Rule: RDS Aurora clusters should be protected by backup plan
This rule ensures that RDS Aurora clusters have a backup plan in place for data protection.
| Rule | RDS Aurora clusters should be protected by backup plan |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | ✔ Medium |
Ensuring RDS Aurora Clusters are Protected by a Backup Plan for NIST Cybersecurity Framework (CSF) v1
Overview
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) Version 1 is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risks. One key aspect of maintaining the integrity and resilience of systems according to the NIST CSF is ensuring that appropriate backup plans are in place. This includes having robust and tested backup strategies for cloud-based databases such as Amazon RDS Aurora clusters.
Rule / Policy Description
As per the NIST CSF, Amazon RDS Aurora clusters should have automated backups, database snapshots, and replication features enabled to ensure data durability and to provide point-in-time recovery capability.
Required Configuration:
- 1.Automated Backups: Ensure that automated backups are enabled with a retention period that aligns with your organization’s data recovery objectives.
- 2.Database Snapshots: Regularly take snapshots of the database according to your data backup policy.
- 3.Disaster Recovery: Utilize features like cross-region snapshot copy or RDS Aurora Global Database for disaster recovery planning.
- 4.Testing: Regularly test backups and restoration processes to confirm the effectiveness of the data recovery strategy.
Troubleshooting Steps
- Verify that automated backups are enabled with an appropriate retention period.
- Check the last snapshot taken and ensure it is within the expected time frame.
- Validate that the snapshots are being stored in multiple locations for redundancy.
- Confirm that the permissions are set correctly for the snapshots and backup files.
- Test the restoration process to ensure that the backups are operational.
Commands and Code Samples
Checking and Enabling Automated Backups:
# To describe the current backup settings for an RDS Aurora cluster aws rds describe-db-clusters --db-cluster-identifier my-cluster # To modify an existing DB cluster to enable automated backups with a 7-day retention period aws rds modify-db-cluster \ --db-cluster-identifier my-cluster \ --backup-retention-period 7 \ --apply-immediately
Taking Database Snapshots:
# To create a manual snapshot for an RDS Aurora cluster aws rds create-db-cluster-snapshot \ --db-cluster-snapshot-identifier my-cluster-snapshot \ --db-cluster-identifier my-cluster
Disaster Recovery Setup:
# To copy a snapshot to another region for disaster recovery aws rds copy-db-cluster-snapshot \ --source-db-cluster-snapshot-identifier my-cluster-snapshot \ --target-db-cluster-snapshot-identifier my-cluster-snapshot-copy \ --source-region us-west-2 \ --region us-east-1
Step-by-Step Guide for Remediation
- 1.
Enabling Automated Backups:
- Login to AWS Management Console.
- Navigate to RDS Dashboard.
- Select the Aurora Cluster.
- Modify the backup settings to enable automated backups and set the retention period.
- 2.
Creating Snapshots:
- Go to the RDS Dashboard.
- Select "Snapshots" from the navigation pane.
- Click on "Take Snapshot" and select the DB cluster.
- 3.
Disaster Recovery Implementation:
- Choose the existing snapshot and select "Copy Snapshot" to copy it to a different AWS region.
- Use RDS Aurora Global Database for cross-region replication.
- 4.
Backup Testing:
- Periodically test the recovery process by restoring a snapshot to a new cluster.
- Verify the integrity of the restored data.
- 5.
Monitoring and Logging:
- Use Amazon CloudWatch and AWS CloudTrail to monitor backup processes and maintain logs for audit purposes.
By adhering to these guidelines and ensuring RDS Aurora clusters are protected with a compliant backup plan, you will strengthen your organization's resilience against data loss and contribute to an effective cybersecurity posture as per the NIST CSF.
Please note that corresponding adjustments should be made according to the organization's specific compliance requirements, as the NIST CSF provides a framework that can be tailored to fit the unique cybersecurity needs of an organization. Additionally, engage in regular reviews and updates to backup protocols to keep them in line with evolving standards and technologies.