More Info:

Identify any Amazon RDS database instances that appear to be idle and delete them to help lower the cost of your monthly AWS bill

Risk Level

High

Address

Reliability, Security

Compliance Standards

HITRUST, SOC2, NISTCSF

Triage and Remediation

Remediation

Using Console

To remediate the issue of idle RDS instances in AWS using the AWS Management Console, follow these steps:
  1. Identify Idle RDS Instances:
    • Log in to your AWS Management Console.
    • Go to the RDS service.
    • Click on “Databases” from the left-hand menu.
    • Identify the RDS instances that have been idle for a long time.
  2. Modify the Instance to Prevent Idleness:
    • Select the idle RDS instance that you want to modify.
    • Click on the instance name to view its details.
    • Click on the “Modify” button.
  3. Adjust the Instance Settings:
    • Increase the “Backup Retention Period” to ensure regular backups are taken.
    • Enable “Auto Minor Version Upgrade” to keep the instance updated.
    • Modify the “Maintenance Window” to schedule regular maintenance activities.
  4. Enable Enhanced Monitoring:
    • Enable Enhanced Monitoring to collect metrics on the instance’s performance.
    • This can help you identify any issues that may be causing idleness.
  5. Set up Alarms:
    • Create CloudWatch Alarms to monitor the instance’s CPU utilization, storage, and other metrics.
    • Set up notifications to alert you when the instance is idle or underutilized.
  6. Implement Database Activity Monitoring:
    • Use AWS services like Amazon CloudWatch Logs or Amazon RDS Performance Insights to monitor database activity.
    • Analyze the data to identify any patterns of idleness and take necessary actions.
  7. Implement Automation:
    • Utilize AWS Lambda functions or AWS Systems Manager Automation to automate tasks like stopping or resizing idle instances.
    • Set up a schedule to run these automation tasks regularly.
  8. Review and Optimize:
    • Regularly review the performance metrics and logs of your RDS instances.
    • Optimize the instance configurations based on the usage patterns to prevent idleness.
By following these steps, you can remediate the issue of idle RDS instances in AWS and ensure that your resources are utilized efficiently.

To remediate the misconfiguration of idle RDS instances in AWS using AWS CLI, you can set up a CloudWatch alarm to monitor the CPU utilization of the RDS instances and then take action when the CPU utilization falls below a certain threshold. Here are the step-by-step instructions:
  1. Create a CloudWatch Alarm:
    • Use the following AWS CLI command to create a CloudWatch alarm that monitors the CPU utilization of the RDS instances:
      aws cloudwatch put-metric-alarm --alarm-name IdleRDSInstanceAlarm --alarm-description "Alarm for idle RDS instances" --metric-name CPUUtilization --namespace AWS/RDS --statistic Average --period 300 --threshold 10 --comparison-operator LessThanThreshold --evaluation-periods 1 --alarm-actions <ARN_of_SNS_Topic>
      
      • Replace <ARN_of_SNS_Topic> with the ARN of the SNS topic to which you want to send the alarm notifications.
  2. Modify the Alarm Actions:
    • Modify the alarm actions to perform the necessary action when the alarm is triggered. For example, you can stop or delete the idle RDS instances. You can use the following AWS CLI command to update the alarm actions:
      aws cloudwatch put-metric-alarm --alarm-name IdleRDSInstanceAlarm --actions-enabled --alarm-actions <ARN_of_AWS_Lambda_Function>
      
      • Replace <ARN_of_AWS_Lambda_Function> with the ARN of the AWS Lambda function that performs the action on the RDS instances.
  3. Create an AWS Lambda Function (if not already created):
    • Create an AWS Lambda function that stops or deletes the idle RDS instances. You can use the following AWS CLI command to create a Lambda function:
      aws lambda create-function --function-name StopIdleRDSInstances --runtime python3.8 --role <IAM_Role_for_Lambda_Function> --handler lambda_function.lambda_handler --code S3Bucket=<Bucket_Name>,S3Key=<Lambda_Zip_File>
      
      • Replace <IAM_Role_for_Lambda_Function> with the IAM role assigned to the Lambda function and <Bucket_Name> and <Lambda_Zip_File> with the S3 bucket name and Lambda zip file respectively.
  4. Update the Lambda Function:
    • Update the Lambda function code to stop or delete the idle RDS instances based on the CloudWatch alarm triggers.
By following these steps, you can remediate the misconfiguration of idle RDS instances in AWS using AWS CLI.
To remediate the issue of idle RDS instances in AWS using Python, you can create a Lambda function that will check the status of RDS instances and stop the idle instances. Here are the step-by-step instructions to remediate this issue:
  1. Create an IAM Role:
    • Create an IAM role with the necessary permissions to describe and stop RDS instances. Attach the following policies to the role:
      • AmazonRDSReadOnlyAccess: Allows read-only access to RDS instances.
      • AmazonRDSFullAccess: Allows full access to RDS instances (for stopping them).
  2. Create a Lambda Function:
    • Go to the AWS Lambda console and create a new Lambda function.
    • Choose “Author from scratch” and configure the basic settings.
    • Under “Permissions”, choose the IAM role created in step 1.
    • Write the Python code to describe RDS instances and stop the idle ones. Here’s a sample code snippet:
    import boto3
    
    def lambda_handler(event, context):
        rds = boto3.client('rds')
        instances = rds.describe_db_instances()
    
        for instance in instances['DBInstances']:
            if instance['DBInstanceStatus'] == 'available' and instance['DBInstanceIdentifier'] != 'your-excluded-instance':
                # Check for idle time and stop the instance if idle
                # Add your logic here to determine idle time
    
                rds.stop_db_instance(DBInstanceIdentifier=instance['DBInstanceIdentifier'])
    
  3. Set Up CloudWatch Event:
    • Create a CloudWatch Event rule to trigger the Lambda function at a specific interval (e.g., every hour).
    • Configure the event rule to trigger the Lambda function.
  4. Test the Solution:
    • Manually trigger the Lambda function to test if it stops the idle RDS instances successfully.
By following these steps, you can create a Python-based solution using AWS Lambda to remediate the issue of idle RDS instances in AWS. Make sure to customize the code to suit your specific requirements and include error handling to manage any unforeseen issues.

Additional Reading: