
AWS RDS Multi-AZ

Reliability

Risk level: Medium (should be achieved)

Ensure that your RDS instances are using Multi-AZ deployment configurations for high availability and automatic failover support fully managed by AWS.

This rule resolution is part of the Cloud Conformity Base Auditing Package

When Multi-AZ is enabled, AWS automatically provisions and maintains a synchronous standby replica of the database on dedicated hardware in a different datacenter (known as an Availability Zone). AWS RDS automatically switches from the primary instance to the standby replica in the event of a failure, such as an Availability Zone outage, an internal hardware or network outage, or a software failure, and during planned interruptions such as software patching or a change of RDS instance type.

Audit

To determine if your RDS instances are using Multi-AZ configuration, perform the following:

Using AWS Console

01 Log in to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under RDS Dashboard, click Instances.

04 Select the RDS instance that you want to examine.

05 Click the Instance Actions button from the dashboard top menu and select See Details.

06 Under Availability and Durability section, search for the Multi AZ status:

If the current status is set to No, the feature is not enabled, which means that the selected RDS instance is not deployed in multiple Availability Zones.

07 Repeat steps no. 4 – 6 for each RDS instance provisioned in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.

Using AWS CLI

01 Run the describe-db-instances command (OSX/Linux/UNIX) to list the names of all RDS database instances available in the selected AWS region:

aws rds describe-db-instances \
	--region us-east-1 \
	--query 'DBInstances[*].DBInstanceIdentifier'

02 The command output should return each database instance identifier:

[
    "prod-mysql-instance"
]

03 Run the describe-db-instances command (OSX/Linux/UNIX) again, using the RDS instance identifier returned earlier, to determine the Multi-AZ configuration status of the selected instance:

aws rds describe-db-instances \
	--region us-east-1 \
	--db-instance-identifier prod-mysql-instance \
	--query 'DBInstances[*].MultiAZ'

04 The command output should return the Multi-AZ feature current status (true for enabled, false for disabled):

[
    false
]

If the current status is set to false, the selected RDS instance is not deployed in multiple Availability Zones.

05 Repeat steps no. 1 – 4 for each RDS instance provisioned in the current region. Change the AWS region by using the --region filter to repeat the process for other regions.
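
The CLI audit steps above, combined into one script (an added example, not part of the original page): it lists every instance whose MultiAZ value is false in each region passed as an argument. The function names are illustrative, and the script assumes the AWS CLI is installed with credentials allowed to call rds:DescribeDBInstances.

```shell
#!/bin/sh
# Added example: report RDS instances that are NOT Multi-AZ.
# Usage: sh audit.sh us-east-1 eu-west-1   (script name is illustrative)
# Output: one "region<TAB>instance-identifier" line per finding.

# non_multi_az REGION
# Prints the identifiers of instances whose MultiAZ attribute is false.
# The JMESPath filter does server-response filtering in one call instead
# of one describe-db-instances call per instance.
non_multi_az() {
    aws rds describe-db-instances \
        --region "$1" \
        --query 'DBInstances[?MultiAZ==`false`].DBInstanceIdentifier' \
        --output text
}

# audit_multi_az REGION...
# Returns 0 if every instance is Multi-AZ, 1 if any is not,
# 2 if a region could not be queried.
audit_multi_az() {
    found=0
    for region in "$@"; do
        # Fail closed: an API or credential error must not be read
        # as "no findings in this region".
        if ! ids=$(non_multi_az "$region"); then
            echo "error: could not query region $region" >&2
            return 2
        fi
        # Text output is whitespace-separated; split it into identifiers.
        for id in $ids; do
            printf '%s\t%s\n' "$region" "$id"
            found=1
        done
    done
    [ "$found" -eq 0 ]
}

# Run the audit only when regions are given on the command line.
if [ "$#" -gt 0 ]; then
    audit_multi_az "$@"
fi
```

The exit status (0 compliant, 1 findings, 2 query error) lets the script gate a scheduled job or pipeline step.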

Remediation / Resolution

To update your RDS instances configuration and enable Multi-AZ deployment, perform the following:

Using AWS Console

01 Log in to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under RDS Dashboard, click Instances.

04 Select the RDS instance that you want to examine.

05 Click the Instance Actions button from the dashboard top menu and select Modify.

06 On the Modify DB Instance: <instance identifier> page, under Instance Specifications section, select Yes from the Multi-AZ Deployment dropdown list.

07 At the bottom of the page, check Apply Immediately to apply the changes immediately.

08 Click Continue.

09 Review the changes and click Modify DB Instance. The instance status should change from available to modifying and back to available. Once the feature is enabled, the Multi AZ status should change to Yes.

10 Repeat steps no. 4 – 9 for each RDS instance available in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.

Using AWS CLI

01 Run the describe-db-instances command (OSX/Linux/UNIX) to list the names of all RDS instances available in the selected AWS region:

aws rds describe-db-instances \
	--region us-east-1 \
	--query 'DBInstances[*].DBInstanceIdentifier'

02 The command output should return each database instance identifier:

[
    "prod-mysql-instance"
]

03 Run the modify-db-instance command (OSX/Linux/UNIX) to modify the selected RDS instance configuration. The following command example enables Multi-AZ deployment for an RDS instance named prod-mysql-instance. The configuration change is asynchronously applied as soon as possible:

aws rds modify-db-instance \
	--region us-east-1 \
	--db-instance-identifier prod-mysql-instance \
	--multi-az \
	--apply-immediately

04 The command output should show the pending status of the feature as the PendingModifiedValues parameter value:

{
    "DBInstance": {
        "PubliclyAccessible": true,
        "MasterUsername": "mysqlwebdb",
        "MonitoringInterval": 0,
        "LicenseModel": "general-public-license",
        ...
        ],
        "PendingModifiedValues": {
            "MultiAZ": true
        },
        ...
        "DBInstanceStatus": "available",
        "EngineVersion": "5.6.27",
        "AvailabilityZone": "us-east-1a",
        "StorageType": "gp2",
        "DBInstanceClass": "db.t2.micro",
        "DBInstanceIdentifier": "prod-mysql-instance"
    }
}

05 Run the describe-db-instances command (OSX/Linux/UNIX) using the RDS instance identifier to check if the Multi-AZ feature has been successfully enabled:

aws rds describe-db-instances \
	--region us-east-1 \
	--db-instance-identifier prod-mysql-instance \
	--query 'DBInstances[*].MultiAZ'

06 The command output should return the feature current status (true for enabled, false for disabled):

[
    true
]

07 Repeat steps no. 1 – 6 for each RDS instance provisioned in the current region. Change the AWS region by using the --region filter to repeat the process for other regions.

Publication date Apr 29, 2016