Ensure that RDS DB instances are included in a backup plan for data protection.
| Rule | RDS DB instances should be in a backup plan |
| --- | --- |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | ✔ High |
RDS DB Instances Backup Compliance with NIST Cybersecurity Framework v1
Amazon Relational Database Service (RDS) is a managed database service that makes it easier to set up, operate, and scale a relational database in the cloud. Ensuring that RDS DB instances are included in backup plans is a foundational aspect of maintaining data integrity and availability, which aligns with the NIST Cybersecurity Framework (CSF) Version 1.
Understanding the Rule
Backup Requirements
According to NIST CSF v1, organizations must implement data backup strategies as part of the Protect Function, specifically within the Data Security category. The framework advises that data be backed up regularly and that backups be tested to confirm data integrity and successful restoration.
RDS Specifics
For Amazon RDS, backups can be automated or manually executed. Automated backups occur within a defined backup window, while manual snapshots can be done at any desired time.
Troubleshooting Backup Issues
Common issues with RDS backups include:
To troubleshoot these issues, consider the following steps:
Remediation Steps
To ensure compliance with NIST CSF v1 for RDS backups, follow these steps:
Step 1: Enable Automated Backups
Use the AWS Management Console or AWS CLI to enable automated backups:
```bash
aws rds modify-db-instance \
  --db-instance-identifier mydbinstance \
  --backup-retention-period 7 \
  --preferred-backup-window 22:00-23:00 \
  --apply-immediately
```

Fields:

- `mydbinstance`: The name of your RDS instance.
- `backup-retention-period`: The number of days to retain the backup. The value `7` represents 7 days.
- `preferred-backup-window`: The time window (UTC) when backups should occur. This example sets it to 10 PM to 11 PM.

Step 2: Test Restores
It's critical to test restores periodically to ensure that the backup data is usable in the event of a disaster:
```bash
aws rds restore-db-instance-from-db-snapshot \
  --db-instance-identifier mytestdbinstance \
  --db-snapshot-identifier mydbsnapshot
```

Fields:

- `mytestdbinstance`: The name of the new RDS instance for testing the restore process.
- `mydbsnapshot`: The identifier of the DB snapshot to restore from.

Step 3: Monitor Backup Activity
Monitoring is essential to ensure that backups are occurring as expected:
```bash
aws rds describe-events \
  --source-type db-instance \
  --source-identifier mydbinstance \
  --start-time $(date -u +"%Y-%m-%dT%H:%M:%SZ" -d "-1 days") \
  --duration 1440
```

Fields:

- `mydbinstance`: The name of your RDS instance.
- `start-time` and `duration`: Together these specify a 24-hour window for the events you want to review (`duration` is in minutes). The `start-time` value is computed with GNU `date` syntax (`-d "-1 days"`); BSD/macOS `date` uses different options.

Step 4: Implement Backup Retention Policies
Ensure automated snapshot retention policies are compliant with organizational standards and NIST recommendations:
```bash
aws rds modify-db-instance \
  --db-instance-identifier mydbinstance \
  --backup-retention-period 10 \
  --apply-immediately
```

Fields:

- `backup-retention-period`: Set this to the required retention period as per your organization's policies.

Conclusion
By following the steps outlined, you can ensure that your RDS DB instances align with NIST CSF v1 recommendations for data backup. Regularly auditing and updating your backup procedures is essential to maintain a robust cybersecurity posture. With these practices in place, RDS backups will contribute to the overall resilience of your cloud infrastructure against data loss and downtime.
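As an added worked example (not from the original page or from AWS), the following Python script applies the policy behind Step 1 and Step 4 to the JSON that `aws rds describe-db-instances --output json` returns, and emits the `modify-db-instance` call from those steps for any instance that falls outside it. The sample output is constructed inline so the script runs offline; the 7-day minimum, the instance identifiers and the `Finding` class are assumptions of this example. It goes slightly beyond the steps above by also validating the backup window, since a malformed or too-short `PreferredBackupWindow` is a common reason automated backups do not run as expected.

```python
import json
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample standing in for `aws rds describe-db-instances --output json`.
# Not real account data: identifiers are placeholders for this example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {
            "DBInstanceIdentifier": "mydbinstance",
            "BackupRetentionPeriod": 7,
            "PreferredBackupWindow": "22:00-23:00",
        },
        {
            "DBInstanceIdentifier": "legacy-db",
            "BackupRetentionPeriod": 0,            # 0 means automated backups are disabled
            "PreferredBackupWindow": "03:00-03:30",
        },
        {
            "DBInstanceIdentifier": "short-retention-db",
            "BackupRetentionPeriod": 3,
            "PreferredBackupWindow": "23:45-00:15",  # window wraps past midnight
        },
    ]
})

WINDOW_RE = re.compile(r"^(\d{2}):(\d{2})-(\d{2}):(\d{2})$")


def backup_window_minutes(window: str) -> Optional[int]:
    """Length in minutes of an hh24:mi-hh24:mi UTC backup window, or None if malformed.
    Windows that wrap past midnight are handled (23:45-00:15 -> 30)."""
    m = WINDOW_RE.match(window or "")
    if not m:
        return None
    h1, m1, h2, m2 = (int(x) for x in m.groups())
    if h1 > 23 or h2 > 23 or m1 > 59 or m2 > 59:
        return None
    start, end = h1 * 60 + m1, h2 * 60 + m2
    length = (end - start) % (24 * 60)
    return length if length else None   # identical start and end is not a usable window


@dataclass
class Finding:
    instance: str
    reasons: List[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.reasons


def evaluate_backup_compliance(describe_json: str, min_retention_days: int = 7) -> List[Finding]:
    """Check every instance in describe-db-instances output against the policy:
    automated backups enabled, retention >= min_retention_days (assumed 7 here),
    and a well-formed backup window of at least 30 minutes (the RDS minimum)."""
    findings = []
    for inst in json.loads(describe_json)["DBInstances"]:
        f = Finding(inst["DBInstanceIdentifier"])
        retention = inst.get("BackupRetentionPeriod", 0)
        if retention == 0:
            f.reasons.append("automated backups disabled (retention period is 0)")
        elif retention < min_retention_days:
            f.reasons.append(f"retention {retention}d below policy minimum {min_retention_days}d")
        minutes = backup_window_minutes(inst.get("PreferredBackupWindow", ""))
        if minutes is None:
            f.reasons.append("malformed backup window")
        elif minutes < 30:
            f.reasons.append(f"backup window of {minutes} minutes is below the RDS minimum of 30")
        findings.append(f)
    return findings


def remediation_command(finding: Finding, min_retention_days: int = 7) -> List[str]:
    """Argument list for the Step 1 / Step 4 CLI call that brings an instance back
    into policy. Returned for review, not executed."""
    return ["aws", "rds", "modify-db-instance",
            "--db-instance-identifier", finding.instance,
            "--backup-retention-period", str(min_retention_days),
            "--apply-immediately"]


if __name__ == "__main__":
    for f in evaluate_backup_compliance(SAMPLE_DESCRIBE_OUTPUT):
        status = "PASS" if f.compliant else "FAIL"
        print(f"{status} {f.instance}: {'; '.join(f.reasons) or 'in policy'}")
        if not f.compliant:
            print("  remediate with:", " ".join(remediation_command(f)))
```

Against real output, pipe `aws rds describe-db-instances --output json` into `evaluate_backup_compliance` in place of the constructed sample; the remediation list is deliberately returned rather than run so that a change to a production instance's backup settings stays a reviewed, deliberate action.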