Ensure AWS RDS instances have Multi-Availability Zone enabled
When Multi-AZ is enabled on an RDS DB instance, RDS automatically creates a primary DB instance and synchronously replicates its data to a standby instance in a different Availability Zone. Multi-AZ deployments improve availability of the primary by providing a standby replica that can take over read/write operations if the primary loses network connectivity or its Availability Zone becomes unavailable.
Risk Level: Low
Cloud Entity: Amazon RDS
CloudGuard Rule ID: D9.AWS.DR.02
Covered by Spectral: Yes
Category: Database
GSL LOGIC
RDSDBCluster should have multiAZ=true
REMEDIATION
From Portal
- Sign into the AWS console.
- In the console, select the specific region.
- Navigate to the Amazon RDS console.
- Select Instances, and then select the reported DB instance.
- On the 'Instance Actions' drop-down list, select 'Modify'.
- In the 'Instance Specifications' section, for 'Multi-AZ Deployment', select 'Yes'.
- Click 'Continue'.
- On the confirmation page, review the changes and click 'Modify DB Instance' to save your changes.
From TF
resource "aws_db_instance" "example" {
...
name = "example_db"
+ multi_az = true
}
Note: setting the multi_az attribute to true makes the RDS instance Multi-AZ.
From Command Line
aws rds modify-db-instance --db-instance-identifier RDS_instance_name --option-group-name db_instance_option_group --db-parameter-group-name DB_parameter_group --multi-az --apply-immediately
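As an added example (not part of the CloudGuard rule or the AWS tooling), the following Python applies the rule's condition to saved output of `aws rds describe-db-instances` and emits the modify-db-instance command above for every Single-AZ finding. The JSON is a constructed sample; instances that belong to a DB cluster are set aside because Multi-AZ for those is a property of the cluster object, not the instance.

```python
import json

# Constructed sample of `aws rds describe-db-instances --output json`; not real account data.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres", "MultiAZ": True},
        {"DBInstanceIdentifier": "reports-dev", "Engine": "mysql", "MultiAZ": False},
        {"DBInstanceIdentifier": "billing-prod", "Engine": "mariadb", "MultiAZ": False},
        # Cluster members (Aurora, Multi-AZ DB clusters) report MultiAZ=False at the
        # instance level; the cluster from describe-db-clusters is what to check.
        {"DBInstanceIdentifier": "aurora-prod-1", "Engine": "aurora-postgresql",
         "MultiAZ": False, "DBClusterIdentifier": "aurora-prod"},
    ]
})


def audit_multi_az(describe_output: str) -> dict:
    """Classify instances from describe-db-instances JSON.

    non_compliant   - standalone instances with MultiAZ false (rule finding)
    compliant       - standalone instances with MultiAZ true
    cluster_members - instances belonging to a DB cluster; judged at cluster level
    """
    result = {"non_compliant": [], "compliant": [], "cluster_members": []}
    for inst in json.loads(describe_output)["DBInstances"]:
        ident = inst["DBInstanceIdentifier"]
        if inst.get("DBClusterIdentifier"):
            result["cluster_members"].append(ident)
        elif inst.get("MultiAZ") is True:
            result["compliant"].append(ident)
        else:
            result["non_compliant"].append(ident)
    return result


def remediation_commands(non_compliant: list) -> list:
    """Build one modify-db-instance call per finding to enable Multi-AZ."""
    return [
        f"aws rds modify-db-instance --db-instance-identifier {ident} "
        "--multi-az --apply-immediately"
        for ident in non_compliant
    ]


if __name__ == "__main__":
    findings = audit_multi_az(SAMPLE_DESCRIBE_OUTPUT)
    for ident in findings["non_compliant"]:
        print(f"NON-COMPLIANT: {ident} is Single-AZ")
    for ident in findings["cluster_members"]:
        print(f"CLUSTER MEMBER: {ident}, check the MultiAZ flag of its DB cluster")
    for cmd in remediation_commands(findings["non_compliant"]):
        print(cmd)
```

In practice, feed it the real output with `aws rds describe-db-instances --output json > instances.json` and read that file instead of the sample.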
References
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZSingleStandby.html
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-cluster.html
Amazon RDS
Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security and compatibility they need.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO27001:2022
- AWS ITSG-33
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- CloudGuard AWS All Rules Ruleset
Updated about 1 year ago