Control: 3.2.4 Ensure Multi-AZ deployments are used for enhanced availability in Amazon RDS
Description
Amazon RDS offers Multi-AZ deployments that provide enhanced availability and durability for your databases, using synchronous replication to replicate data to a standby instance in a different Availability Zone (AZ). In the event of an infrastructure failure, Amazon RDS automatically fails over to the standby to minimize downtime and ensure business continuity.
Remediation
From Console:
- Login to the AWS Management Console and open the RDS dashboard at AWS RDS Console.
- In the left navigation pane, click on Databases.
- Select the database instance that needs Multi-AZ deployment to be enabled.
- Click the Modify button at the top right.
- Scroll down to the Availability & Durability section.
- Under Multi-AZ deployment, select Yes to enable.
- Review the changes and click Continue.
- On the Review page, choose Apply immediately to make the change without waiting for the next maintenance window, or Apply during the next scheduled maintenance window.
- Click Modify DB Instance to apply the changes.
From Command Line:
- Run the following command to modify the RDS instance and enable Multi-AZ:
aws rds modify-db-instance --region <region-name> --db-instance-identifier <db-name> --multi-az --apply-immediately
- Confirm that the Multi-AZ deployment is enabled by running the following command:
aws rds describe-db-instances --region <region-name> --db-instance-identifier <db-name> --query 'DBInstances[*].MultiAZ'
- If the output is True, Multi-AZ is enabled.
- If the output is False, Multi-AZ is not enabled.
- Repeat steps 1 and 2 to audit each RDS instance, and change regions to verify in other regions.
Default Value:
By default, Amazon RDS instances are created as Single-AZ deployments. Multi-AZ must be explicitly enabled during instance creation or modification.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v600_3_2_4
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_v600_3_2_4 --share
SQL
This control uses a named query:
select
  arn as resource,
  case
    when engine ilike any (array ['%aurora-mysql%', '%aurora-postgres%']) then 'skip'
    when multi_az then 'ok'
    else 'alarm'
  end as status,
  case
    when engine ilike any (array ['%aurora-mysql%', '%aurora-postgres%']) then title || ' cluster instance.'
    when multi_az then title || ' Multi-AZ enabled.'
    else title || ' Multi-AZ disabled.'
  end as reason,
  region,
  account_id
from
  aws_rds_db_instance;
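The same skip/ok/alarm rule as the query above, applied to the JSON that `aws rds describe-db-instances` returns, as an added example that is not part of this page or of the Powerpipe mod. It assumes the standard `DBInstances` records (`DBInstanceArn`, `DBInstanceIdentifier`, `Engine`, `MultiAZ`); the sample data is constructed, and `audit_region` only works with AWS credentials configured.

```python
import json
import subprocess

# Same decision rule as the control's SQL: Aurora instances are skipped
# (availability is a cluster property there), Multi-AZ instances are ok,
# everything else is an alarm. Substring match, so "aurora-postgresql" matches.
AURORA_ENGINES = ("aurora-mysql", "aurora-postgres")


def classify(instance):
    """Return (status, reason) for one DBInstance record."""
    engine = instance.get("Engine", "").lower()
    title = instance.get("DBInstanceIdentifier", "<unknown>")
    if any(a in engine for a in AURORA_ENGINES):
        return "skip", f"{title} cluster instance."
    if instance.get("MultiAZ") is True:
        return "ok", f"{title} Multi-AZ enabled."
    return "alarm", f"{title} Multi-AZ disabled."


def audit(describe_output):
    """Map each instance ARN to (status, reason), mirroring the control's rows."""
    return {
        inst["DBInstanceArn"]: classify(inst)
        for inst in describe_output.get("DBInstances", [])
    }


def audit_region(region):
    """Run the real CLI for one region and audit its output (needs credentials)."""
    raw = subprocess.run(
        ["aws", "rds", "describe-db-instances", "--region", region, "--output", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return audit(json.loads(raw))


# Constructed sample of describe-db-instances output; not real resources.
SAMPLE = {
    "DBInstances": [
        {"DBInstanceArn": "arn:aws:rds:us-east-1:111122223333:db:app-prod",
         "DBInstanceIdentifier": "app-prod", "Engine": "postgres", "MultiAZ": True},
        {"DBInstanceArn": "arn:aws:rds:us-east-1:111122223333:db:app-dev",
         "DBInstanceIdentifier": "app-dev", "Engine": "mysql", "MultiAZ": False},
        {"DBInstanceArn": "arn:aws:rds:us-east-1:111122223333:db:analytics-1",
         "DBInstanceIdentifier": "analytics-1", "Engine": "aurora-postgresql", "MultiAZ": False},
    ]
}

if __name__ == "__main__":
    for arn, (status, reason) in audit(SAMPLE).items():
        print(f"{status:5} {reason}  ({arn})")
```

Running it over every region with `audit_region` reproduces the "change regions to verify in other regions" step of the CLI remediation.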