure that the IAM user or role used to enable backups has sufficient permissions to perform the necessary actions. The user or role should have the rds:CreateDBSnapshot and rds:ModifyDBInstance permissions.
Check RDS DB Instance Status: Make sure that the RDS DB instance is in an available state before enabling backups. If the instance is in a stopped or any other non-available state, you need to start it first.
Check Backup Retention Period: Confirm that the backup retention period is set to a value other than zero. If it is set to zero, you need to modify the retention period to an appropriate value using the RDS ModifyDBInstance API or CLI command.
Check Storage Space: Verify that there is enough storage available for the backups. If the storage is running low, you may need to increase the allocated storage capacity for your RDS DB instance.
Necessary Codes (if any):
There are no specific codes required to enable RDS DB instance backups for compliance with the NIST CSF v1. However, you can use the following AWS CLI command to modify the backup retention period:
aws rds modify-db-instance --db-instance-identifier [INSTANCE_IDENTIFIER] --backup-retention-period [RETENTION_PERIOD]
Replace [INSTANCE_IDENTIFIER] with the identifier of your RDS DB instance and [RETENTION_PERIOD] with the desired number of days to retain backups.
Step-by-Step Guide for Remediation:
To enable RDS DB instance backups for compliance with the NIST CSF v1, follow these steps:
Log in to the AWS Management Console.
Open the Amazon RDS service.
Select the region where your RDS DB instance is located.
Navigate to the "DB Instances" tab.
Find the desired RDS DB instance from the list and select it.
Click on the "Modify" button above the table.
Scroll down to the "Backup" section.
Set the "Backup Retention Period" to a value other than zero to enable backups.
Review any other backup-related settings and modify them if necessary.
Click on the "Modify DB Instance" button to apply the changes.
Monitor the modification progress to ensure it completes successfully.
Once the modification is complete, RDS DB instance backups will be enabled for the specified retention period. It is recommended to regularly review and test the backup and restore processes to ensure they are functioning as expected and meet the requirements of the NIST CSF v1.
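To find affected instances before remediating, the retention-period and instance-status checks above can be run over the JSON printed by `aws rds describe-db-instances`. The following is an added example, not part of the original rule text; the function name, the 7-day default and the sample identifiers are assumptions made for illustration, and it assumes that instances belonging to a DB cluster have their retention managed on the cluster rather than through the instance-level command.

```python
import json
import shlex

# Constructed sample in the shape returned by `aws rds describe-db-instances`
# (identifiers are made up for this example).
SAMPLE = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "orders-db", "DBInstanceStatus": "available",
   "BackupRetentionPeriod": 0},
  {"DBInstanceIdentifier": "billing-db", "DBInstanceStatus": "available",
   "BackupRetentionPeriod": 7},
  {"DBInstanceIdentifier": "reports-db", "DBInstanceStatus": "stopped",
   "BackupRetentionPeriod": 0},
  {"DBInstanceIdentifier": "cluster-node-1", "DBInstanceStatus": "available",
   "DBClusterIdentifier": "app-cluster"}
]}
""")


def audit_backups(description, retention_days=7):
    """Return one finding per instance whose automated backups are disabled."""
    if not 1 <= retention_days <= 35:  # RDS accepts 0-35; 0 disables backups
        raise ValueError("retention_days must be between 1 and 35")
    findings = []
    for db in description.get("DBInstances", []):
        # A missing field is treated as 0 so it is reported, not silently passed.
        if db.get("BackupRetentionPeriod", 0) > 0:
            continue
        name, status = db["DBInstanceIdentifier"], db.get("DBInstanceStatus")
        finding = {"instance": name, "status": status, "command": None}
        if db.get("DBClusterIdentifier"):
            # Assumption: cluster members take their retention from the cluster,
            # so the instance-level command from the page is not emitted.
            finding["action"] = "review cluster " + db["DBClusterIdentifier"]
        elif status != "available":
            finding["action"] = "bring instance to 'available' before modifying"
        else:
            finding["action"] = "enable backups"
            finding["command"] = (
                "aws rds modify-db-instance --db-instance-identifier "
                f"{shlex.quote(name)} --backup-retention-period {retention_days}"
            )
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_backups(SAMPLE):
        print(f["instance"], "->", f["action"], f["command"] or "")
```

To audit a real account, save the CLI output to a file and pass the result of `json.load` to `audit_backups` in place of `SAMPLE`.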