More Info:

Checks if Amazon Aurora DB clusters are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon Relational Database Service (Amazon RDS) Database Cluster is not protected by a backup plan.

Risk Level

High

Address

Configuration

Compliance Standards

CBP,SEBI,RBI_MD_ITF,RBI_UCB

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of Aurora DB clusters not being protected by a backup plan in AWS RDS, follow these step-by-step instructions using the AWS Management Console:
  1. Login to AWS Console: Go to the AWS Management Console (https://aws.amazon.com/) and login using your credentials.
  2. Navigate to RDS Service: Click on the “Services” dropdown at the top left corner of the console, then select “RDS” under the Database category.
  3. Select Aurora Database Cluster: From the list of RDS database instances, locate and click on the Aurora DB cluster that you want to configure a backup plan for.
  4. Enable Automated Backups: In the Aurora cluster dashboard, click on the “Modify” button to edit the cluster settings.
  5. Configure Backup Retention Period: Scroll down to the “Backup” section, locate the “Backup retention period” option, and set a value for how long you want to retain automated backups. The minimum retention period is 1 day.
  6. Enable Automated Backups: Make sure the “Backup retention period” is greater than 0 to enable automated backups for the Aurora cluster.
  7. Configure Backup Window: Optionally, you can set a preferred backup window during which automated backups will be taken. This helps in avoiding performance impact during peak usage hours.
  8. Enable Backup Encryption (Optional): If required, you can enable backup encryption by selecting the option for “Backup encryption” and choosing a KMS key to encrypt your backups.
  9. Review and Apply Changes: Review the changes you have made to the Aurora cluster configuration. Once you are satisfied with the settings, click on the “Apply immediately” checkbox and then click on the “Modify cluster” button to apply the changes.
  10. Verify Backup Plan: After the modification is completed, go back to the Aurora cluster dashboard and verify that automated backups are enabled and the backup retention period is set as per your configuration.
By following these steps, you have successfully remediated the misconfiguration of Aurora DB clusters not being protected by a backup plan in AWS RDS. Automated backups will now be taken according to the configured schedule, ensuring data protection and recovery capabilities for your Aurora cluster.

To remediate the misconfiguration of Aurora DB clusters not being protected by a backup plan in AWS RDS using AWS CLI, follow these steps:
  1. Create a Backup Plan:
    • Run the following AWS CLI command to create a backup plan for your Aurora DB cluster: 
      aws backup create-backup-plan --backup-plan '{"BackupPlanName": "YourBackupPlanName", "Rules": [{"RuleName": "Rule1", "TargetBackupVaultName": "Default", "ScheduleExpression": "cron(0 0 * * ? *)", "StartWindowMinutes": 60}]}'
    • Replace "YourBackupPlanName" with a suitable name for your backup plan.
    • This command creates a backup plan with a rule named “Rule1” that schedules daily backups at midnight UTC.
  2. Associate the Backup Plan with the Aurora DB Cluster:
    • Run the following AWS CLI command to associate the backup plan with your Aurora DB cluster: 
      aws backup create-backup-selection --backup-plan-id <BackupPlanId> --backup-selection '{"SelectionName": "YourSelectionName", "IamRoleArn": "YourIamRoleArn", "Resources": ["arn:aws:rds:region:account-id:cluster:cluster-name"]}'
    • Replace <BackupPlanId> with the ID of the backup plan you created in step 1.
    • Replace "YourSelectionName" with a suitable name for your backup selection.
    • Replace "YourIamRoleArn" with the IAM role ARN that has permissions to perform backups.
    • Replace "region", "account-id", and "cluster-name" with your AWS region, account ID, and Aurora DB cluster name, respectively.
  3. Verify the Backup Plan Configuration:
    • Run the following AWS CLI command to verify that the backup plan is associated with the Aurora DB cluster: 
      aws backup list-backup-selections --backup-plan-id <BackupPlanId>
    • This command will list the backup selections associated with the specified backup plan.
By following these steps, you can remediate the misconfiguration of Aurora DB clusters not being protected by a backup plan in AWS RDS using AWS CLI.
To remediate the misconfiguration of Aurora DB clusters not being protected by a backup plan in AWS RDS using Python, you can follow these steps:
  1. Install Boto3: Boto3 is the AWS SDK for Python, which allows you to interact with AWS services. You can install it using pip: 
    pip install boto3
  2. Create a Python script to enable backups for your Aurora DB cluster. Here is an example script that you can use: 
import boto3

# Define the AWS region and your Aurora DB cluster identifier
region = 'your_aws_region'
cluster_identifier = 'your_cluster_identifier'

# Create an RDS client
rds = boto3.client('rds', region_name=region)

# Enable backups for the Aurora DB cluster
response = rds.modify_db_cluster(
    DBClusterIdentifier=cluster_identifier,
    BackupRetentionPeriod=7,  # Set the number of days to retain backups
    BackupWindow='03:00-04:00',  # Set the preferred backup window
    ApplyImmediately=True
)

print("Backup plan enabled for Aurora DB cluster:", cluster_identifier)
  1. Replace placeholders: Replace your_aws_region with the AWS region where your Aurora DB cluster is located, and your_cluster_identifier with the actual identifier of your Aurora DB cluster.
  2. Run the script: Save the script to a file (e.g., enable_backup_plan.py) and run it using Python. Make sure you have the necessary permissions in your AWS IAM role to modify the Aurora DB cluster. 
python enable_backup_plan.py
By following these steps, you can remediate the misconfiguration of Aurora DB clusters not being protected by a backup plan in AWS RDS using Python.