Ensure that your Amazon RDS instances are using the Multi-AZ deployment configuration for high availability and automatic failover support, fully managed by AWS. Multi-AZ creates a standby in a different Availability Zone (AZ) to provide data redundancy, eliminate I/O freezes, and minimize latency spikes during system backups.
This rule can help you with the following compliance standards:
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When Multi-AZ is enabled, Amazon RDS automatically provision and maintain a synchronous database standby replica on a dedicated hardware in a different Availability Zone. The RDS service will automatically switch from the primary instance to the available standby replica in the event of a failure such as an Availability Zone outage, an internal hardware or network outage, a software failure, or in case of planned interruptions such as software patching or changing the database instance type.
Audit
To determine if your Amazon RDS instances are using the Multi-AZ configuration, perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.
03 In the navigation panel, under Amazon RDS, choose Databases.
04 Click on the name (link) of the Amazon RDS database instance that you want to examine. To identify RDS database instances, check the resource role available in the Role column (i.e. Instance).
05 Select the Configuration tab and check the Multi-AZ configuration attribute value. If the Multi-AZ attribute value is set to No, the Multi-AZ feature is not enabled for the selected Amazon RDS database instance, therefore the database is not using a Multi-AZ deployment configuration for reliability.
06 Repeat steps no. 4 and 5 for each Amazon RDS database instance available within the current AWS region.
07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.
Using AWS CLI
01 Run describe-db-instances command (OSX/Linux/UNIX) with custom query filters to list the names of the Amazon RDS database instances provisioned in the selected AWS region:
aws rds describe-db-instances --region us-east-1 --output table --query 'DBInstances[*].DBInstanceIdentifier'
02 The command output should return a table with the requested database instance names:
-------------------------------- | DescribeDBInstances | +------------------------------+ | cc-project5-mysql-database | | cc-prod-postgres-database | +------------------------------+
03 Run describe-db-instances command (OSX/Linux/UNIX) using the name of the Amazon RDS database instance that you want to examine as the identifier parameter and custom query filters to determine if the selected database instance is using a Multi-AZ deployment configuration:
aws rds describe-db-instances --region us-east-1 --db-instance-identifier cc-project5-mysql-database --query 'DBInstances[*].MultiAZ'
04 The command output should return the Multi-AZ feature status available for the selected instance:
[ false ]
If the describe-db-instances command output returns false, as shown in the output example above, the Multi-AZ feature is not enabled for the selected Amazon RDS database instance, therefore the database is not using a Multi-AZ deployment configuration for reliability.
05 Repeat steps no. 3 and 4 for each Amazon RDS database instance available in the selected AWS region.
06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
Remediation / Resolution
To enable the Multi-AZ deployment for your existing Amazon RDS database instances, perform the following operations:
Using AWS CloudFormation
01 CloudFormation template (JSON):
{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "Enable Multi-AZ for RDS Database Instances", "Parameters": { "DBInstanceName": { "Default": "mysql-database-instance", "Description": "RDS database instance name", "Type": "String", "MinLength": "1", "MaxLength": "63", "AllowedPattern": "^[0-9a-zA-Z-/]*$", "ConstraintDescription": "Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens." }, "DBInstanceClass": { "Default": "db.t2.micro", "Description": "DB instance class/type", "Type": "String", "ConstraintDescription": "Must provide a valid DB instance type." }, "DBAllocatedStorage": { "Default": "20", "Description": "The size of the database (GiB)", "Type": "Number", "MinValue": "20", "MaxValue": "65536", "ConstraintDescription": "Must be between 20 and 65536 GiB." }, "DBName": { "Default": "mysqldb", "Description": "Database name", "Type": "String", "MinLength": "1", "MaxLength": "64", "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", "ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters." }, "DBUsername": { "Description": "Master username for database access", "Type": "String", "MinLength": "1", "MaxLength": "16", "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", "ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters." }, "DBPassword": { "NoEcho": "true", "Description": "Password for database access", "Type": "String", "MinLength": "8", "MaxLength": "41", "AllowedPattern": "[a-zA-Z0-9]*", "ConstraintDescription": "Must contain only alphanumeric characters." } }, "Resources": { "RDSInstance": { "Type": "AWS::RDS::DBInstance", "Properties": { "DBInstanceIdentifier": { "Ref": "DBInstanceName" }, "DBName": { "Ref": "DBName" }, "MasterUsername": { "Ref": "DBUsername" }, "MasterUserPassword": { "Ref": "DBPassword" }, "DBInstanceClass": { "Ref": "DBInstanceClass" }, "AllocatedStorage": { "Ref": "DBAllocatedStorage" }, "Engine": "MySQL", "EngineVersion": "5.7.36", "MultiAZ": true } } } }
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09' Description: Enable Multi-AZ for RDS Database Instances Parameters: DBInstanceName: Default: mysql-database-instance Description: RDS database instance name Type: String MinLength: '1' MaxLength: '63' AllowedPattern: ^[0-9a-zA-Z-/]*$ ConstraintDescription: Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens. DBInstanceClass: Default: db.t2.micro Description: DB instance class/type Type: String ConstraintDescription: Must provide a valid DB instance type. DBAllocatedStorage: Default: '20' Description: The size of the database (GiB) Type: Number MinValue: '20' MaxValue: '65536' ConstraintDescription: Must be between 20 and 65536 GiB. DBName: Default: mysqldb Description: Database name Type: String MinLength: '1' MaxLength: '64' AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' ConstraintDescription: Must begin with a letter and contain only alphanumeric characters. DBUsername: Description: Master username for database access Type: String MinLength: '1' MaxLength: '16' AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' ConstraintDescription: Must begin with a letter and contain only alphanumeric characters. DBPassword: NoEcho: 'true' Description: Password for database access Type: String MinLength: '8' MaxLength: '41' AllowedPattern: '[a-zA-Z0-9]*' ConstraintDescription: Must contain only alphanumeric characters. Resources: RDSInstance: Type: AWS::RDS::DBInstance Properties: DBInstanceIdentifier: !Ref 'DBInstanceName' DBName: !Ref 'DBName' MasterUsername: !Ref 'DBUsername' MasterUserPassword: !Ref 'DBPassword' DBInstanceClass: !Ref 'DBInstanceClass' AllocatedStorage: !Ref 'DBAllocatedStorage' Engine: MySQL EngineVersion: 5.7.36 MultiAZ: true
Using Terraform
01 Terraform configuration file (.tf):
terraform { required_providers { aws = { source = "hashicorp/aws" version = "~> 3.27" } } required_version = ">= 0.14.9" } provider "aws" { profile = "default" region = "us-east-1" } resource "aws_db_instance" "rds-database-instance" { allocated_storage = 20 engine = "mysql" engine_version = "5.7" instance_class = "db.t2.micro" name = "mysqldb" username = "ccmysqluser01" password = "ccmysqluserpwd" parameter_group_name = "default.mysql5.7" # Enable Multi-AZ for RDS Database Instances multi_az = true apply_immediately = true }
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.
03 In the navigation panel, under Amazon RDS, choose Databases.
04 Select the Amazon RDS database instance that you want to reconfigure and choose Modify.
05 On the Modify DB instance: <instance-name> configuration page, perform the following actions:
- In the Availability & durability section, under Multi-AZ deployment, choose Create a standby instance (recommended for production usage) to enable the Multi-AZ deployment for the selected Amazon RDS database instance. Note that you may experience a significant performance impact when converting your database instance to a Multi-AZ configuration. This impact will be more noticeable on database instances with large amounts of storage and write-intensive workloads.
- Choose Continue and review the configuration changes that you want to apply, available in the Summary of modifications section.
- In the Scheduling of modifications section, perform one of the following actions based on your workload requirements:
- Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.
- Select Apply immediately to apply the changes right away. With this option any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window configured for the selected Amazon RDS database instance. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your database application.
- Choose Modify DB instance to apply the configuration changes.
06 Repeat steps no. 4 and 5 for each Amazon RDS database instance available in the selected AWS region.
07 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.
Using AWS CLI
01 Run modify-db-instance command (OSX/Linux/UNIX) to convert the selected Amazon RDS database instance to a Multi-AZ configuration by adding the --multi-az parameter to the command request. The following command request example makes use of --apply-immediately parameter to apply the configuration changes asynchronously and as soon as possible. Any changes available in the pending modifications queue are also applied with this request. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your database application. If you skip adding the --apply-immediately parameter to the command request, Amazon RDS will apply your changes during the next maintenance window. Your database application may experience a significant performance impact when converting your database instance to a Multi-AZ configuration. This impact will be more noticeable on database instances with large amounts of storage and write-intensive workloads:
aws rds modify-db-instance --region us-east-1 --db-instance-identifier cc-project5-mysql-database --multi-az --apply-immediately
02 The command output should return the configuration metadata for the modified database instance:
{ "DBInstance": { "PubliclyAccessible": true, "MasterUsername": "ccadmin", "MonitoringInterval": 0, "LicenseModel": "general-public-license", "VpcSecurityGroups": [ { "Status": "active", "VpcSecurityGroupId": "sg-0abcd1234abcd1234" }, { "Status": "active", "VpcSecurityGroupId": "sg-abcd1234" } ], "InstanceCreateTime": "2021-05-12T08:00:00.677Z", "CopyTagsToSnapshot": true, "OptionGroupMemberships": [ { "Status": "in-sync", "OptionGroupName": "default:mysql-5-7" } ], "PendingModifiedValues": { "MultiAZ": true }, "Engine": "mysql", "MultiAZ": false, "DBSecurityGroups": [], "DBParameterGroups": [ { "DBParameterGroupName": "default.mysql5.7", "ParameterApplyStatus": "in-sync" } ], "PerformanceInsightsEnabled": true, "AutoMinorVersionUpgrade": true, "PreferredBackupWindow": "06:02-06:32", "DBSubnetGroup": { "Subnets": [ { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-abcd1234", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1d" } }, { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-1234abcd", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1e" } }, { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-abcdabcd", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1b" } }, { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-12341234", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1a" } }, { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-abcd1234", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1f" } }, { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-1234abcd", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1c" } } ], "DBSubnetGroupName": "default-vpc-abcdabcd", "VpcId": "vpc-abcdabcd", "DBSubnetGroupDescription": "Created from the AWS Management Console", "SubnetGroupStatus": "Complete" }, "ReadReplicaDBInstanceIdentifiers": [], "AllocatedStorage": 70, "DBInstanceArn": "arn:aws:rds:us-east-1:123456789012:db:cc-project5-mysql-database", "BackupRetentionPeriod": 0, "PreferredMaintenanceWindow": "thu:03:27-thu:03:57", "Endpoint": { "HostedZoneId": "ABCDABCDABCD", "Port": 3306, "Address": "cc-project5-mysql-database.abcdabcdabcd.us-east-1.rds.amazonaws.com" }, "DBInstanceStatus": "available", "IAMDatabaseAuthenticationEnabled": true, "EngineVersion": "5.7.30", "DeletionProtection": true, "AvailabilityZone": "us-east-1a", "DomainMemberships": [], "StorageType": "gp2", "DbiResourceId": "db-ABCDABCDABCDABCDABCDABCDAB", "CACertificateIdentifier": "rds-ca-2019", "StorageEncrypted": true, "AssociatedRoles": [], "DBInstanceClass": "db.t3.medium", "DbInstancePort": 0, "DBInstanceIdentifier": "cc-project5-mysql-database" } }
03 Repeat steps no. 1 and 2 for each Amazon RDS database instance available in the selected AWS region.
04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
References
- AWS Documentation
- Amazon RDS FAQs
- Amazon RDS Multi-AZ
- Multi-AZ deployments for high availability
- What is Amazon Relational Database Service (Amazon RDS)?
- AWS Command Line Interface (CLI) Documentation
- rds
- describe-db-clusters
- modify-db-cluster
- AWS Blog(s)
- Amazon RDS for SQL Server With Multi-AZ
- CloudFormation Documentation
- Amazon Relational Database Service resource type reference
- Terraform Documentation
- AWS Provider
Related RDS rules
- Security Groups Events Subscriptions (Reliability, performance-efficiency, operational-excellence)
- Enable Serverless Log Exports (Security, reliability, performance-efficiency, operational-excellence)
- Instance Level Events Subscriptions (Reliability, performance-efficiency, operational-excellence)
- RDS Sufficient Backup Retention Period (Reliability)