
RDS Multi-AZ

Reliability
Risk level: Medium (should be achieved)
Rule ID: RDS-007

Ensure that your RDS clusters are using Multi-AZ deployment configurations for high availability and automatic failover support fully managed by AWS.

This rule can help you with the following compliance standards:

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

When Multi-AZ is enabled, AWS automatically provisions and maintains a synchronous standby database replica on dedicated hardware in a different data center (known as an Availability Zone). AWS RDS automatically switches from the primary cluster to the standby replica in the event of a failure such as an Availability Zone outage, an internal hardware or network outage, or a software failure, and also during planned interruptions such as software patching or a change of the RDS cluster type.

Audit

To determine if your RDS clusters are using Multi-AZ configuration, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under RDS Dashboard, click Clusters.

04 Select the RDS cluster that you want to examine.

05 Click Cluster Actions button from the dashboard top menu and select See Details.

06 Under the Availability and Durability section, check the Multi AZ status.

If the current status is set to No, the feature is not enabled, which means that the selected RDS cluster is not deployed in multiple Availability Zones.

07 Repeat steps no. 4 – 6 for each RDS cluster provisioned in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.

Using AWS CLI

01 Run the describe-db-clusters command (OSX/Linux/UNIX) to list the identifiers of all RDS database clusters available in the selected AWS region:

aws rds describe-db-clusters \
	--region us-east-1 \
	--query 'DBClusters[*].DBClusterIdentifier'

02 The command output should return each database cluster identifier:

[
    "prod-mysql-cluster"
]

03 Run the describe-db-clusters command (OSX/Linux/UNIX) again, using the RDS cluster identifier returned earlier, to determine the selected cluster's Multi-AZ configuration status:

aws rds describe-db-clusters \
	--region us-east-1 \
	--db-cluster-identifier prod-mysql-cluster \
	--query 'DBClusters[*].MultiAZ'

04 The command output should return the current status of the Multi-AZ feature (true for enabled, false for disabled):

[
    false
]

If the current status is set to false, the selected RDS cluster is not deployed in multiple Availability Zones.

05 Repeat steps no. 1 – 4 for each RDS cluster provisioned in the current region. Change the AWS region by using the --region option to repeat the process for other regions.
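As an added example that is not part of the original page or of Cloud Conformity's own tooling, the following Python script applies the audit above across several regions at once: it reads the JSON that `aws rds describe-db-clusters` returns for each region, evaluates every cluster's MultiAZ flag, and lists the clusters that fail rule RDS-007. The live fetch via the AWS CLI is an assumption about the reader's environment; the embedded sample output is constructed.

```python
import json
import subprocess

# Constructed sample of what `aws rds describe-db-clusters --region <r>`
# returns, trimmed to the fields the audit needs.
SAMPLE_OUTPUT = {
    "us-east-1": json.dumps({"DBClusters": [
        {"DBClusterIdentifier": "prod-mysql-cluster", "MultiAZ": False,
         "DBClusterStatus": "available"},
        {"DBClusterIdentifier": "reporting-cluster", "MultiAZ": True,
         "DBClusterStatus": "available"},
    ]}),
    "eu-west-1": json.dumps({"DBClusters": [
        {"DBClusterIdentifier": "staging-cluster", "MultiAZ": False,
         "DBClusterStatus": "modifying",
         "PendingModifiedValues": {"MultiAZ": True}},
    ]}),
}


def sample_fetch(region):
    """Offline stand-in for the CLI call, backed by the constructed sample."""
    return json.loads(SAMPLE_OUTPUT[region])


def describe_db_clusters(region):
    """Run the same CLI call the audit uses (assumes the aws CLI is configured)."""
    out = subprocess.run(
        ["aws", "rds", "describe-db-clusters", "--region", region, "--output", "json"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def audit_rds_007(regions, fetch=describe_db_clusters):
    """Return {region: [findings]} for clusters whose MultiAZ flag is not true.

    A pending MultiAZ change (PendingModifiedValues) is flagged but still
    reported: until the modification completes, no standby replica exists.
    """
    findings = {}
    for region in regions:
        for cluster in fetch(region).get("DBClusters", []):
            if cluster.get("MultiAZ") is True:
                continue
            pending = cluster.get("PendingModifiedValues", {}).get("MultiAZ")
            findings.setdefault(region, []).append({
                "cluster": cluster["DBClusterIdentifier"],
                "status": cluster.get("DBClusterStatus"),
                "multi_az_pending": pending is True,
            })
    return findings
```

Run it with `audit_rds_007(["us-east-1", "eu-west-1"], fetch=sample_fetch)` for the offline sample, or with the default fetch and your account's enabled regions for a live audit.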

Remediation / Resolution

To update your RDS clusters configuration and enable Multi-AZ deployment, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under RDS Dashboard, click Clusters.

04 Select the RDS cluster that you want to examine.

05 Click Cluster Actions button from the dashboard top menu and select Modify.

06 On the Modify DB Cluster: <cluster identifier> page, under Cluster Specifications section, select Yes from the Multi-AZ Deployment dropdown list.

07 At the bottom of the page, check Apply Immediately to apply the changes immediately.

08 Click Continue.

09 Review the changes and click Modify DB Cluster. The cluster status should change from available to modifying and back to available. Once the feature is enabled, the Multi AZ status should change to Yes.

10 Repeat steps no. 4 – 9 for each RDS cluster available in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.

Using AWS CLI

01 Run the describe-db-clusters command (OSX/Linux/UNIX) to list the identifiers of all RDS clusters available in the selected AWS region:

aws rds describe-db-clusters \
	--region us-east-1 \
	--query 'DBClusters[*].DBClusterIdentifier'

02 The command output should return each database cluster identifier:

[
    "prod-mysql-cluster"
]

03 Run the modify-db-cluster command (OSX/Linux/UNIX) to modify the selected RDS cluster configuration. The following command example enables Multi-AZ deployment for an RDS cluster named prod-mysql-cluster. The configuration change is applied asynchronously, as soon as possible:

aws rds modify-db-cluster \
	--region us-east-1 \
	--db-cluster-identifier prod-mysql-cluster \
	--multi-az \
	--apply-immediately

04 The command output should show the pending status of the feature as the PendingModifiedValues parameter value:

{
    "DBCluster": {
        "PubliclyAccessible": true,
        "MasterUsername": "mysqlwebdb",
        "MonitoringInterval": 0,
        "LicenseModel": "general-public-license",
        ...
        ],
        "PendingModifiedValues": {
            "MultiAZ": true
        },
        ...
        "DBClusterStatus": "available",
        "EngineVersion": "5.6.27",
        "AvailabilityZone": "us-east-1a",
        "StorageType": "gp2",
        "DBClusterClass": "db.t2.micro",
        "DBClusterIdentifier": "prod-mysql-cluster"
    }
}

05 Run the describe-db-clusters command (OSX/Linux/UNIX) using the RDS cluster identifier to check whether the Multi-AZ feature has been successfully enabled:

aws rds describe-db-clusters \
	--region us-east-1 \
	--db-cluster-identifier prod-mysql-cluster \
	--query 'DBClusters[*].MultiAZ'

06 The command output should return the feature's current status (true for enabled, false for disabled):

[
    true
]

07 Repeat steps no. 1 – 6 for each RDS cluster provisioned in the current region. Change the AWS region by using the --region option to repeat the process for other regions.

Publication date Apr 29, 2016