Rule: RDS DB Instance Should Be Protected by Backup Plan

This rule ensures that RDS DB instances are safeguarded by a backup plan to prevent data loss.

Rule: RDS DB instance should be protected by backup plan
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: High

RDS DB Instance Backup Compliance with NIST Cybersecurity Framework

Amazon Relational Database Service (RDS) is a managed database service that simplifies setting up, operating, and scaling a relational database in the cloud. Adhering to the guidelines of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is imperative for maintaining the integrity and availability of database information. A robust backup strategy is a significant part of this framework.

NIST Cybersecurity Framework Overview

The NIST CSF provides a policy framework of computer security guidance for organizations to assess and improve their ability to prevent, detect, and respond to cyber-attacks. It includes categories such as Identify, Protect, Detect, Respond, and Recover. Under the Protect function, maintaining robust backup plans is crucial for Recovery Planning (PR.IP-4).

Rule Details: RDS Backup

As per the rule derived from NIST CSF, your RDS instances should have:

  • Automated snapshots turned on
  • Retention period configured for at least the minimum recommended time
  • Regularly tested backup and restoration procedures to ensure data integrity and availability

Troubleshooting Steps for Backup Compliance

  1. Verify Snapshot Settings: Ensure that your RDS instances have automated snapshots set up.

    • Go to the AWS RDS console.
    • Select the DB instance.
    • Under "Instance Actions", select "See automatic snapshot settings".

  2. Check Retention Policies: Confirm that the snapshot retention period meets or exceeds the desired compliance period.

    • Within the RDS dashboard, look for "Backup Retention Period".
    • If not compliant, modify this to comply with NIST CSF guidelines.

  3. Test Backup Restoration: Regularly test backups to ensure that they can be restored in compliance with your recovery objectives.

    • Create a new DB instance from a snapshot by selecting "Restore to Point in Time" within the RDS console.

  4. Encryption: Verify that snapshots are encrypted to ensure data is protected at rest.

    • Check the "Encryption" status for snapshots in the RDS console.

Code for Automated Compliance Checks

AWS CLI commands and AWS SDKs can be used to automate the compliance check process.

# Check if automated backups are enabled for RDS instances
aws rds describe-db-instances --query 'DBInstances[*].[DBInstanceIdentifier,BackupRetentionPeriod,StorageEncrypted]'

# Modify the retention period of an RDS DB instance
aws rds modify-db-instance --db-instance-identifier <YourDBInstanceIdentifier> --backup-retention-period <DesiredRetentionPeriod> --apply-immediately

Make sure to replace <YourDBInstanceIdentifier> with your actual RDS DB instance identifier and <DesiredRetentionPeriod> with the number of days you want to retain backups.
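
The check performed by the first CLI command above, written as an evaluator that can run in a scheduled job. This is an added example, not code from the original page; the 7-day threshold, the function names and the sample instances are assumptions, while the field names are those returned by describe-db-instances.

```python
import json
import sys

# Assumed policy threshold (not from the page): set to your organisation's minimum.
MIN_RETENTION_DAYS = 7

# Constructed sample in the shape returned by
# `aws rds describe-db-instances --output json` (identifiers are made up).
SAMPLE = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "orders-prod", "BackupRetentionPeriod": 14, "StorageEncrypted": True},
    {"DBInstanceIdentifier": "reports-dev", "BackupRetentionPeriod": 0, "StorageEncrypted": True},
    {"DBInstanceIdentifier": "legacy-crm", "BackupRetentionPeriod": 3, "StorageEncrypted": False},
    {"DBInstanceIdentifier": "partial-record"},
]})


def evaluate(instance, min_days=MIN_RETENTION_DAYS):
    """Return a list of findings for one DBInstances entry (empty = compliant)."""
    findings = []
    retention = instance.get("BackupRetentionPeriod")
    if retention is None:
        findings.append("retention period missing from record")
    elif retention == 0:
        # A retention period of 0 means automated backups are disabled.
        findings.append("automated backups disabled")
    elif retention < min_days:
        findings.append(f"retention {retention}d below minimum {min_days}d")
    # Treat a missing field as a failure rather than assuming encryption.
    if instance.get("StorageEncrypted") is not True:
        findings.append("storage not encrypted")
    return findings


def audit(describe_json, min_days=MIN_RETENTION_DAYS):
    """Map instance identifier -> findings for every non-compliant instance."""
    report = {}
    for inst in json.loads(describe_json).get("DBInstances", []):
        findings = evaluate(inst, min_days)
        if findings:
            report[inst.get("DBInstanceIdentifier", "<unknown>")] = findings
    return report


if __name__ == "__main__":
    # Pass a file holding the CLI's JSON output, or no argument to use the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    result = audit(data)
    for name, findings in sorted(result.items()):
        print(f"FAIL {name}: {'; '.join(findings)}")
    sys.exit(1 if result else 0)
```

The non-zero exit status on any finding lets a scheduler or pipeline treat a non-compliant instance as a failed check.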

Remediation Guide

Setting Up Automated Snapshots

  1. Log in to the AWS Management Console.
  2. Navigate to the RDS dashboard and select the RDS DB instance.
  3. Under "DB Instance Actions", choose "Modify".
  4. Scroll down to the "Backup" section.
  5. Check "Enable automatic backups" and set the "Backup retention period" to meet the minimum duration recommended.
  6. Choose "Save Changes".

Increasing Backup Retention Period

If the retention period is less than the required compliance period, increase it:

  1. Use the AWS CLI command provided in the code section above to set the desired retention period.
  2. Apply the changes immediately.

Ensuring Snapshots Are Encrypted

  1. Go to the RDS dashboard.
  2. Select the RDS DB instance.
  3. In the "Details" section, find "Encryption" and ensure it is set to "Yes".
  4. If it's not encrypted, you may need to create a new DB instance with encryption enabled and migrate your data to comply with the NIST CSF.

Following these steps will ensure that your RDS DB instances comply with the backup requirements set by the NIST Cybersecurity Framework. Regular compliance audits and immediate remediation will significantly contribute to the security and resilience of your AWS database services.
