Check if RDS Clusters Are Protected by a Backup Plan

Overview

This check verifies that your Amazon RDS database clusters are protected by an AWS Backup plan. AWS Backup provides centralized, automated backup management across AWS services, ensuring your databases are regularly backed up according to defined schedules and retention policies.

Risk

Without a backup plan protecting your RDS clusters:

• Data loss: Accidental deletion, corruption, or ransomware attacks may become unrecoverable
• Extended downtime: Recovering from incidents without backups can take significantly longer
• Compliance violations: Many regulatory frameworks require documented backup procedures
• Business impact: Critical data loss can result in significant operational and financial consequences

Remediation Steps

Prerequisites

• AWS account access with permissions to manage AWS Backup and IAM roles
• Identify which RDS clusters need backup protection

Required IAM permissions

To configure AWS Backup for RDS clusters, you need permissions including:

• backup:CreateBackupPlan
• backup:CreateBackupSelection
• backup:CreateBackupVault
• iam:CreateRole
• iam:AttachRolePolicy
• iam:PassRole

The AWS managed policy AWSBackupFullAccess includes these permissions.

AWS Console Method

1. Open AWS Backup: Go to the AWS Backup console

2. Enable RDS in AWS Backup settings (if not already enabled):

   • In the left navigation, click Settings
   • Under "Service opt-in", ensure RDS is enabled
   • Click Configure resources if you need to enable it

3. Create a backup plan:

   • Click Backup plans in the left navigation
   • Click Create backup plan
   • Choose Build a new plan (or use a template)
   • Enter a name like rds-cluster-backup-plan
   • Add a backup rule:
     • Rule name: DailyBackup
     • Backup vault: Select an existing vault or create new
     • Backup frequency: Daily
     • Backup window: Use defaults or customize
     • Retention period: 35 days (adjust based on your requirements)
   • Click Create plan

4. Assign RDS clusters to the plan:

   • On your backup plan page, click Assign resources
   • Enter a resource assignment name like rds-clusters
   • For IAM role, select Default role or choose an existing backup role
   • Under "Resource selection":
     • Choose Include specific resource types
     • Select RDS from the dropdown
     • Choose All clusters or select specific clusters
   • Click Assign resources

5. Verify the assignment: Your RDS clusters should now appear in the backup plan's resource assignments

AWS CLI

Step 1: Create or identify a backup plan

If you need to create a new backup plan:

aws backup create-backup-plan \
  --region us-east-1 \
  --backup-plan '{
    "BackupPlanName": "rds-cluster-backup-plan",
    "Rules": [{
      "RuleName": "DailyBackup",
      "TargetBackupVaultName": "Default",
      "ScheduleExpression": "cron(0 5 ? * * *)",
      "StartWindowMinutes": 60,
      "CompletionWindowMinutes": 120,
      "Lifecycle": {
        "DeleteAfterDays": 35
      }
    }]
  }'

Note the BackupPlanId from the output.

Step 2: Create a backup selection to assign RDS clusters

Replace <backup-plan-id> with your backup plan ID and <account-id> with your AWS account ID:

aws backup create-backup-selection \
  --region us-east-1 \
  --backup-plan-id <backup-plan-id> \
  --backup-selection '{
    "SelectionName": "rds-clusters",
    "IamRoleArn": "arn:aws:iam::<account-id>:role/service-role/AWSBackupDefaultServiceRole",
    "Resources": ["arn:aws:rds:*:*:cluster:*"]
  }'

Alternative: Assign specific clusters by tag

To back up only clusters with a specific tag (e.g., backup=enabled):

aws backup create-backup-selection \
  --region us-east-1 \
  --backup-plan-id <backup-plan-id> \
  --backup-selection '{
    "SelectionName": "tagged-rds-clusters",
    "IamRoleArn": "arn:aws:iam::<account-id>:role/service-role/AWSBackupDefaultServiceRole",
    "ListOfTags": [{
      "ConditionType": "STRINGEQUALS",
      "ConditionKey": "backup",
      "ConditionValue": "enabled"
    }]
  }'

CloudFormation

This template creates a complete backup solution for RDS clusters:

AWSTemplateFormatVersion: '2010-09-09'
Description: AWS Backup plan for RDS clusters

Parameters:
  BackupVaultName:
    Type: String
    Default: Default
    Description: Name of the backup vault to store backups

Resources:
  RDSBackupPlan:
    Type: AWS::Backup::BackupPlan
    Properties:
      BackupPlan:
        BackupPlanName: rds-cluster-backup-plan
        BackupPlanRule:
          - RuleName: DailyBackup
            TargetBackupVault: !Ref BackupVaultName
            ScheduleExpression: cron(0 5 ? * * *)
            StartWindowMinutes: 60
            CompletionWindowMinutes: 120
            Lifecycle:
              DeleteAfterDays: 35

  RDSBackupRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AWSBackupRDSRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: backup.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores

  RDSBackupSelection:
    Type: AWS::Backup::BackupSelection
    Properties:
      BackupPlanId: !Ref RDSBackupPlan
      BackupSelection:
        SelectionName: rds-clusters
        IamRoleArn: !GetAtt RDSBackupRole.Arn
        Resources:
          - arn:aws:rds:*:*:cluster:*

Outputs:
  BackupPlanId:
    Description: ID of the created backup plan
    Value: !Ref RDSBackupPlan
  BackupPlanArn:
    Description: ARN of the created backup plan
    Value: !GetAtt RDSBackupPlan.BackupPlanArn

Deploy the stack:

aws cloudformation deploy \
  --region us-east-1 \
  --template-file rds-backup-plan.yaml \
  --stack-name rds-cluster-backup \
  --capabilities CAPABILITY_NAMED_IAM

Terraform

variable "backup_vault_name" {
  description = "Name of the backup vault"
  type        = string
  default     = "Default"
}

variable "retention_days" {
  description = "Number of days to retain backups"
  type        = number
  default     = 35
}

# IAM role for AWS Backup
resource "aws_iam_role" "backup_role" {
  name = "AWSBackupRDSRole"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Service = "backup.amazonaws.com"
        }
        Action = "sts:AssumeRole"
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "backup_policy" {
  role       = aws_iam_role.backup_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
}

resource "aws_iam_role_policy_attachment" "restore_policy" {
  role       = aws_iam_role.backup_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores"
}

# Backup plan for RDS clusters
resource "aws_backup_plan" "rds_clusters" {
  name = "rds-cluster-backup-plan"

  rule {
    rule_name         = "DailyBackup"
    target_vault_name = var.backup_vault_name
    schedule          = "cron(0 5 ? * * *)"
    start_window      = 60
    completion_window = 120

    lifecycle {
      delete_after = var.retention_days
    }
  }
}

# Backup selection to include all RDS clusters
resource "aws_backup_selection" "rds_clusters" {
  name         = "rds-clusters"
  plan_id      = aws_backup_plan.rds_clusters.id
  iam_role_arn = aws_iam_role.backup_role.arn

  resources = [
    "arn:aws:rds:*:*:cluster:*"
  ]
}

output "backup_plan_id" {
  description = "ID of the created backup plan"
  value       = aws_backup_plan.rds_clusters.id
}

output "backup_plan_arn" {
  description = "ARN of the created backup plan"
  value       = aws_backup_plan.rds_clusters.arn
}

Apply the configuration:

terraform init
terraform plan
terraform apply

Verification

After implementing the backup plan:

1. Check in AWS Console:

   • Go to AWS Backup > Protected resources
   • Filter by resource type RDS
   • Verify your clusters appear with a backup plan assigned

2. Re-run the Prowler check:

   prowler aws --check rds_cluster_protected_by_backup_plan --region us-east-1

CLI verification commands

List all backup plans:

aws backup list-backup-plans --region us-east-1

View resources assigned to a specific backup plan:

aws backup list-backup-selections \
  --region us-east-1 \
  --backup-plan-id <backup-plan-id>

List protected RDS resources:

aws backup list-protected-resources \
  --region us-east-1 \
  --query "Results[?ResourceType=='RDS']"

Additional Resources

• AWS Backup Developer Guide
• Working with RDS in AWS Backup
• AWS Backup pricing
• Creating a backup plan

Notes

• Cost considerations: AWS Backup charges for backup storage and data transfer. Review pricing before implementing.

• Existing RDS automated backups: RDS clusters have their own automated backup feature. AWS Backup provides additional benefits including centralized management, cross-account/cross-region copies, and longer retention options.

• Backup vault lock: For enhanced protection against ransomware, consider enabling vault lock to make backups immutable.

• Recovery testing: Regularly test your backup recovery procedures to ensure your RPO (Recovery Point Objective) and RTO (Recovery Time Objective) requirements are met.

• Multi-region protection: For disaster recovery, consider configuring cross-region backup copies in your backup plan rules.

• Compliance frameworks: This check maps to requirements in C5, CCC, KISA-ISMS-P, NIS2, and PCI frameworks.