Cloud Defense Logo

Products

Solutions

Company

Book A Live Demo

Rule: RDS DB Instance Protected by Backup Plan

Ensure that RDS DB instances are protected by a backup plan to prevent data loss.

RuleRDS DB instance should be protected by backup plan
FrameworkNIST Cybersecurity Framework (CSF) v1.1
Severity
High

Rule Description:

According to the NIST Cybersecurity Framework (CSF) v1, it is crucial to protect RDS (Relational Database Service) DB instances by implementing a comprehensive backup plan. This rule ensures that appropriate measures are in place to safeguard the data stored in the RDS database, minimizing the impact of potential security incidents, data loss, or system failures.

Troubleshooting Steps:

  1. 1.
    Verify Backup Configuration: Validate that a backup plan is configured for the RDS DB instance.
  2. 2.
    Check Backup Retention Period: Ensure that the backup retention period is appropriately set according to the organization's data recovery requirements.
  3. 3.
    Review Backup Frequency: Confirm that backups are performed at regular intervals to minimize data loss in the event of an incident.
  4. 4.
    Validate Backup Storage Location: Ensure that the backups are stored in a secure location, separate from the RDS instance, to prevent data loss in case of system failure or compromise.
  5. 5.
    Verify Backup Encryption: Check if backups are appropriately encrypted to protect sensitive information from unauthorized access.
  6. 6.
    Confirm Backup Plan Notifications: Ensure that notifications are configured to alert the appropriate personnel in case of backup failures or other related issues.
  7. 7.
    Test Data Restoration: Periodically perform a test restoration of backups to validate their integrity and ensure the ability to recover data as needed.

Necessary Codes:

  1. 1.

    To verify the current backup plan for an RDS DB instance, use the following AWS CLI command:

    aws rds describe-db-instance-automated-backups --db-instance-identifier <DB_INSTANCE_IDENTIFIER> --region <AWS_REGION>
    
  2. 2.

    To modify the backup retention period for an RDS DB instance, use the following AWS CLI command:

    aws rds modify-db-instance --db-instance-identifier <DB_INSTANCE_IDENTIFIER> --backup-retention-period <RETENTION_PERIOD> --region <AWS_REGION>
    
  3. 3.

    To enable encryption for automated backups of an RDS DB instance, use the following AWS CLI command:

    aws rds modify-db-instance --db-instance-identifier <DB_INSTANCE_IDENTIFIER> --enable-db-instance-automatic-backup --region <AWS_REGION>
    

Remediation Steps:

  1. 1.

    Configure Backup Plan: If no backup plan is configured, set up a regular backup schedule for the RDS DB instance. Ensure the backup plan aligns with the organization's recovery time objectives (RTO) and recovery point objectives (RPO).

  2. 2.

    Adjust Backup Retention Period: Evaluate the appropriate backup retention period based on compliance requirements and business needs. Modify the backup retention period for the RDS DB instance if necessary.

  3. 3.

    Schedule Regular Backups: Determine the frequency of backups based on the criticality of the data and potential impact of loss or downtime. Schedule automated backups to run at appropriate intervals to minimize data loss and facilitate recovery.

  4. 4.

    Store Backups in Secure Location: Enable the storage of backups in a separate highly available and secure location, such as Amazon S3, to mitigate risks associated with RDS instance failures or compromise.

  5. 5.

    Enable Backup Encryption: Secure the backups by enabling encryption. This provides an additional layer of protection for sensitive data stored in the RDS DB instance.

  6. 6.

    Configure Backup Plan Notifications: Set up notifications to alert designated individuals or teams in case of backup failures or other related issues. Ensure the appropriate personnel are promptly notified to address any backup-related incidents.

  7. 7.

    Test Data Restoration: Regularly perform test restorations of backups to verify their integrity and confirm the ability to successfully restore data when needed. Schedule these tests to ensure business continuity and to identify any potential issues in the backup and recovery process.

By following these remediation steps, organizations can establish a robust backup plan for RDS DB instances, aligning with the NIST CSF v1 recommendations and enhancing the overall security posture of their data management practices.

Is your System Free of Underlying Vulnerabilities?
Find Out Now