RDS Reserved Instances Purchases Should Be Reviewed Every 7 Days

More Info:

All Amazon RDS Reserved Instance (RI) purchases are reviewed every 7 days in order to confirm that no unwanted reservation purchase has been placed recently.

Risk Level

Low

Address

Cost Optimisation

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of not reviewing RDS Reserved Instances purchases every 7 days in AWS using AWS CLI, follow these steps:

List all the Reserved Instances in AWS RDS: Run the following AWS CLI command to list all the Reserved Instances in your AWS account:
```
aws rds describe-reserved-db-instances
```
Identify the Purchase Date of each Reserved Instance: From the output of the previous command, note down the OfferingType and StartTime values for each Reserved Instance. The StartTime field indicates when the Reserved Instance was purchased.
Calculate the Age of Each Reserved Instance: Calculate the age of each Reserved Instance by comparing the StartTime with the current date. If any Reserved Instance is older than 7 days, it needs to be reviewed.
Set up a Scheduled AWS Lambda Function: Create an AWS Lambda function that uses the AWS SDK to list all the Reserved Instances and their purchase dates. The Lambda function should compare the purchase date with the current date and send a notification if any Reserved Instance is older than 7 days.
Create an AWS CloudWatch Event Rule: Set up a CloudWatch Event Rule that triggers the Lambda function on a schedule (e.g., every 7 days). This will automate the process of reviewing RDS Reserved Instances purchases regularly.
Configure Notifications: Configure the Lambda function to send notifications (e.g., via Amazon SNS) to the appropriate stakeholders if any Reserved Instance needs to be reviewed.

By following these steps and automating the process using AWS Lambda and CloudWatch Events, you can ensure that RDS Reserved Instances purchases are reviewed every 7 days in AWS.

Using Python

To remediate the misconfiguration of not reviewing RDS Reserved Instances purchases every 7 days in AWS using Python, you can create a Lambda function that will be triggered by a CloudWatch Events rule on a 7-day schedule. Below are the step-by-step instructions to remediate this misconfiguration:

Create a Lambda Function:
- Go to the AWS Management Console and navigate to the Lambda service.
- Click on the “Create function” button.
- Choose the “Author from scratch” option.
- Provide a name for your function, select Python as the runtime, and choose an existing role with the necessary permissions or create a new one.
- Click on the “Create function” button.

Write Python Code:

In the Lambda function code editor, write Python code to list all the RDS Reserved Instances and check their purchase date.
You can use the AWS SDK for Python (Boto3) to interact with AWS services.
Here is an example code snippet to get you started:

import boto3
from datetime import datetime, timedelta

def lambda_handler(event, context):
    rds = boto3.client('rds')
    response = rds.describe_reserved_db_instances()

    for reserved_instance in response['ReservedDBInstances']:
        purchase_date = reserved_instance['StartTime'].replace(tzinfo=None)
        if datetime.now() - purchase_date > timedelta(days=7):
            # Send a notification or perform remediation action
            print(f"Review RDS Reserved Instance purchase for {reserved_instance['ReservedDBInstanceId']}")

Set up CloudWatch Events Rule:
- Go to the AWS Management Console and navigate to the CloudWatch service.
- Click on “Rules” in the left-hand menu and then click on “Create rule”.
- Set the schedule expression to run every 7 days.
- Add a target for the rule and select the Lambda function you created earlier.
Test the Remediation:
- Manually trigger the Lambda function to ensure that it is correctly listing RDS Reserved Instances that need review.
- Verify that the CloudWatch Events rule triggers the Lambda function as expected every 7 days.

By following these steps, you can remediate the misconfiguration of not reviewing RDS Reserved Instances purchases every 7 days in AWS using a Python Lambda function triggered by a CloudWatch Events rule.

Additional Reading:

https://aws.amazon.com/rds/reserved-instances/

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

RDS Reserved Instances Purchases Should Be Reviewed Every 7 Days

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: