Rule: RDS DB Instances Should Be in a Backup Plan
Ensure that RDS DB instances are included in a backup plan for data protection.
| Rule | RDS DB instances should be in a backup plan |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | ✔ High |
RDS DB Instances Backup Compliance with NIST Cybersecurity Framework v1
Amazon Relational Database Service (RDS) is a managed database service that makes it easier to set up, operate, and scale a relational database in the cloud. Ensuring that RDS DB instances are included in backup plans is a foundational aspect of maintaining data integrity and availability, which aligns with the NIST Cybersecurity Framework (CSF) Version 1.
Understanding the Rule
Backup Requirements
According to NIST CSF v1, organizations must implement data backup strategies as part of the Protect Function, specifically within the Data Security category. The framework advises that data be backed up regularly and that backups be tested to confirm data integrity and successful restoration.
RDS Specifics
For Amazon RDS, backups can be automated or manually executed. Automated backups occur within a defined backup window, while manual snapshots can be done at any desired time.
Troubleshooting Backup Issues
Common issues with RDS backups include:
- Backup jobs not triggering as scheduled
- Failed backup jobs
- Incomplete backups
To troubleshoot these issues, consider the following steps:
- 1.Confirm that the RDS instance is properly configured for backups.
- 2.Ensure that the backup window does not conflict with heavy load periods.
- 3.Check RDS events and logs for any error messages related to backup operations.
- 4.Verify available storage space as lack of space can cause backup failures.
- 5.If using manual snapshots, confirm that they are being initiated correctly.
Remediation Steps
To ensure compliance with NIST CSF v1 for RDS backups, follow these steps:
Step 1: Enable Automated Backups
Use the AWS Management Console or AWS CLI to enable automated backups:
aws rds modify-db-instance \ --db-instance-identifier mydbinstance \ --backup-retention-period 7 \ --preferred-backup-window 22:00-23:00 \ --apply-immediately
Fields:
: The name of your RDS instance.mydbinstance
: The number of days to retain the backup. The value '7' represents 7 days.backup-retention-period
: The time window when backups should occur. This example sets it to 10 PM to 11 PM.preferred-backup-window
Step 2: Test Restores
It's critical to test restores periodically to ensure that the backup data is usable in the event of a disaster:
aws rds restore-db-instance-from-db-snapshot \ --db-instance-identifier mytestdbinstance \ --db-snapshot-identifier mydbsnapshot
Fields:
: The name of the new RDS instance for testing the restore process.mytestdbinstance
: The identifier for the DB snapshot to restore from.mydbsnapshot
Step 3: Monitor Backup Activity
Monitoring is essential to ensure that backups are occurring as expected:
aws rds describe-events \ --source-type db-instance \ --source-identifier mydbinstance \ --start-time $(date -u +"%Y-%m-%dT%H:%M:%SZ" -d "-1 days") \ --duration 1440
Fields:
: The name of your RDS instance.mydbinstance- The
andstart-time
parameters specify a 24-hour window for the events you want to review.duration
Step 4: Implement Backup Retention Policies
Ensure automated snapshot retention policies are compliant with organizational standards and NIST recommendations:
aws rds modify-db-instance \ --db-instance-identifier mydbinstance \ --backup-retention-period 10 \ --apply-immediately
Fields:
: Set this to the required retention period as per the organization's policies.backup-retention-period
Conclusion
By following the steps outlined, you can ensure that your RDS DB instances align with NIST CSF v1 recommendations for data backup. Regularly auditing and updating your backup procedures is essential to maintain a robust cybersecurity posture. With these practices in place, RDS backups will contribute to the overall resilience of your cloud infrastructure against data loss and downtime.