Protect Your Amazon RDS

Once you have registered your AWS account, you are ready to protect the RDS of your AWS account. You can protect the RDS using either the AWS Snapshot protection method or the Cohesity Ingest protection method.

  • With the AWS Snapshot protection method, Cohesity protects the RDS of your AWS account at the instance level.

  • With the Amazon RDS Ingest protection method, Cohesity protects the RDS of your AWS account at the database level.

    To protect the RDS of your AWS account at the database level using the Amazon RDS Ingest method, you must provide the credentials of the RDS instance while creating the protection. By providing the credentials, Cohesity discovers the databases as objects for protection. For the list of supported RDS databases for protection, see supported-software-dataprotect.htm.

    Cohesity performs only full backups of RDS using the Amazon RDS Ingest method. Incremental backup is not supported in the Amazon RDS Ingest method.

If you have already registered your AWS account to protect AWS S3 or AWS EC2 workloads, then you must Update the Existing CloudFormation Template to update the Cohesity permissions in your AWS account.

For information on the prerequisites and considerations, see AWS Ports and Account Requirements and Considerations.

To protect your Amazon RDS:

  1. In DataProtect as a Service, navigate to Sources.

  2. Find the registered AWS account and click into it.

  3. Click the RDS: Aurora + Postgres tab.

  4. Click the Hierarchy View icon located at the right corner of the page.

  5. Perform one of the following steps based on the protection type method you prefer:

    • AWS Snapshot method:

      1. Use the checkboxes to select the RDS instances for protection. You can also select the RDS instances at various hierarchy levels (AWS account level, region, and availability zone) by selecting Select All Child Objects, provided the instances are of the same type at the level you select for protection.

      2. Optionally, you can auto-protect the RDS instances at various hierarchy levels- account level, AWS region level, or Availability zone level. The auto-protect option enables you to automatically protect the new RDS instances that are added.

        • To auto-protect the RDS instances at AWS account-level, select the checkbox of the AWS account, and then select Auto Protect This AWS.

        • To auto-protect the RDS instances at the AWS region level, select the checkbox of the region, and then select Auto Protect This Region.

        • To auto-protect the RDS instances at the AWS availability zone level, select the checkbox of the availability zone, and then select Auto Protect This Availability Zone.

      3. Click the Protect icon above the checkboxes.

        In the New Protection dialog, the AWS Snapshot-based policy is enabled by default. Create or select an existing policy from the Policy(AWS Snapshot) drop-down.

    • Amazon RDS Ingest method:

      1. Select the RDS instance having the databases to protect. You can also select the RDS instances at various hierarchy levels- AWS account level, region, and availability zone by selecting Select All Child.

      2. Click Database Credentials above the checkboxes.

        The Backup Database Credentials page appears.

      3. Click + Add Credential.

      4. Select the Type of database you want to discover for protection:

        • PostgreSQL

        • Aurora PostgreSQL

      5. Select one of the following authentication methods:

        • Credentials: Enter the Username, and Enter Password for the RDS instance.

        • IAM Authentication: Enter the Username for IAM authentication.

          Ensure the username you provide has the following permissions:

          • GRANT rds_iam TO <username>

          • GRANT pg_read_all_data TO <username>

          • GRANT pg_write_all_data TO <username>

          • ALTER USER <username> CREATEDB

        • Kerberos Authentication: Enter the Username, Enter Password, Real Name, Active Directory DNS Address.

          Ensure the username you provide has the following permissions:

          • GRANT rds_ad TO <username>

          • GRANT pg_read_all_data TO <username>

          • GRANT pg_write_all_data TO <username>

          • ALTER USER <username> CREATEDB

      6. Click Add Credentials and follow the two steps above to discover a database of a different type.

      7. Click Save.

      8. Optionally, you can auto-protect databases of the RDS instances. The auto-protect option enables you to automatically protect the new RDS databases that are added. To auto-protect the database, click the checkbox of the RDS instance. Depending on the databases on the RDS instance, one of the following options is displayed.

        • Auto Protect This RDS: If the databases on the RDS instances are PostgreSQL.

        • Auto Protect This Aurora Cluster: If the databases on the RDS instances are Aurora.

      9. Click the Protect icon above the checkboxes.

        In the New Protection dialog, the Cohesity ingest-based policy is enabled by default. Create or select an existing policy from the Policy(Cohesity Ingest) drop-down.

    If you are protecting RDS instances with discovered databases, both the AWS snapshot and Cohesity Ingest policy options will be available. Depending on the policy you choose, the RDS instances will be protected either at the instance level or at the database level. If you select both policies, the RDS instances will be protected at both the instance level and the database level.

  6. To change or configure any of the additional settings, select More Options and perform the below steps or else, click Protect.

  7. Under Settings, edit the Start Time if necessary.

  8. Under Additional Settings, configure the following option:

    • Cancel Runs at Quiet Time Start: (Available only if the selected policy has at least one Quiet Time) When enabled, all the protection runs that are currently executing will cancel when the Quiet Time period starts. By default, this setting is disabled, meaning that after a protection run starts, it continues to execute even when a Quiet Time period starts. However, new protection runs will not start during a Quiet Time.

  9. Click Protect.