Ensure that RDS DB instances are protected by a backup plan to prevent data loss.
| Field | Value |
|---|---|
| Rule | RDS DB instance should be protected by backup plan |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | High |
Rule Description:
According to the NIST Cybersecurity Framework (CSF) v1, it is crucial to protect RDS (Relational Database Service) DB instances by implementing a comprehensive backup plan. This rule ensures that appropriate measures are in place to safeguard the data stored in the RDS database, minimizing the impact of potential security incidents, data loss, or system failures.
Troubleshooting Steps:
Necessary Codes:
To verify the current backup plan for an RDS DB instance, use the following AWS CLI command:
aws rds describe-db-instance-automated-backups --db-instance-identifier <DB_INSTANCE_IDENTIFIER> --region <AWS_REGION>
To modify the backup retention period for an RDS DB instance, use the following AWS CLI command:
aws rds modify-db-instance --db-instance-identifier <DB_INSTANCE_IDENTIFIER> --backup-retention-period <RETENTION_PERIOD> --region <AWS_REGION>
Automated backups inherit the storage encryption setting of the DB instance, and encryption cannot be switched on for an existing instance (an unencrypted instance must be re-created from an encrypted snapshot copy). To check whether storage encryption, and therefore backup encryption, is enabled for an RDS DB instance, use the following AWS CLI command:
aws rds describe-db-instances --db-instance-identifier <DB_INSTANCE_IDENTIFIER> --region <AWS_REGION> --query 'DBInstances[0].StorageEncrypted'
Remediation Steps:
Configure Backup Plan: If no backup plan is configured, set up a regular backup schedule for the RDS DB instance. Ensure the backup plan aligns with the organization's recovery time objectives (RTO) and recovery point objectives (RPO).
Adjust Backup Retention Period: Evaluate the appropriate backup retention period based on compliance requirements and business needs. Modify the backup retention period for the RDS DB instance if necessary.
Schedule Regular Backups: Determine the frequency of backups based on the criticality of the data and potential impact of loss or downtime. Schedule automated backups to run at appropriate intervals to minimize data loss and facilitate recovery.
Store Backups in Secure Location: Enable the storage of backups in a separate highly available and secure location, such as Amazon S3, to mitigate risks associated with RDS instance failures or compromise.
Enable Backup Encryption: Secure the backups by enabling encryption. This provides an additional layer of protection for sensitive data stored in the RDS DB instance.
Configure Backup Plan Notifications: Set up notifications to alert designated individuals or teams in case of backup failures or other related issues. Ensure the appropriate personnel are promptly notified to address any backup-related incidents.
Test Data Restoration: Regularly perform test restorations of backups to verify their integrity and confirm the ability to successfully restore data when needed. Schedule these tests to ensure business continuity and to identify any potential issues in the backup and recovery process.
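The checks behind the commands and remediation steps above, as an added example that is not part of the original rule page: it evaluates one DB instance record for automated-backup retention, storage encryption and coverage by an AWS Backup plan. Field names follow the `describe-db-instances` and `backup list-protected-resources` responses; `MIN_RETENTION_DAYS` and the sample records are assumptions.

```python
# Added example (not from the original rule page): evaluate the backup posture of
# an RDS DB instance. Field names match describe-db-instances / AWS Backup
# list-protected-resources output; MIN_RETENTION_DAYS is an assumed requirement.
from typing import Dict, Iterable, List

MIN_RETENTION_DAYS = 7  # assumption: organisational minimum retention (RPO policy)


def evaluate_instance(db: Dict, protected_arns: Iterable[str],
                      min_retention: int = MIN_RETENTION_DAYS) -> List[str]:
    """Return findings for one DBInstance record; an empty list means compliant."""
    findings: List[str] = []
    retention = db.get("BackupRetentionPeriod", 0)
    if retention == 0:
        findings.append("automated backups disabled (BackupRetentionPeriod=0)")
    elif retention < min_retention:
        findings.append(f"retention {retention}d below required {min_retention}d")
    if not db.get("StorageEncrypted", False):
        findings.append("storage not encrypted, so automated backups are unencrypted")
    if db.get("DBInstanceArn") not in set(protected_arns):
        findings.append("not a protected resource in any AWS Backup plan")
    return findings


def live_check(db_instance_identifier: str, region: str) -> List[str]:
    """Fetch the instance and AWS Backup coverage, then evaluate (needs boto3 + credentials)."""
    import boto3  # imported lazily so the evaluation logic above runs offline
    rds = boto3.client("rds", region_name=region)
    backup = boto3.client("backup", region_name=region)
    db = rds.describe_db_instances(DBInstanceIdentifier=db_instance_identifier)["DBInstances"][0]
    protected = [r["ResourceArn"]
                 for page in backup.get_paginator("list_protected_resources").paginate()
                 for r in page.get("Results", [])]
    return evaluate_instance(db, protected)


# Constructed sample records (not real AWS output).
SAMPLE_PROTECTED = ["arn:aws:rds:us-east-1:123456789012:db:orders-prod"]
SAMPLE_GOOD = {"DBInstanceIdentifier": "orders-prod",
               "DBInstanceArn": SAMPLE_PROTECTED[0],
               "BackupRetentionPeriod": 14, "StorageEncrypted": True}
SAMPLE_BAD = {"DBInstanceIdentifier": "scratch-db",
              "DBInstanceArn": "arn:aws:rds:us-east-1:123456789012:db:scratch-db",
              "BackupRetentionPeriod": 0, "StorageEncrypted": False}

if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_BAD):
        result = evaluate_instance(sample, SAMPLE_PROTECTED)
        print(sample["DBInstanceIdentifier"], "OK" if not result else result)
```

Run `live_check("<DB_INSTANCE_IDENTIFIER>", "<AWS_REGION>")` against a real account to produce the same findings for an actual instance.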
By following these remediation steps, organizations can establish a robust backup plan for RDS DB instances, aligning with the NIST CSF v1 recommendations and enhancing the overall security posture of their data management practices.