Skip to main content

πŸ“ AWS RDS Instance Multi-AZ Deployment is not enabled 🟒

  • Contextual name: πŸ“ Instance Multi-AZ Deployment is not enabled 🟒
  • ID: /ce/ca/aws/rds/instance-multi-az-deployment
  • Located in: πŸ“ AWS RDS

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • RELIABILITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-5b3728e81

Logic​

Description​

Open File

Description​

Amazon RDS offers Multi-AZ deployments that provide enhanced availability and durability for your databases, using synchronous replication to replicate data to a standby instance in a different Availability Zone (AZ). In the event of an infrastructure failure, Amazon RDS automatically fails over to the standby to minimize downtime and ensure business continuity.

Rationale​

Database availability is crucial for maintaining service uptime, particularly for applications that are critical to the business. Implementing Multi-AZ deployments with Amazon RDS ensures that your databases are protected against unplanned outages due to hardware failures, network issues, or other disruptions. This configuration enhances both the availability and durability of your database, making it a highly recommended practice for production environments.

Impact​

Multi-AZ deployments may increase costs due to the additional resources required to maintain a standby instance; however, the benefits of increased availability and reduced risk of downtime outweigh these costs for critical applications.

... see more

Remediation​

Open File

Remediation​

From Console​

  1. Login to the AWS Management Console and open the RDS dashboard.
  2. In the left navigation pane, click on Databases.
  3. Select the database instance that needs Multi-AZ deployment to be enabled.
  4. Click the Modify button at the top right.
  5. Scroll down to the Availability & Durability section.
  6. Under Multi-AZ deployment, select Yes to enable.
  7. Review the changes and click Continue.
  8. On the Review page, choose Apply immediately to make the change without waiting for the next maintenance window, or Apply during the next scheduled maintenance window.
  9. Click Modify DB Instance to apply the changes.

From Command Line​

  1. Run the following command to modify the RDS instance and enable Multi-AZ:.
aws rds modify-db-instance --region <region-name> --db-instanceidentifier
<db-name> --multi-az --apply-immediately
  1. Confirm that the Multi-AZ deployment is enabled by running the following command:
aws rds describe-db-instances --region <region-name> --db-instanceidentifier

... [see more](remediation.md)

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 73f response and recovery which involves a mixture of system restoration (where integrity and availability have been compromised) and managing sensitive data loss where confidentiality has been compromised. This allows for a return to businessas-usual processing;44
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [RDS.5] RDS DB instances should be configured with multiple Availability Zones11
πŸ’Ό CIS AWS v4.0.0 β†’ πŸ’Ό 2.2.4 Ensure Multi-AZ deployments are used for enhanced availability in Amazon RDS (Manual)1
πŸ’Ό CIS AWS v4.0.1 β†’ πŸ’Ό 2.2.4 Ensure Multi-AZ deployments are used for enhanced availability in Amazon RDS (Manual)1
πŸ’Ό CIS AWS v5.0.0 β†’ πŸ’Ό 2.2.4 Ensure Multi-AZ deployments are used for enhanced availability in Amazon RDS (Manual)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό System Configuration24
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CP-6(2) Recovery Time and Recovery Point Objectives (H)2
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CP-10 System Recovery and Reconstitution (L)(M)(H)22
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CP-10 System Recovery and Reconstitution (L)(M)(H)2
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CP-10 System Recovery and Reconstitution (L)(M)(H)12
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations5
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process2
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed2
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed2
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CP-6(2) Alternate Storage Site _ Recovery Time and Recovery Point Objectives2
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CP-10 System Recovery and Reconstitution62
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-5(2) Denial-of-service Protection _ Capacity, Bandwidth, and Redundancy2
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-36 Distributed Processing and Storage21
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-13(5) Predictable Failure Prevention _ Failover Capability2