Aurora DB Clusters Should Be Protected By Backup Plan
More Info:
Checks if Amazon Aurora DB clusters are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon Relational Database Service (Amazon RDS) Database Cluster is not protected by a backup plan.
Risk Level
High
Address
Configuration
Compliance Standards
CBP,SEBI,RBI_MD_ITF,RBI_UCB
Triage and Remediation
Remediation
To remediate the misconfiguration of Aurora DB clusters not being protected by a backup plan in AWS RDS, follow these step-by-step instructions using the AWS Management Console:
1. Log in to the AWS Console: Go to the AWS Management Console (https://aws.amazon.com/) and log in using your credentials.
2. Navigate to RDS Service: Click on the “Services” dropdown at the top left corner of the console, then select “RDS” under the Database category.
3. Select Aurora Database Cluster: From the list of RDS database instances, locate and click on the Aurora DB cluster that you want to configure a backup plan for.
4. Enable Automated Backups: In the Aurora cluster dashboard, click on the “Modify” button to edit the cluster settings.
5. Configure Backup Retention Period: Scroll down to the “Backup” section, locate the “Backup retention period” option, and set a value for how long you want to retain automated backups. The minimum retention period is 1 day.
6. Enable Automated Backups: Make sure the “Backup retention period” is greater than 0 to enable automated backups for the Aurora cluster.
7. Configure Backup Window: Optionally, you can set a preferred backup window during which automated backups will be taken. This helps avoid performance impact during peak usage hours.
8. Enable Backup Encryption (Optional): If required, you can enable backup encryption by selecting the option for “Backup encryption” and choosing a KMS key to encrypt your backups.
9. Review and Apply Changes: Review the changes you have made to the Aurora cluster configuration. Once you are satisfied with the settings, click on the “Apply immediately” checkbox and then click on the “Modify cluster” button to apply the changes.
10. Verify Backup Plan: After the modification is completed, go back to the Aurora cluster dashboard and verify that automated backups are enabled and the backup retention period is set as per your configuration.
By following these steps, you have successfully remediated the misconfiguration of Aurora DB clusters not being protected by a backup plan in AWS RDS. Automated backups will now be taken according to the configured schedule, ensuring data protection and recovery capabilities for your Aurora cluster.
To remediate the misconfiguration of Aurora DB clusters not being protected by a backup plan in AWS RDS using AWS CLI, follow these steps:
1. Create a Backup Plan:
   - Run the following AWS CLI command to create a backup plan for your Aurora DB cluster:
       aws backup create-backup-plan --backup-plan '{"BackupPlanName": "YourBackupPlanName", "Rules": [{"RuleName": "Rule1", "TargetBackupVaultName": "Default", "ScheduleExpression": "cron(0 0 * * ? *)", "StartWindowMinutes": 60}]}'
   - Replace "YourBackupPlanName" with a suitable name for your backup plan.
   - This command creates a backup plan with a rule named “Rule1” that schedules daily backups at midnight UTC.
2. Associate the Backup Plan with the Aurora DB Cluster:
   - Run the following AWS CLI command to associate the backup plan with your Aurora DB cluster:
       aws backup create-backup-selection --backup-plan-id <BackupPlanId> --backup-selection '{"SelectionName": "YourSelectionName", "IamRoleArn": "YourIamRoleArn", "Resources": ["arn:aws:rds:region:account-id:cluster:cluster-name"]}'
   - Replace <BackupPlanId> with the ID of the backup plan you created in step 1.
   - Replace "YourSelectionName" with a suitable name for your backup selection.
   - Replace "YourIamRoleArn" with the IAM role ARN that has permissions to perform backups.
   - Replace "region", "account-id", and "cluster-name" with your AWS region, account ID, and Aurora DB cluster name, respectively.
3. Verify the Backup Plan Configuration:
   - Run the following AWS CLI command to verify that the backup plan is associated with the Aurora DB cluster:
       aws backup list-backup-selections --backup-plan-id <BackupPlanId>
   - This command will list the backup selections associated with the specified backup plan.
By following these steps, you can remediate the misconfiguration of Aurora DB clusters not being protected by a backup plan in AWS RDS using AWS CLI.
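The verification step above checks one plan at a time. The following added example (not part of the original page or of any AWS tooling) extends it to every Aurora cluster in a region by comparing cluster ARNs against the ARN patterns in all backup selections. It assumes selections list resources by ARN; selections that pick resources by tag (ListOfTags or Conditions) are not evaluated, and the cluster names and account ID in the sample data are constructed.

```python
import re

def arn_matches(pattern, arn):
    # Treat "*" as a wildcard and match every other character literally.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, arn) is not None

def selection_covers(selection, arn):
    """True if an ARN-based selection includes the resource and does not exclude it."""
    included = any(arn_matches(p, arn) for p in selection.get("Resources", []))
    excluded = any(arn_matches(p, arn) for p in selection.get("NotResources", []))
    return included and not excluded

def unprotected_aurora_clusters(clusters, selections):
    """Return ARNs of Aurora clusters that no backup selection covers."""
    return [c["DBClusterArn"] for c in clusters
            if c["Engine"].startswith("aurora")  # skip non-Aurora Multi-AZ clusters
            and not any(selection_covers(s, c["DBClusterArn"]) for s in selections)]

def fetch_inputs(region):
    """Collect live inputs; needs read access to RDS and AWS Backup."""
    import boto3  # imported here so the offline sample below runs without it
    rds = boto3.client("rds", region_name=region)
    backup = boto3.client("backup", region_name=region)
    clusters = [c for page in rds.get_paginator("describe_db_clusters").paginate()
                for c in page["DBClusters"]]
    selections = []
    for page in backup.get_paginator("list_backup_plans").paginate():
        for plan in page["BackupPlansList"]:
            plan_id = plan["BackupPlanId"]
            listed = backup.list_backup_selections(BackupPlanId=plan_id)
            for item in listed["BackupSelectionsList"]:
                detail = backup.get_backup_selection(
                    BackupPlanId=plan_id, SelectionId=item["SelectionId"])
                selections.append(detail["BackupSelection"])
    return clusters, selections

# Constructed sample data shaped like the API responses (account ID is a placeholder).
BASE = "arn:aws:rds:us-east-1:111122223333:cluster:"
SAMPLE_CLUSTERS = [
    {"DBClusterArn": BASE + "prod-orders", "Engine": "aurora-mysql"},
    {"DBClusterArn": BASE + "prod-scratch", "Engine": "aurora-postgresql"},
    {"DBClusterArn": BASE + "dev-reports", "Engine": "aurora-mysql"},
    {"DBClusterArn": BASE + "dev-multiaz", "Engine": "mysql"},
]
SAMPLE_SELECTIONS = [{"Resources": ["arn:aws:rds:*:*:cluster:prod-*"],
                      "NotResources": [BASE + "prod-scratch"]}]
if __name__ == "__main__":
    print("NON_COMPLIANT:", unprotected_aurora_clusters(SAMPLE_CLUSTERS, SAMPLE_SELECTIONS))
```

Against a real account, pass the result of `fetch_inputs("<your-region>")` to `unprotected_aurora_clusters` in place of the sample data.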
To remediate the misconfiguration of Aurora DB clusters not being protected by a backup plan in AWS RDS using Python, you can follow these steps:
1. Install Boto3: Boto3 is the AWS SDK for Python, which allows you to interact with AWS services. You can install it using pip:
       pip install boto3
2. Create a Python script to enable backups for your Aurora DB cluster. Here is an example script that you can use:
       import boto3

       # Define the AWS region and your Aurora DB cluster identifier
       region = 'your_aws_region'
       cluster_identifier = 'your_cluster_identifier'

       # Create an RDS client
       rds = boto3.client('rds', region_name=region)

       # Enable backups for the Aurora DB cluster
       response = rds.modify_db_cluster(
           DBClusterIdentifier=cluster_identifier,
           BackupRetentionPeriod=7,  # Set the number of days to retain backups
           PreferredBackupWindow='03:00-04:00',  # Set the preferred backup window (UTC)
           ApplyImmediately=True
       )
       print("Backup plan enabled for Aurora DB cluster:", cluster_identifier)
3. Replace placeholders: Replace your_aws_region with the AWS region where your Aurora DB cluster is located, and your_cluster_identifier with the actual identifier of your Aurora DB cluster.
4. Run the script: Save the script to a file (e.g., enable_backup_plan.py) and run it using Python. Make sure you have the necessary permissions in your AWS IAM role to modify the Aurora DB cluster.
       python enable_backup_plan.py
By following these steps, you can remediate the misconfiguration of Aurora DB clusters not being protected by a backup plan in AWS RDS using Python.