
Use AWS Backup Service in Use for Amazon RDS

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: Backup-001

Ensure that AWS Backup is integrated with Amazon Relational Database Service (RDS) in order to manage RDS database instance snapshots and improve the reliability of your backup strategy. AWS Backup is a fully managed service that creates, restores and deletes backups on your behalf.

This rule resolution is part of the Conformity solution.

Reliability

With AWS Backup, you can centrally configure backup policies and rules, and monitor backup activity for AWS RDS database instances. The service automates and consolidates backup tasks previously performed service by service, removing the need for custom scripts (such as Lambda functions) and manual processes.


Audit

To determine if Amazon Backup service is used to manage AWS RDS instance snapshots in your AWS account, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under Amazon RDS, click Snapshots.

04 On the Snapshots listing page, click on the dropdown list that filters your RDS snapshots based on their type, and choose Backup service to list the snapshots processed by AWS Backup. If there are no snapshots available, the service is not used to manage RDS database instance snapshots, therefore AWS Backup is not in use for Amazon RDS within the current region.

05 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-db-snapshots command (OSX/Linux/UNIX) with the --snapshot-type parameter set to awsbackup (the snapshot type that RDS assigns to snapshots created by AWS Backup) to list the RDS database snapshots managed by AWS Backup, available in the selected AWS region:

aws rds describe-db-snapshots \
    --region us-east-1 \
    --snapshot-type awsbackup \
    --query 'DBSnapshots[].{Snapshot:DBSnapshotIdentifier,Instance:DBInstanceIdentifier}'

02 The command output should return an array with the requested information:

[]

If describe-db-snapshots command output returns an empty array, as shown in the output example above, there are no RDS database instance snapshots managed by AWS Backup, therefore AWS Backup is not in use for Amazon RDS in the selected region. Note that a snapshot of this type appears only after the first scheduled backup job for an instance has completed, so an instance that was assigned to a backup plan a few minutes ago will still show no AWS Backup snapshots.

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 to perform the audit process for other regions.
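The CLI steps above tell you whether any AWS Backup snapshot exists in a region; they do not tell you which RDS instances are still unprotected. The following script is an added example (not part of this Conformity page) that goes one step further: it compares the instance list against the AWS Backup-managed snapshots and reports the instances that have none, per region. The pure function works on the same shapes the describe-db-instances and describe-db-snapshots calls return, so it is exercised here on constructed sample data; `audit_region` and `audit_all_regions` wire it to boto3 and need credentials. Instance names in the sample data are invented.

```python
"""Audit: which RDS instances in each region lack an AWS Backup-managed snapshot.

Added example, not code from the Conformity page. The pure function
find_unprotected_instances() consumes the dict shapes returned by
describe_db_instances() / describe_db_snapshots(); audit_region() and
audit_all_regions() call the live API via boto3.
"""
from collections import defaultdict

# SnapshotType value RDS assigns to snapshots created by AWS Backup.
AWS_BACKUP_SNAPSHOT_TYPE = "awsbackup"


def find_unprotected_instances(instances, snapshots):
    """Return (covered, uncovered) sorted lists of DBInstanceIdentifier.

    instances: list of dicts like describe_db_instances()["DBInstances"]
    snapshots: list of dicts like describe_db_snapshots()["DBSnapshots"]
    An instance counts as covered only if at least one snapshot with
    SnapshotType "awsbackup" references it. Automated (RDS-scheduled) and
    manual snapshots do not count: they are not managed by AWS Backup.
    """
    backup_managed = defaultdict(int)
    for snap in snapshots:
        if snap.get("SnapshotType") == AWS_BACKUP_SNAPSHOT_TYPE:
            backup_managed[snap["DBInstanceIdentifier"]] += 1
    covered, uncovered = [], []
    for inst in instances:
        ident = inst["DBInstanceIdentifier"]
        (covered if backup_managed.get(ident) else uncovered).append(ident)
    return sorted(covered), sorted(uncovered)


def audit_region(region, session=None):
    """Live check for one region. Requires AWS credentials with rds:Describe* rights."""
    import boto3  # imported here so the pure function stays importable offline
    session = session or boto3.Session()
    rds = session.client("rds", region_name=region)
    instances, snapshots = [], []
    for page in rds.get_paginator("describe_db_instances").paginate():
        instances.extend(page["DBInstances"])
    # Ask RDS for AWS Backup snapshots explicitly instead of post-filtering.
    for page in rds.get_paginator("describe_db_snapshots").paginate(
            SnapshotType=AWS_BACKUP_SNAPSHOT_TYPE):
        snapshots.extend(page["DBSnapshots"])
    return find_unprotected_instances(instances, snapshots)


def audit_all_regions(session=None):
    """Repeat the check in every region where RDS is available; returns {region: (covered, uncovered)}."""
    import boto3
    session = session or boto3.Session()
    return {region: audit_region(region, session)
            for region in session.get_available_regions("rds")}


# Constructed sample data, shaped like the API responses (not real output).
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "cc-project5-instance"},
    {"DBInstanceIdentifier": "orders-db"},
    {"DBInstanceIdentifier": "legacy-db"},
]
SAMPLE_SNAPSHOTS = [
    {"DBSnapshotIdentifier": "awsbackup:job-0001", "DBInstanceIdentifier": "cc-project5-instance",
     "SnapshotType": "awsbackup"},
    {"DBSnapshotIdentifier": "rds:orders-db-2019-03-15", "DBInstanceIdentifier": "orders-db",
     "SnapshotType": "automated"},
    {"DBSnapshotIdentifier": "legacy-db-before-upgrade", "DBInstanceIdentifier": "legacy-db",
     "SnapshotType": "manual"},
]


def run_sample():
    """Offline demonstration on the constructed data."""
    return find_unprotected_instances(SAMPLE_INSTANCES, SAMPLE_SNAPSHOTS)


if __name__ == "__main__":
    covered, uncovered = run_sample()
    print("covered by AWS Backup:", covered)
    print("NOT covered:", uncovered)
```

On the sample data only cc-project5-instance is covered; orders-db and legacy-db have snapshots, but those are RDS automated and manual snapshots, which is exactly the distinction the rule is about. For the live run, `audit_all_regions()` replaces the "change the region and repeat" step.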

Remediation / Resolution

To use Amazon Backup service to manage AWS RDS database snapshots within your AWS account, perform the following actions:

Note: As an example, this conformity rule utilizes a predefined backup plan that implements scheduled (daily) backups for an AWS RDS database instance.

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to AWS Backup dashboard at https://console.aws.amazon.com/backup/.

03 In the left navigation panel, choose Backup plans.

04 Click the Create Backup plan button from the dashboard top menu to initiate the backup plan setup process.

05 On the Create Backup plan page, perform the following:

  1. In the Start options section, select Start from an existing plan option.
  2. From Choose plan dropdown list, select a predefined backup plan to start from, e.g. Daily-35day-Retention.
  3. Provide a unique name for your backup plan in the Backup plan name box.
  4. To edit the predefined backup rule, select the rule available in the Backup rules section, then click the Edit button. Review and choose the right configuration for your rule. For example, you can extend the retention period of the daily rule beyond the predefined 35 days to match your recovery requirements. For Backup vault, choose Default to use the default vault made available by AWS Backup. Click Save Backup rule to apply the changes.
  5. In the Tags added to Backup plan section, define any necessary tag sets to help you organize and track your backup plan.
  6. Click Create plan to create your new backup plan.

06 On the newly created backup plan page, within Resource assignments section, click Assign resources button to apply your new backup plan to your AWS RDS resources.

07 On the Assign resources page, provide the following details:

  1. Type a unique name for the new assignment in the Resource assignment name box.
  2. Under IAM role, choose Default role. If the Amazon Backup default role is not available in your AWS account, a new one will be created with the correct permissions.
  3. In the Assign resources section, select Resource ID from Assign by dropdown list, choose RDS from Resource type list, then click inside Database name box and select the name of the AWS RDS database instance that you want to assign to your backup plan. (Optional) To assign more resources to your backup plan, click Add assignment and follow the same steps.
  4. Once the necessary assignments are configured, click Assign resources to confirm the action. From now on, Amazon Backup will use the backup plan created at the previous steps to take daily snapshots of your AWS RDS database instance and manage these snapshots using the backup rules associated with your AWS Backup plan.

08 If required, repeat step no. 4 – 7 to create and configure new Amazon Backup plans for other AWS RDS database instances available in the current region.

09 Change the AWS region from the navigation bar to repeat the entire process for the other regions.

Using AWS CLI

01 Define the necessary Amazon Backup plan, including the backup rules required for scheduled (daily) RDS database backups. Create a new JSON document, name it daily-35day-retention.json, and paste the content listed below. The following example represents a predefined Amazon Backup plan that takes daily backups (in this case AWS RDS instance snapshots) and has a retention period of 35 days:

{
  "BackupPlanName": "cc-project5-backup-plan",
  "Rules": [
    {
      "RuleName": "DailyBackups",
      "TargetBackupVaultName": "Default",
      "ScheduleExpression": "cron(0 5 ? * * *)",
      "StartWindowMinutes": 480,
      "CompletionWindowMinutes": 10080,
      "Lifecycle": {
        "DeleteAfterDays": 35
      }
    }
  ]
}

02 Run create-backup-plan command (OSX/Linux/UNIX) using the backup plan definition created at the previous step (i.e. daily-35day-retention.json) as value for the --backup-plan command parameter, to create your new AWS Backup plan:

aws backup create-backup-plan \
    --region us-east-1 \
    --backup-plan file://daily-35day-retention.json

03 The command output should return the command request metadata:

{
    "BackupPlanArn": "arn:aws:backup:us-east-1:123456789012:backup-plan:abcd1234-abcd-1234-abcd-1234abcd1234",
    "VersionId": "ABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCD",
    "CreationDate": 1552652281.971,
    "BackupPlanId": "abcd1234-abcd-1234-abcd-1234abcd1234"
}

04 Run create-backup-selection command (OSX/Linux/UNIX) using the ID of the newly created backup plan as parameter, to assign the specified AWS Backup plan to an RDS database instance, identified by the ARN "arn:aws:rds:us-east-1:123456789012:db:cc-project5-instance", using the default IAM service role provided by AWS Backup, identified by "arn:aws:iam::123456789012:role/service-role/AWSBackupDefaultServiceRole". After the create-backup-selection command request is executed, AWS Backup will use the backup plan created at the previous steps to take daily snapshots of your RDS database instance and manage these snapshots using the predefined backup rules associated with your AWS Backup plan:

aws backup create-backup-selection \
    --region us-east-1 \
    --backup-plan-id abcd1234-abcd-1234-abcd-1234abcd1234 \
    --backup-selection SelectionName=cc-project5-db-instance,IamRoleArn=arn:aws:iam::123456789012:role/service-role/AWSBackupDefaultServiceRole,Resources=arn:aws:rds:us-east-1:123456789012:db:cc-project5-instance

05 The command output should return the command request metadata:

{
    "SelectionId": "12341234-abcd-abcd-abcd-123412341234",
    "CreationDate": 1552652418.029,
    "BackupPlanId": "abcd1234-abcd-1234-abcd-1234abcd1234"
}

06 If required, repeat step no. 1 – 5 to create and configure new Amazon Backup plans for other AWS RDS database instances provisioned in the selected region.

07 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 6 to perform the remediation/resolution process for other regions.
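The CLI remediation above assigns one instance ARN per selection, which is why it ends with "repeat for other instances". The script below is an added example (not code from this Conformity page) that builds the same daily plan programmatically with boto3 and, going one step beyond the page, assigns resources by tag (ListOfTags) so that any RDS instance carrying the tag is picked up without a new selection per instance. It also checks the two plan parameters that the service rejects most often before the API call is made. The plan name, vault, IAM role ARN and the tag key/value backup=daily are assumptions; the sample list-backup-plans output is constructed for the offline check.

```python
"""Remediation: create a daily AWS Backup plan and assign RDS instances to it by tag.

Added example, not code from the Conformity page. The build_* functions are
pure and return the documents that backup.create_backup_plan() and
backup.create_backup_selection() accept; apply() performs the live calls.
"""


def build_backup_plan(name, vault="Default", schedule="cron(0 5 ? * * *)",
                      retention_days=35, start_window=480, completion_window=10080):
    """Return a BackupPlan document equivalent to the page's daily-35day-retention.json.

    Validates before the API call: AWS Backup requires StartWindowMinutes >= 60,
    a positive DeleteAfterDays, and a cron(...) or rate(...) schedule expression.
    """
    if start_window < 60:
        raise ValueError("StartWindowMinutes must be at least 60")
    if retention_days < 1:
        raise ValueError("DeleteAfterDays must be at least 1")
    if not (schedule.startswith("cron(") or schedule.startswith("rate(")):
        raise ValueError("ScheduleExpression must be cron(...) or rate(...)")
    return {
        "BackupPlanName": name,
        "Rules": [{
            "RuleName": "DailyBackups",
            "TargetBackupVaultName": vault,
            "ScheduleExpression": schedule,
            "StartWindowMinutes": start_window,
            "CompletionWindowMinutes": completion_window,
            "Lifecycle": {"DeleteAfterDays": retention_days},
        }],
    }


def build_tag_selection(name, role_arn, tag_key="backup", tag_value="daily"):
    """Return a BackupSelection that matches every resource tagged tag_key=tag_value.

    Unlike a Resources=[arn] selection, this covers RDS instances created later,
    as long as they carry the tag. The tag key/value here are assumed.
    """
    return {
        "SelectionName": name,
        "IamRoleArn": role_arn,
        "ListOfTags": [{"ConditionType": "STRINGEQUALS",
                        "ConditionKey": tag_key,
                        "ConditionValue": tag_value}],
    }


def plan_id_by_name(plans, name):
    """Find an existing plan ID in a list_backup_plans() BackupPlansList, or None."""
    for plan in plans:
        if plan.get("BackupPlanName") == name:
            return plan["BackupPlanId"]
    return None


def apply(region, plan, selection):
    """Create the plan (reusing one with the same name if present) and the selection.

    Returns (BackupPlanId, SelectionId). Requires credentials with backup:* and
    iam:PassRole on the selection's IAM role.
    """
    import boto3  # imported here so the pure functions stay importable offline
    backup = boto3.client("backup", region_name=region)
    existing = []
    for page in backup.get_paginator("list_backup_plans").paginate():
        existing.extend(page["BackupPlansList"])
    plan_id = plan_id_by_name(existing, plan["BackupPlanName"])
    if plan_id is None:
        plan_id = backup.create_backup_plan(BackupPlan=plan)["BackupPlanId"]
    sel_id = backup.create_backup_selection(
        BackupPlanId=plan_id, BackupSelection=selection)["SelectionId"]
    return plan_id, sel_id


# Constructed sample of a list_backup_plans() response (not real output).
SAMPLE_PLAN_LIST = [
    {"BackupPlanName": "cc-project5-backup-plan",
     "BackupPlanId": "abcd1234-abcd-1234-abcd-1234abcd1234"},
]
ROLE_ARN = "arn:aws:iam::123456789012:role/service-role/AWSBackupDefaultServiceRole"

if __name__ == "__main__":
    plan = build_backup_plan("cc-project5-backup-plan")
    selection = build_tag_selection("rds-tagged-daily", ROLE_ARN)
    print(apply("us-east-1", plan, selection))  # live call; needs credentials
```

Tag the instances you want covered (for example with backup=daily, the assumed tag) and the selection picks them up at the next scheduled run; the audit command from the previous section will then show an awsbackup snapshot for each of them after the first job completes.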

Publication date Mar 16, 2019