DB Instance Generation

Risk Level: Medium (should be achieved)
Rule ID: RDS-009

Ensure that all the Amazon RDS database instances provisioned within your AWS account are using the latest generation of instance classes in order to get the best performance at lower cost. If you are using database instances from a previous generation, Trend Micro Cloud One™ – Conformity strongly recommends that you upgrade them to their latest generation equivalents.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Well-Architected Framework pillars: Performance efficiency, Cost optimisation

Using the latest generation of Amazon RDS database instances instead of previous generation instances has tangible benefits: better hardware performance (more computing capacity and faster CPUs, memory optimization and higher network throughput), better support for the latest database engine versions, and lower costs for memory and storage.


Audit

To determine if there are any Amazon RDS database instances from the previous generation available in your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under Amazon RDS, choose Databases.

04 Click on the name (link) of the RDS database instance that you want to examine. To identify RDS database instances, check the database role available in the Role column (i.e. Instance).

05 Select the Configuration tab and check the Instance class attribute value to determine whether the database instance is using an instance type/class from a previous generation. If the instance class used by the selected Amazon RDS database instance belongs to a previous generation, it will be listed among the previous-generation instance classes on this page.

06 Repeat steps no. 4 and 5 for each Amazon RDS database instance available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-db-instances command (OSX/Linux/UNIX) with custom query filters to list the names of the Amazon RDS database instances provisioned in the selected AWS region:

aws rds describe-db-instances \
  --region us-east-1 \
  --output table \
  --query 'DBInstances[*].DBInstanceIdentifier'

02 The command output should return a table with the requested database instance names:

--------------------------------
|     DescribeDBInstances      |
+------------------------------+
|  cc-project5-mysql-database  |
|  cc-prod-postgres-database   |
+------------------------------+

03 Run describe-db-instances command (OSX/Linux/UNIX) using the name of the Amazon RDS database instance that you want to examine as the identifier parameter and custom query filters to describe the instance type/class configured for the selected database instance:

aws rds describe-db-instances \
  --region us-east-1 \
  --db-instance-identifier cc-project5-mysql-database \
  --query 'DBInstances[*].DBInstanceClass'

04 The command output should return the instance type configured for the selected RDS resource:

[
    "db.m1.medium"
]

If the instance class returned by the describe-db-instances command for the selected Amazon RDS database instance belongs to a previous generation, it will be listed among the previous-generation instance classes on this page.

05 Repeat steps no. 3 and 4 for each Amazon RDS database instance available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
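As an added worked example (not part of the Conformity page), the CLI audit steps above in script form: it runs the same describe-db-instances query once per region and flags every instance whose class belongs to a previous-generation family, so the per-instance step 03 and the per-region step 06 are covered in one pass. The family list and the script name are assumptions; the list should be kept current against the AWS previous-generation instance page.

```shell
#!/bin/sh
# Added example (not from the Conformity page): apply the CLI audit above across regions
# and flag instances whose class belongs to a previous-generation family.
# ASSUMPTION: this family list mirrors AWS's previous-generation RDS instance list at the
# time of writing; keep it current against https://aws.amazon.com/rds/previous-generation/
PREVIOUS_GEN_FAMILIES="m1 m2 m3 m4 r3 r4 t1 t2"

# Return 0 when an instance class such as db.m1.medium belongs to a previous-generation family.
is_previous_generation() {
  family=$(printf '%s' "$1" | cut -d. -f2)
  for f in $PREVIOUS_GEN_FAMILIES; do
    [ "$family" = "$f" ] && return 0
  done
  return 1
}

# Read "identifier<TAB>class" rows on stdin (the shape --output text produces below)
# and print only the rows that need an upgrade.
flag_previous_generation() {
  tab=$(printf '\t')
  while IFS="$tab" read -r ident class; do
    [ -n "$ident" ] || continue
    if is_previous_generation "$class"; then
      printf '%s\t%s\n' "$ident" "$class"
    fi
  done
}

# Audit one region with the same describe-db-instances call the steps above use,
# asking for identifier and class in one request instead of one call per instance.
audit_region() {
  aws rds describe-db-instances --region "$1" --output text \
    --query 'DBInstances[*].[DBInstanceIdentifier,DBInstanceClass]' \
    | flag_previous_generation \
    | while IFS= read -r row; do printf '%s\t%s\n' "$1" "$row"; done
}

# Usage: sh rds_generation_audit.sh us-east-1 us-west-2 ...
# (with no arguments the script only defines the functions)
if [ $# -gt 0 ]; then
  for region in "$@"; do
    audit_region "$region"
  done
fi
```

Each output row is region, instance identifier and class, tab-separated, so it can be fed straight into a ticket or a remediation list.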

Remediation / Resolution

To upgrade your previous generation RDS database instances to their latest generation equivalents, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Upgrade to latest instance generation by updating the DBInstanceClass parameter",
	"Parameters": {
		"DBInstanceName": {
			"Default": "mysql-database-instance",
			"Description": "RDS database instance name",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "63",
			"AllowedPattern": "^[0-9a-zA-Z-/]*$",
			"ConstraintDescription": "Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens."
		},
		"DBInstanceClass": {
			"Default": "db.t3.medium",
			"Description": "DB instance class/type",
			"Type": "String",
			"ConstraintDescription": "Must provide a valid DB instance type."
		},
		"DBAllocatedStorage": {
			"Default": "20",
			"Description": "The size of the database (GiB)",
			"Type": "Number",
			"MinValue": "20",
			"MaxValue": "65536",
			"ConstraintDescription": "Must be between 20 and 65536 GiB."
		},
		"DBName": {
			"Default": "mysqldb",
			"Description": "Database name",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "64",
			"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
			"ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters."
		},
		"DBUsername": {
			"Description": "Master username for database access",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "16",
			"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
			"ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters."
		},
		"DBPassword": {
			"NoEcho": "true",
			"Description": "Password for database access",
			"Type": "String",
			"MinLength": "8",
			"MaxLength": "41",
			"AllowedPattern": "[a-zA-Z0-9]*",
			"ConstraintDescription": "Must contain only alphanumeric characters."
		}
	},
	"Resources": {
		"RDSInstance": {
			"Type": "AWS::RDS::DBInstance",
			"Properties": {
				"DBInstanceIdentifier": {
					"Ref": "DBInstanceName"
				},
				"DBName": {
					"Ref": "DBName"
				},
				"MasterUsername": {
					"Ref": "DBUsername"
				},
				"MasterUserPassword": {
					"Ref": "DBPassword"
				},
				"DBInstanceClass": {
					"Ref": "DBInstanceClass"
				},
				"AllocatedStorage": {
					"Ref": "DBAllocatedStorage"
				},
				"Engine": "MySQL",
				"EngineVersion": "5.7.36"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Upgrade to latest instance generation by updating the DBInstanceClass parameter
Parameters:
  DBInstanceName:
    Default: mysql-database-instance
    Description: RDS database instance name
    Type: String
    MinLength: '1'
    MaxLength: '63'
    AllowedPattern: ^[0-9a-zA-Z-/]*$
    ConstraintDescription: Must begin with a letter and must not end with a hyphen
      or contain two consecutive hyphens.
  DBInstanceClass:
    Default: db.t3.medium
    Description: DB instance class/type
    Type: String
    ConstraintDescription: Must provide a valid DB instance type.
  DBAllocatedStorage:
    Default: '20'
    Description: The size of the database (GiB)
    Type: Number
    MinValue: '20'
    MaxValue: '65536'
    ConstraintDescription: Must be between 20 and 65536 GiB.
  DBName:
    Default: mysqldb
    Description: Database name
    Type: String
    MinLength: '1'
    MaxLength: '64'
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
    ConstraintDescription: Must begin with a letter and contain only alphanumeric
      characters.
  DBUsername:
    Description: Master username for database access
    Type: String
    MinLength: '1'
    MaxLength: '16'
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
    ConstraintDescription: Must begin with a letter and contain only alphanumeric
      characters.
  DBPassword:
    NoEcho: 'true'
    Description: Password for database access
    Type: String
    MinLength: '8'
    MaxLength: '41'
    AllowedPattern: '[a-zA-Z0-9]*'
    ConstraintDescription: Must contain only alphanumeric characters.
Resources:
  RDSInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: !Ref 'DBInstanceName'
      DBName: !Ref 'DBName'
      MasterUsername: !Ref 'DBUsername'
      MasterUserPassword: !Ref 'DBPassword'
      DBInstanceClass: !Ref 'DBInstanceClass'
      AllocatedStorage: !Ref 'DBAllocatedStorage'
      Engine: MySQL
      EngineVersion: '5.7.36'

Using Terraform

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 3.27"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_db_instance" "rds-database-instance" {
	allocated_storage     = 20
	engine                = "mysql"
	engine_version        = "5.7"

	# Upgrade to latest instance generation by updating the 'instance_class' parameter
	instance_class        = "db.t3.medium"

	name                      = "mysqldb"
	username                  = "ccmysqluser01"
	password                  = "ccmysqluserpwd"
	parameter_group_name      = "default.mysql5.7"

	apply_immediately = true
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under Amazon RDS, choose Databases.

04 Select the Amazon RDS database instance that you want to upgrade and choose Modify.

05 On the Modify DB instance: <instance-name> page, in the DB instance class section, choose the database instance class that meets your processing power and memory requirements: from the instance type/class dropdown list, select the latest generation instance type equivalent to the previous generation one currently in use. See the AWS updated documentation available here and here to make sure that you choose the right instance type for your Amazon RDS database instance.

06 Choose Continue and review the configuration changes that you want to apply, available in the Summary of modifications section.

07 In the Scheduling of modifications section, perform one of the following actions based on your workload requirements:

  1. Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.
  2. Select Apply immediately to apply the changes right away. With this option any pending modifications are applied asynchronously as soon as possible, regardless of the maintenance window configured for the selected database instance. Note that any changes waiting in the pending modifications queue are also applied; if any of them require downtime, choosing this option can cause unexpected downtime for your database application.

Then choose Modify DB instance to apply the configuration changes.

08 Repeat steps no. 4 – 7 for each Amazon RDS database instance available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run the modify-db-instance command (OSX/Linux/UNIX) to resize the selected Amazon RDS database instance to the latest generation instance type/class equivalent to its previous generation type. See the AWS updated documentation available here and here to make sure that you choose the right instance type for your Amazon RDS database instance. The following command request example uses the --apply-immediately parameter to apply the configuration changes asynchronously and as soon as possible. Any changes waiting in the pending modifications queue are also applied with this request; if any of them require downtime, choosing this option can cause unexpected downtime for your RDS database application. If you omit the --apply-immediately parameter, Amazon RDS applies your changes during the next maintenance window. The example below upgrades the instance type from "db.m1.medium" (previous generation) to "db.t3.medium" (latest generation):

aws rds modify-db-instance \
  --region us-east-1 \
  --db-instance-identifier cc-project5-mysql-database \
  --db-instance-class db.t3.medium \
  --apply-immediately

02 The command output should return the configuration metadata for the modified database instance:

{
	"DBInstance": {
		"PubliclyAccessible": false,
		"MasterUsername": "ccadmin",
		"MonitoringInterval": 0,
		"LicenseModel": "general-public-license",
		"VpcSecurityGroups": [
			{
				"Status": "active",
				"VpcSecurityGroupId": "sg-0abcd1234abcd1234"
			},
			{
				"Status": "active",
				"VpcSecurityGroupId": "sg-abcd1234"
			}
		],
		"InstanceCreateTime": "2021-05-12T08:00:00.677Z",
		"CopyTagsToSnapshot": true,
		"OptionGroupMemberships": [
			{
				"Status": "in-sync",
				"OptionGroupName": "default:mysql-5-7"
			}
		],
		"PendingModifiedValues": {
			"DBInstanceClass": "db.t3.medium"
		},
		"Engine": "mysql",
		"MultiAZ": false,
		"DBSecurityGroups": [],
		"DBParameterGroups": [
			{
				"DBParameterGroupName": "default.mysql5.7",
				"ParameterApplyStatus": "in-sync"
			}
		],
		"PerformanceInsightsEnabled": true,
		"AutoMinorVersionUpgrade": true,
		"PreferredBackupWindow": "06:02-06:32",
		"DBSubnetGroup": {
			"Subnets": [
				{
					"SubnetStatus": "Active",
					"SubnetIdentifier": "subnet-abcd1234",
					"SubnetOutpost": {},
					"SubnetAvailabilityZone": {
						"Name": "us-east-1d"
					}
				},
				{
					"SubnetStatus": "Active",
					"SubnetIdentifier": "subnet-1234abcd",
					"SubnetOutpost": {},
					"SubnetAvailabilityZone": {
						"Name": "us-east-1e"
					}
				},
				{
					"SubnetStatus": "Active",
					"SubnetIdentifier": "subnet-abcdabcd",
					"SubnetOutpost": {},
					"SubnetAvailabilityZone": {
						"Name": "us-east-1b"
					}
				},
				{
					"SubnetStatus": "Active",
					"SubnetIdentifier": "subnet-12341234",
					"SubnetOutpost": {},
					"SubnetAvailabilityZone": {
						"Name": "us-east-1a"
					}
				},
				{
					"SubnetStatus": "Active",
					"SubnetIdentifier": "subnet-abcd1234",
					"SubnetOutpost": {},
					"SubnetAvailabilityZone": {
						"Name": "us-east-1f"
					}
				},
				{
					"SubnetStatus": "Active",
					"SubnetIdentifier": "subnet-1234abcd",
					"SubnetOutpost": {},
					"SubnetAvailabilityZone": {
						"Name": "us-east-1c"
					}
				}
			],
			"DBSubnetGroupName": "default-vpc-abcdabcd",
			"VpcId": "vpc-abcdabcd",
			"DBSubnetGroupDescription": "Created from the AWS Management Console",
			"SubnetGroupStatus": "Complete"
		},
		"ReadReplicaDBInstanceIdentifiers": [],
		"AllocatedStorage": 70,
		"DBInstanceArn": "arn:aws:rds:us-east-1:123456789012:db:cc-project5-mysql-database",
		"BackupRetentionPeriod": 7,
		"PreferredMaintenanceWindow": "thu:03:27-thu:03:57",
		"Endpoint": {
			"HostedZoneId": "ABCDABCDABCD",
			"Port": 3306,
			"Address": "cc-project5-mysql-database.abcdabcdabcd.us-east-1.rds.amazonaws.com"
		},
		"DBInstanceStatus": "available",
		"IAMDatabaseAuthenticationEnabled": true,
		"EngineVersion": "5.7.30",
		"DeletionProtection": true,
		"AvailabilityZone": "us-east-1a",
		"DomainMemberships": [],
		"StorageType": "gp2",
		"DbiResourceId": "db-ABCDABCDABCDABCDABCDABCDAB",
		"CACertificateIdentifier": "rds-ca-2019",
		"StorageEncrypted": true,
		"AssociatedRoles": [],
		"DBInstanceClass": "db.t3.medium",
		"DbInstancePort": 0,
		"DBInstanceIdentifier": "cc-project5-mysql-database"
	}
}

03 Repeat steps no. 1 and 2 for each Amazon RDS database instance available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Publication date May 5, 2016
