Logo of Trend Micro

RDS Automated Backups Enabled

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: RDS-002

Ensure that your RDS database instances have automated backups enabled for point-in-time recovery. To back up your database instances, AWS RDS take automatically a full daily snapshot of your data (with transactions logs) during the specified backup window and keeps the backups for a limited period of time (known as retention period) defined by the instance owner.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Reliability

Creating point-in-time RDS instance snapshots periodically will allow you to handle efficiently your data restoration process in the event of a user error on the source database or to save data before making a major change to the instance database such as changing the structure of a table.

Audit

To determine if your RDS database instances have automated backups enabled, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under RDS Dashboard, click Instances.

04 Select the RDS instance that you want to examine.

05 Click Instance Actions button from the dashboard top menu and select See Details.

06 Under Availability and Durability section, search for the Automated Backups status:

Automated Backups status set to disabled

If the current status is set to Disabled, the RDS service will not perform point-in-time snapshots for the selected instance.

07 Repeat steps no. 4 – 6 for each RDS instance provisioned in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.

Using AWS CLI

01 Run describe-db-instances command (OSX/Linux/UNIX) to list all RDS database names, available in the selected AWS region: 

aws rds describe-db-instances
	--region us-east-1
	--query 'DBInstances[*].DBInstanceIdentifier'

02 The command output should return each database instance identifier: 

[
    "prod-mysql-database"
]

03 Run again describe-db-instances command (OSX/Linux/UNIX) using the RDS instance identifier returned earlier, to determine the retention period for the instance automated backups, e.g. the number of days for which RDS instance snapshots are retained: 

aws rds describe-db-instances
	--region us-east-1
	--db-instance-identifier prod-mysql-database
	--query 'DBInstances[*].BackupRetentionPeriod'

04 The command output should return the retention period (number of days) for the selected RDS instance: 

[
    0
]

If the current value for the retention period is set to 0 (zero), the Automated Backups feature is not enabled, meaning that AWS RDS will not perform point-in-time snapshots for the selected instance.

05 Repeat steps no. 1 – 4 for each RDS instance provisioned in the current region. Change the AWS region by using the --region filter to repeat the process for other regions.

Remediation / Resolution

To update your RDS instances configuration and enable automated backups, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under RDS Dashboard, click Instances.

04 Select the RDS instance that you want to examine.

05 Click Instance Actions button from the dashboard top menu and select Modify.

06 On the Modify DB Instance: <instance identifier> page, under Backup section, select a positive number (between 1 and 35) from the Backup Retention Period dropdown list. The value set represents the number of days for which instance automated backups are retained.

07 At the bottom of the page, check Apply Immediately to apply the changes immediately. (!) IMPORTANT: when you change the retention period from 0 to a non-zero value an immediate outage will occur so if the selected database instance is used in production consider leaving Apply Immediately option disabled before applying the changes in order to avoid any downtime. If Apply Immediately is not selected, the feature will be enabled during the next maintenance window.

08 Click Continue.

09 Review the changes and click Modify DB Instance. Once the feature is enabled, the Automated Backups status should change to Enabled:

Automated Backups status should change to Enabled

and a new snapshot of the instance will be created.

10 Repeat steps no. 4 – 9 for each RDS instance available in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.

Using AWS CLI

01 Run describe-db-instances command (OSX/Linux/UNIX) to list all RDS database names (identifiers), available in the selected AWS region: 

aws rds describe-db-instances
	--region us-east-1
	--query 'DBInstances[*].DBInstanceIdentifier'

02 The command output should return each database instance identifier: 

[
    "prod-mysql-database"
]

03 Run modify-db-instance command (OSX/Linux/UNIX) to modify the selected RDS instance configuration. The following command example enables Automatic Backups feature by setting the backup retention period (in days) for an RDS instance named prod-mysql-database. This example is using the –apply-immediately option to apply the change asynchronously and as soon as possible but note that using this parameter will trigger an immediate outage (to apply the change during the instance maintenance window, avoid adding the –apply-immediately command parameter): 

aws rds modify-db-instance
	--region us-east-1
	--db-instance-identifier prod-mysql-database
	--backup-retention-period 7
	--apply-immediately

04 The command output should reveal the new configuration metadata for the RDS instance: 

{
    "DBInstance": {
        "PubliclyAccessible": true,
        "MasterUsername": "webappmysql",
        "MonitoringInterval": 0,
        "LicenseModel": "general-public-license",
        ... 
        "PendingModifiedValues": {
            "BackupRetentionPeriod": 7
        },
  	   ...
        "DbiResourceId": "db-LVM75IJA2YOGQ3FJUNRK7KFFII",
        "CACertificateIdentifier": "rds-ca-2015",
        "StorageEncrypted": false,
        "DBInstanceClass": "db.t2.micro",
        "DbInstancePort": 0,
        "DBInstanceIdentifier": "prod-mysql-database"
    }
}

05 Run describe-db-instances command (OSX/Linux/UNIX) using the RDS instance identifier to check if the Automated Backups feature has been successfully enabled: 

aws rds describe-db-instances
	--region us-east-1
	--db-instance-identifier prod-mysql-database
	--query 'DBInstances[*].BackupRetentionPeriod'

06 The command output should return the retention period (7 days in this case) for the selected RDS instance. If the feature was enabled a non-zero value should be returned: 

[
    7
]

07 Repeat steps no. 1 – 6 for each RDS instance provisioned in the current region. Change the AWS region by using the --region filter to repeat the process for other regions. 

[
    7
]

References

Publication date Apr 30, 2016

Related RDS rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

RDS Automated Backups Enabled

Risk level: High