🛡️ AWS RDS Instance Multi-AZ Deployment is not enabled🟢

• Contextual name: 🛡️ Instance Multi-AZ Deployment is not enabled🟢
• ID: /ce/ca/aws/rds/instance-multi-az-deployment
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: RELIABILITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS RDS Instance
  • 🔌 AWS RDS Instance - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [RDS.5] RDS DB instances should be configured with multiple Availability Zones
• Cloud Conformity: RDS Multi-AZ
• Internal: dec-x-5b3728e8

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-5b3728e8	1

Description

Open File

Description

Amazon RDS offers Multi-AZ deployments that provide enhanced availability and durability for your databases, using synchronous replication to replicate data to a standby instance in a different Availability Zone (AZ). In the event of an infrastructure failure, Amazon RDS automatically fails over to the standby to minimize downtime and ensure business continuity.

Rationale

Database availability is crucial for maintaining service uptime, particularly for applications that are critical to the business. Implementing Multi-AZ deployments with Amazon RDS ensures that your databases are protected against unplanned outages due to hardware failures, network issues, or other disruptions. This configuration enhances both the availability and durability of your database, making it a highly recommended practice for production environments.

Impact

Multi-AZ deployments may increase costs due to the additional resources required to maintain a standby instance; however, the benefits of increased availability and reduced risk of downtime outweigh these costs for critical applications.

... see more

Remediation

Open File

Remediation

Using AWS CloudFormation

• CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enables Multi-AZ deployment for an existing RDS instance.

Parameters:
  DBInstanceIdentifier:
    Type: String
    Description: The ID of the existing RDS instance

Resources:
  MultiAZRDSInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: !Ref DBInstanceIdentifier
      MultiAZ: true

From Console

1. Log in to the AWS Management Console and open the RDS dashboard.
2. In the left navigation pane, click Databases.
3. Select the database instance that needs Multi-AZ deployment to be enabled.
4. Click the Modify button at the top right.
5. Scroll down to the Availability & Durability section.
6. Under Multi-AZ deployment, select Yes to enable.
7. Review the changes and click Continue.
8. On the Review page, choose Apply immediately to make the change without waiting for the next maintenance window, or Apply during the next scheduled maintenance window.

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 APRA CPG 234 → 💼 73f response and recovery which involves a mixture of system restoration (where integrity and availability have been compromised) and managing sensitive data loss where confidentiality has been compromised. This allows for a return to businessas-usual processing;		4	4		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.5] RDS DB instances should be configured with multiple Availability Zones		1	1		no data
💼 CIS AWS v4.0.0 → 💼 2.2.4 Ensure Multi-AZ deployments are used for enhanced availability in Amazon RDS (Manual)			1		no data
💼 CIS AWS v4.0.1 → 💼 2.2.4 Ensure Multi-AZ deployments are used for enhanced availability in Amazon RDS (Manual)			1		no data
💼 CIS AWS v5.0.0 → 💼 2.2.4 Ensure Multi-AZ deployments are used for enhanced availability in Amazon RDS (Manual)			1		no data
💼 CIS AWS v6.0.0 → 💼 3.2.4 Ensure Multi-AZ deployments are used for enhanced availability in Amazon RDS (Manual)			1		no data
💼 Cloudaware Framework → 💼 System Configuration			56		no data
💼 FedRAMP High Security Controls → 💼 CP-6(2) Recovery Time and Recovery Point Objectives (H)			19		no data
💼 FedRAMP High Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)	2		20		no data
💼 FedRAMP Low Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)			20		no data
💼 FedRAMP Moderate Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)	1		20		no data
💼 NIST CSF v2.0 → 💼 PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations			21		no data
💼 NIST CSF v2.0 → 💼 RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process			20		no data
💼 NIST CSF v2.0 → 💼 RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed			20		no data
💼 NIST CSF v2.0 → 💼 RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed			20		no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-6(2) Alternate Storage Site _ Recovery Time and Recovery Point Objectives			19		no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-10 System Recovery and Reconstitution	6		20		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-5(2) Denial-of-service Protection _ Capacity, Bandwidth, and Redundancy			24		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-36 Distributed Processing and Storage	2		12		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-13(5) Predictable Failure Prevention _ Failover Capability			19		no data