More Info:

Checks if a recovery point was created for Amazon Relational Database Service (Amazon RDS). The rule is NON_COMPLIANT if the Amazon RDS instance does not have a corresponding recovery point created within the specified time period.

Risk Level

High

Addresses

Configuration

Compliance Standards

CBP,SEBI

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of missing backup recovery points for an AWS RDS instance, you can follow these steps using the AWS Management Console:
  1. Login to AWS Console: Go to the AWS Management Console (https://aws.amazon.com/console/) and login using your credentials.
  2. Navigate to RDS Service: Click on the “Services” dropdown menu at the top left corner, then select “RDS” under the Database category.
  3. Select the RDS Instance: From the list of RDS instances, click on the instance that you want to enable backup recovery points for.
  4. Enable Automated Backups:
    • In the RDS dashboard for the selected instance, click on the “Modify” button on the top right corner.
    • Scroll down to the “Backup” section.
    • Check the box for “Backup retention period” and set a retention period that suits your requirements (e.g., 7 days, 30 days).
    • Check the box for “Enable automatic backups” to enable automated backups for the RDS instance.
    • You can also configure the backup window timing as per your preference.
  5. Enable Backup Retention:
    • Scroll down further to the “Maintenance” section.
    • Check the box for “Backup retention period” and set a retention period that suits your requirements (e.g., 7 days, 30 days).
  6. Review and Apply Changes:
    • Scroll to the bottom of the page and click on the “Continue” button.
    • Review the changes you have made to ensure they are correct.
    • Click on the “Modify DB Instance” button to apply the changes.
  7. Verify Backup Configuration:
    • Once the modification is complete, go back to the RDS dashboard for the instance.
    • You should see that automated backups are now enabled, and a backup retention period has been set.
By following these steps, you have successfully enabled automated backups and set a backup retention period for your AWS RDS instance, ensuring that backup recovery points are created regularly.
To remediate the misconfiguration of not having backup recovery points created for an AWS RDS instance using AWS CLI, you can follow these steps:
  1. Identify the RDS Instance: First, you need to identify the RDS instance for which you want to enable backup recovery points. You can do this by listing all your RDS instances using the following AWS CLI command: 
    aws rds describe-db-instances
  2. Enable Automated Backups: To enable automated backups for the RDS instance, you can use the following AWS CLI command. Replace <instance-id> with the actual ID of your RDS instance: 
    aws rds modify-db-instance --db-instance-identifier <instance-id> --backup-retention-period 7 --apply-immediately
    • --backup-retention-period: Specifies the number of days to retain automated backups. You can adjust this value as needed.
    • --apply-immediately: This flag ensures that the changes take effect immediately.
  3. Verify Backup Configuration: You can verify the backup configuration for the RDS instance by describing the instance using the following AWS CLI command: 
    aws rds describe-db-instances --db-instance-identifier <instance-id>
    Make sure that the BackupRetentionPeriod is set to the desired value and that BackupRetentionPeriod is not 0.
  4. Monitor Backups: After enabling automated backups, you should monitor the backups to ensure that they are being created as expected. You can view the automated backups for the RDS instance using the following AWS CLI command: 
    aws rds describe-db-instance-automated-backups --db-instance-identifier <instance-id>
By following these steps, you can remediate the misconfiguration of not having backup recovery points created for an AWS RDS instance using AWS CLI.
To remediate the misconfiguration of not having backup recovery points created for an AWS RDS instance using Python, you can follow these steps:
  1. Import the necessary libraries:
import boto3
  1. Initialize the AWS RDS client:
rds_client = boto3.client('rds', region_name='your_region')
  1. Get a list of all RDS instances:
response = rds_client.describe_db_instances()
  1. Iterate through each RDS instance and enable automated backups if they are not already enabled:
for db_instance in response['DBInstances']:
    db_instance_identifier = db_instance['DBInstanceIdentifier']
    
    # Check if automated backups are already enabled
    if not db_instance['BackupRetentionPeriod']:
        print(f"Enabling automated backups for RDS instance {db_instance_identifier}")
        
        # Enable automated backups
        rds_client.modify_db_instance(
            DBInstanceIdentifier=db_instance_identifier,
            BackupRetentionPeriod=7,  # You can set the retention period as needed
            ApplyImmediately=True
        )
  1. Verify that automated backups are enabled for all RDS instances:
response = rds_client.describe_db_instances()

for db_instance in response['DBInstances']:
    db_instance_identifier = db_instance['DBInstanceIdentifier']
    backup_retention_period = db_instance['BackupRetentionPeriod']
    
    print(f"RDS instance {db_instance_identifier} has backup retention period set to {backup_retention_period}")
By following these steps and running the Python script, you can ensure that automated backups are enabled for all your AWS RDS instances, thus remediating the misconfiguration of not having backup recovery points created.