This rule ensures that RDS DB instance backup is enabled to maintain data integrity and disaster recovery.
Rule | RDS DB instance backup should be enabled |
Framework | NIST Cybersecurity Framework (CSF) v1.1 |
Severity | ✔ Medium |
RDS DB Instance Backup Enabled for NIST Cybersecurity Framework (CSF) v1
Rule Description
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) provides guidelines for organizations to manage and reduce cybersecurity risk. One aspect of these guidelines emphasizes the importance of maintaining secure, resilient systems, including the regular backup of data.
For Amazon Relational Database Service (RDS), enabling backups is a critical component of adhering to NIST CSF, specifically under the "Recover" function which focuses on developing and implementing appropriate activities to restore any capabilities or services that were impaired due to a cybersecurity incident.
Enabling backup on an RDS DB instance ensures that you can restore data from a specific point in time, reduce data loss, and quickly recover from potential breaches or failures, aligning with the NIST CSF's goals.
Troubleshooting Common Issues
Necessary AWS CLI Commands
To manage RDS backups, the AWS Command Line Interface (CLI) can be used. Here are some essential commands:
Enabling Automatic Backups
aws rds modify-db-instance \
  --db-instance-identifier <db-instance-identifier> \
  --backup-retention-period <number-of-days> \
  --apply-immediately
Replace <db-instance-identifier> with the RDS instance identifier and <number-of-days> with the desired retention period.
Describing Backup Attributes
aws rds describe-db-instances \
  --db-instance-identifier <db-instance-identifier>
Use this command to check the backup configuration settings.
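The setting to read in that output is BackupRetentionPeriod: a value of 0 means automated backups are disabled. The following is an added example, not part of the original rule text, that audits the JSON returned by describe-db-instances and builds the modify-db-instance command shown above for each failing instance. The sample JSON and instance names are constructed, and the 7-day minimum is an assumed policy value.

```python
import json
import shlex

MIN_RETENTION_DAYS = 7  # assumed policy minimum, not a value from the page

# Constructed sample shaped like `aws rds describe-db-instances` JSON output.
SAMPLE_OUTPUT = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "orders-prod", "BackupRetentionPeriod": 7},
    {"DBInstanceIdentifier": "legacy-reports", "BackupRetentionPeriod": 0},
    {"DBInstanceIdentifier": "orders-replica", "BackupRetentionPeriod": 0,
     "ReadReplicaSourceDBInstanceIdentifier": "orders-prod"},
    {"DBInstanceIdentifier": "staging-db", "BackupRetentionPeriod": 1},
]})


def audit_backups(describe_output, min_days=MIN_RETENTION_DAYS):
    """Return (instance id, status, reason) for each instance needing attention."""
    findings = []
    for inst in json.loads(describe_output).get("DBInstances", []):
        name = inst["DBInstanceIdentifier"]
        days = int(inst.get("BackupRetentionPeriod") or 0)
        if days == 0:
            # A retention period of 0 means automated backups are disabled.
            reason = "automated backups disabled (retention period 0)"
            source = inst.get("ReadReplicaSourceDBInstanceIdentifier")
            if source:
                reason += f"; read replica of {source}"
            findings.append((name, "FAIL", reason))
        elif days < min_days:
            findings.append(
                (name, "WARN", f"retention {days}d is below the {min_days}d minimum"))
    return findings


def remediation_command(instance_id, days=MIN_RETENTION_DAYS):
    """Build the page's modify-db-instance command for one instance."""
    if not 1 <= days <= 35:  # RDS accepts 0-35; 0 would disable backups
        raise ValueError("retention period must be between 1 and 35 days")
    return ("aws rds modify-db-instance"
            f" --db-instance-identifier {shlex.quote(instance_id)}"
            f" --backup-retention-period {days} --apply-immediately")


if __name__ == "__main__":
    for name, status, reason in audit_backups(SAMPLE_OUTPUT):
        print(f"{status} {name}: {reason}")
        if status == "FAIL":
            print("  fix:", remediation_command(name))
```

Changing the retention period from 0 to a nonzero value can result in an outage on the instance, so decide when a generated command that includes --apply-immediately is run.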
Troubleshooting Backup Issues
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=Backup
This command helps in identifying backup-related events and potential issues.
Step by Step Guide for Remediation
Identify RDS Instances Without Backups: Use AWS Config or the AWS Management Console to find instances without backups enabled.
Enable Backups: Use the AWS CLI modify-db-instance command to enable backups for the RDS instance.
Verify Backup Configurations: Use the describe-db-instances command to ensure that the backups are enabled and configured correctly.
Monitor Backup Status: Regularly check the RDS instance's event logs and AWS CloudTrail for any backup-related issues or failures.
Test Recovery Procedures: Periodically test the recovery of your databases from backups to ensure that your backup strategy is effective.
Compliance Documentation: Document your backup policies, procedures, and proof of compliance with NIST CSF for audits or internal governance.
By closely adhering to the NIST Cybersecurity Framework and regularly ensuring that backups are enabled and functioning correctly, organizations can maintain a strong cybersecurity posture that is resilient to data loss and system failures.