Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
36Dashboards
1598Benchmarks
674Queries
9Variables
GitHub

Control: 3.2.4 Ensure Multi-AZ deployments are used for enhanced availability in Amazon RDS

Description

Amazon RDS offers Multi-AZ deployments that provide enhanced availability and durability for your databases, using synchronous replication to replicate data to a standby instance in a different Availability Zone (AZ). In the event of an infrastructure failure, Amazon RDS automatically fails over to the standby to minimize downtime and ensure business continuity

Remediation

From Console:

  1. Login to the AWS Management Console and open the RDS dashboard at AWS RDS Console.
  2. In the left navigation pane, click on Databases.
  3. Select the database instance that needs Multi-AZ deployment to be enabled.
  4. Click the Modify button at the top right.
  5. Scroll down to the Availability & Durability section.
  6. Under Multi-AZ deployment, select Yes to enable.
  7. Review the changes and click Continue.
  8. On the Review page, choose Apply immediately to make the change without waiting for the next maintenance window, or Apply during the next scheduled maintenance window.
  9. Click Modify DB Instance to apply the changes.

From Command Line:

  1. Run the following command to modify the RDS instance and enable Multi-AZ:
aws rds modify-db-instance --region <region-name> --db-instanceidentifier <db-name> --multi-az --apply-immediately
  1. Confirm that the Multi-AZ deployment is enabled by running the following command:
aws rds describe-db-instances --region <region-name> --db-instanceidentifier <db-name> --query 'DBInstances[*] MultiAZ'
  • If the output is True, Multi-AZ is enabled.
  • If the output is False, Multi-AZ is not enabled.
  1. Repeat steps 1 and 2 to audit each RDS instance, and change regions to verify in other regions.

Default Value:

By default, Amazon RDS instances are created as Single-AZ deployments. Multi-AZ must be explicitly enabled during instance creation or modification.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_v600_3_2_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_v600_3_2_4 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when engine ilike any (array ['%aurora-mysql%', '%aurora-postgres%']) then 'skip'
    when multi_az then 'ok'
    else 'alarm'
  end as status,
  case
    when engine ilike any (array ['%aurora-mysql%', '%aurora-postgres%']) then title || ' cluster instance.'
    when multi_az then title || ' Multi-AZ enabled.'
    else title || ' Multi-AZ disabled.'
  end as reason
  
  , region, account_id
from
  aws_rds_db_instance;

Tags

category = Compliance
cis = true
cis_item_id = 3.2.4
cis_level = 1
cis_section_id = 3.2
cis_type = manual
cis_version = v6.0.0
plugin = aws
service = AWS/RDS