
DMS Multi-AZ

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: DMS-003

Ensure that your Amazon Database Migration Service (DMS) replication instances are using Multi-AZ deployment configurations to provide High Availability (HA) through automatic failover to standby replicas in the event of a failure such as an Availability Zone (AZ) outage, an internal hardware or network outage, a software failure or in case of a planned maintenance session.

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

With the Multi-AZ feature enabled, the AWS DMS service creates and maintains synchronous replicas across different Availability Zones to provide data redundancy, eliminate I/O freeze-ups and minimize latency spikes. Running a replication instance with Multi-AZ deployment enabled will improve availability during system maintenance, help protect the instance against failure and Availability Zone disruption, and provide a redundant replication stream during ongoing replications and long database migrations.


Audit

To determine if your Amazon DMS replication instances are using Multi-AZ configurations, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Database Migration Service dashboard at https://console.aws.amazon.com/dms/.

03 In the left navigation panel, choose Replication instances.

04 Select the AWS DMS replication instance that you want to examine to open the panel with the resource configuration details.

05 Select the Overview tab from the dashboard bottom panel and check the Multi-AZ configuration attribute value. If the attribute value is set to No, the selected Amazon DMS replication instance is not running within a Multi-AZ environment, therefore the DMS resource configuration is not fault-tolerant.

06 Repeat steps no. 4 and 5 for each AWS DMS replication instance provisioned in the selected AWS region.

07 Change the AWS region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the describe-replication-instances command (OSX/Linux/UNIX) to list the ARNs of all DMS replication instances available in the selected AWS region:

aws dms describe-replication-instances \
	--region us-east-1 \
	--query "ReplicationInstances[*].ReplicationInstanceArn"

02 The command output should return the requested Amazon Resource Name(s):

[
    "arn:aws:dms:us-east-1:123456789012:rep:AABBCCDDAABBCCDDAABBCCDDAA"
]

03 Run the describe-replication-instances command (OSX/Linux/UNIX) again, using the ARN of the DMS replication instance that you want to examine as the identifier and a custom query filter, to determine the Multi-AZ configuration status of the selected replication instance:

aws dms describe-replication-instances \
	--region us-east-1 \
	--filters Name=replication-instance-arn,Values=arn:aws:dms:us-east-1:123456789012:rep:AABBCCDDAABBCCDDAABBCCDDAA \
	--query "ReplicationInstances[*].MultiAZ"

04 The command output should return the Multi-AZ configuration status:

[
    false
]

If the command output returns false, as shown in the example above, the Multi-AZ feature is not enabled, therefore the selected Amazon Database Migration Service replication instance does not have a fault-tolerant configuration.

05 Repeat steps no. 3 and 4 for each AWS DMS replication instance available within the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire process for other regions.

Remediation / Resolution

To update your Amazon DMS replication instances configuration in order to enable Multi-AZ deployment, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Database Migration Service (DMS) dashboard at https://console.aws.amazon.com/dms/.

03 In the left navigation panel, choose Replication instances.

04 Select the AWS DMS replication instance that you want to reconfigure (see Audit section part I to identify the right resource).

05 Click the Modify button from the dashboard top menu to access the resource configuration panel.

06 On the Modify Replication Instance page, select Yes from the Multi-AZ dropdown menu to enable the feature.

07 Select Apply changes immediately to apply your changes immediately. With this option any pending modifications will be asynchronously applied, regardless of the maintenance window setting for the selected replication instance. If Apply changes immediately checkbox is not selected, your changes will be applied during the next scheduled maintenance window.

08 Click Modify to apply the configuration changes.

09 Repeat steps no. 4 – 8 to enable the Multi-AZ feature for other Amazon DMS replication instances available in the current region.

10 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run the modify-replication-instance command (OSX/Linux/UNIX) to enable Multi-AZ deployment for the selected Amazon DMS replication instance (see Audit section part II to identify the right DMS resource). The following command example uses the --apply-immediately parameter to apply the configuration changes asynchronously, as soon as possible. If you use the --no-apply-immediately parameter instead, the DMS service will apply your configuration changes during the next maintenance window:

aws dms modify-replication-instance \
	--region us-east-1 \
	--replication-instance-arn arn:aws:dms:us-east-1:123456789012:rep:AABBCCDDAABBCCDDAABBCCDDAA \
	--multi-az \
	--apply-immediately

02 The command output should return the metadata for the modified AWS DMS replication instance:

{
    "ReplicationInstance": {
        "MultiAZ": true,
        "AvailabilityZone": "us-east-1a",
        "ReplicationInstancePrivateIpAddress": "172.31.17.56",
        "ReplicationInstanceClass": "dms.t2.medium",
        "AutoMinorVersionUpgrade": true,
        "ReplicationInstanceStatus": "available",

        ...

        "InstanceCreateTime": 1548256625.342,
        "AllocatedStorage": 100,
        "EngineVersion": "3.1.2",
        "ReplicationInstanceIdentifier": "cc-database-replicator",
        "PubliclyAccessible": true,
        "PreferredMaintenanceWindow": "tue:08:46-tue:09:16"
    }
}

03 Repeat steps no. 1 and 2 to enable the Multi-AZ feature for other Amazon DMS replication instances available within the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat the process for other regions.
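The CLI audit (Audit section part II) and the CLI remediation (Remediation section part II) above are one region-by-region loop: list the replication instances, pick out those with MultiAZ set to false, and run modify-replication-instance against each. The following script is an added example, not Conformity's or AWS's own code, that ties both parts together. It assumes a configured AWS CLI with permission to call dms:DescribeReplicationInstances when the environment variable DMS003_LIVE=1 (a name chosen here) is set; otherwise it runs offline against a constructed sample in the same tab-separated shape that --output text produces. It prints the remediation command for each non-compliant instance rather than executing it, so the change remains a deliberate, reviewable step.

```shell
#!/bin/sh
# Added example for Conformity rule DMS-003 (not the page's or AWS's code).
# Audits DMS replication instances for Multi-AZ and prints, but does not run,
# the remediation command for each instance that has Multi-AZ disabled.

# Extracts the ARNs whose second column is "False" from lines of the form
# "<ARN><TAB><True|False>", which is what `--output text` prints for the
# JMESPath query used in audit_region below.
non_multiaz_arns() {
    awk -F'\t' '$2 == "False" { print $1 }'
}

# Prints the modify-replication-instance command that enables Multi-AZ for
# one instance. Swap --apply-immediately for --no-apply-immediately to defer
# the change to the next maintenance window.
remediation_command() {
    printf 'aws dms modify-replication-instance --region %s --replication-instance-arn %s --multi-az --apply-immediately\n' "$1" "$2"
}

# Live audit of a single region (needs dms:DescribeReplicationInstances).
audit_region() {
    aws dms describe-replication-instances --region "$1" \
        --query 'ReplicationInstances[].[ReplicationInstanceArn,MultiAZ]' \
        --output text | non_multiaz_arns
}

# Constructed sample output (one non-compliant and one compliant instance);
# the first ARN is the one used in the page's examples, the second is made up.
sample_output() {
    printf 'arn:aws:dms:us-east-1:123456789012:rep:AABBCCDDAABBCCDDAABBCCDDAA\tFalse\n'
    printf 'arn:aws:dms:us-east-1:123456789012:rep:SAMPLEMULTIAZ00000000000\tTrue\n'
}

# Audits the regions passed as arguments when DMS003_LIVE=1, otherwise the
# sample; prints one remediation command per non-compliant instance.
report() {
    if [ "${DMS003_LIVE:-0}" = "1" ]; then
        for region in "$@"; do
            audit_region "$region" | while read -r arn; do
                remediation_command "$region" "$arn"
            done
        done
    else
        sample_output | non_multiaz_arns | while read -r arn; do
            remediation_command us-east-1 "$arn"
        done
    fi
}

# Offline by default; run with DMS003_LIVE=1 to audit the listed regions.
report us-east-1 us-west-2
```

Run it as-is to see the remediation command produced for the sample; with DMS003_LIVE=1 and a list of regions it performs the real describe call per region, and the emitted commands can be reviewed and then executed one at a time or during the maintenance window.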
