Ensure AWS RDS instances have Automatic Backup set up
Automatic Backup creates a storage volume snapshot of your DB instance, backing up the entire DB instance and not just individual databases which provide for point-in-time recovery. The automatic backup will happen during a specified backup window time and keeps the backups for a period of time defined in the retention period. It is recommended to set Automatic Backups for your critical RDS servers that will help in the data restoration process.
Risk Level: High
Cloud Entity: Amazon RDS
CloudGuard Rule ID: D9.AWS.DR.01
Category: Database
GSL LOGIC
RDS should have backupRetentionPeriod>0
REMEDIATION
From Portal
- Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.
- In the navigation pane, choose Databases, and then choose the DB instance that you want to modify.
- Choose Modify.
- In 'Backup' section,
a. From the 'Backup Retention Period' drop-down list, select the number of days to retain automatic backups of this DB instance
b. Select 'Start Time' and 'Duration' in 'Backup window', which is the daily time range (in UTC) during which automated backups will be performed - Click 'Continue'
- On the confirmation page, select 'Modify DB Instance' to save your changes
From TF
resource "aws_db_instance" "default" {
allocated_storage = 10
engine = "mysql"
engine_version = "5.7"
instance_class = "db.t3.micro"
name = "mydb"
username = "foo"
password = "foobarbaz"
parameter_group_name = "default.mysql5.7"
skip_final_snapshot = true
+ backup_retention_period = 5 # any positive number
}
From Command Line
aws rds modify-db-instance --region REGION --db-instance-identifier DBINSTANCE --backup-retention-period NUMBER_OF_DAYS --apply-immediately
References
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html
- https://aws.amazon.com/rds/faqs/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
Amazon RDS
Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security and compatibility they need.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ITSG-33
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
Updated over 1 year ago