RDS-003 RDS instance idle

Risk level: High

Rule ID: RDS-003

Any RDS instance that appears to be idle must be identified and deleted to lower your AWS monthly bill. nOps recommends that an RDS instance be considered 'idle' when it meets the following condition:

  • The average number of database connections has been 0 for the last 7 days.

The AWS CloudWatch metrics used to detect idle RDS instances are:

  • DatabaseConnections - the number of RDS database connections in use (Units: Count).

This rule can help you work with the AWS Well-Architected Framework.

You must check for idle instances regularly and terminate them in order to avoid unnecessary charges in your AWS Monthly bill.

However, it is important to consider the following things:

  • Backup your RDS databases before termination because once these instances are deleted, all their automated backups (snapshots) will be permanently lost.
  • It is important to know the role and the owner of an AWS RDS instance before you decide to remove it from your account. Hence, we assume that RDS instances are properly tagged to provide you with this information.
  • Ensure that the RDS instance you are terminating is not used in an application stack.

Audit

To identify any idle RDS database instances currently available within your AWS account, perform the following:

 

Using AWS Console

1. Log in to the AWS Management Console.
 
2. Navigate to the RDS dashboard at https://console.aws.amazon.com/rds/.
 
3. In the navigation panel, under RDS Dashboard, click DB Instances.
 
4. Select the RDS Instance that you want to examine.
 
5. Click the Monitoring tab from all tabs.
 
6. On the monitoring panel displayed for the selected instance, perform the following actions:
 
a. Click on the DB Connections (Count) usage graph thumbnail. This will open the database connection usage details. Set the following parameters:

  • From the Statistic dropdown list, select Average.
  • From the Time Range list, select Last 1 Week.
  • From the Period dropdown list, select 1 Hour.

b. Once the monitoring data is loaded, verify the number of database connections for the last 1 week. If the average usage (count) has been 0 for the last 7 days, the selected RDS instance qualifies as a candidate for an idle instance. Click the x (close) icon to return to the dashboard.


 
7. Now click on the Tags tab to examine the tags attached to the instance. This will help you determine the role and owner of the instance and decide whether it is safe to terminate it.
 
8. Repeat steps no. 4 – 7 to verify the DatabaseConnections metrics within the selected time frame and Tags for the rest of the RDS instances provisioned in the current region.
 
9. Change the AWS region from the navigation bar and repeat the audit process for the other regions.
 

Using AWS CLI

1. Run the describe-db-instances command (OSX/Linux/UNIX) using custom query filters to list the identifiers of all existing RDS instances in the selected region:

aws rds describe-db-instances \
	--region us-east-1 \
	--query 'DBInstances[*].DBInstanceIdentifier'

 
2. The command output should return a list of the Database Identifiers in the region:

[
    "database-2-instance-1",
    "database-wordpress",
    "exampledb"
]

 
3. Run get-metric-statistics command (OSX/Linux/UNIX) to get the statistics recorded by AWS CloudWatch for the DatabaseConnections metric, representing the number of RDS database connections in use.

a. Change the --start-time (start recording date) and --end-time (stop recording date) parameters to select a time range.

b. Set the --period parameter value to define the granularity based on your requirements. A period can be as short as one minute (60 seconds) or as long as one day (86400 seconds).

The following example returns the average database connections usage of an AWS RDS instance identified by the name exampledb, during a 7-day period using 1 hour granularity:

aws cloudwatch get-metric-statistics \
	--region us-east-1 \
	--metric-name DatabaseConnections \
	--start-time 2021-09-10T00:00:00 \
	--end-time 2021-09-17T00:00:00 \
	--period 3600 \
	--namespace AWS/RDS \
	--statistics Average \
	--dimensions Name=DBInstanceIdentifier,Value=exampledb

 
4. The command output should return the DatabaseConnections usage details as shown below:

{
    "Label": "DatabaseConnections",
    "Datapoints": [
        {
            "Timestamp": "2021-09-12T15:00:00+00:00",
            "Average": 0.0,
            "Unit": "Count"
        },
        {
            "Timestamp": "2021-09-15T22:00:00+00:00",
            "Average": 0.0,
            "Unit": "Count"
        },
        {
            "Timestamp": "2021-09-11T06:00:00+00:00",
            "Average": 0.0,
            "Unit": "Count"
        },
        {
            "Timestamp": "2021-09-14T13:00:00+00:00",
            "Average": 0.0,
            "Unit": "Count"
        },
        ...
        {
            "Timestamp": "2021-09-15T21:00:00+00:00",
            "Average": 0.0,
            "Unit": "Count"
        },
        {
            "Timestamp": "2021-09-11T05:00:00+00:00",
            "Average": 0.0,
            "Unit": "Count"
        },
        {
            "Timestamp": "2021-09-14T12:00:00+00:00",
            "Average": 0.0,
            "Unit": "Count"
        }
    ]
}

If the average number of database connections has been 0 for the last 7 days, the selected RDS instance qualifies as an idle instance.
 
 
5. Run the list-tags-for-resource command (OSX/Linux/UNIX) to list the existing tags for the selected RDS instance and determine its role and owner (we assume that the tags were applied correctly while provisioning the RDS instance):

aws rds list-tags-for-resource \
	--region us-east-1 \
	--resource-name arn:aws:rds:us-east-1:695292474035:db:exampledb

 
6. The command output would return the tags (key-value pairs) applied to the instance.

{
    "TagList": [
        {
            "Key": "Role",
            "Value": "Example"
        },
        {
            "Key": "Owner",
            "Value": "nOps"
        }
    ]
}

 
7. The Role and Owner tags values can be used to determine the instance role and contact its owner for more information. After this, you can decide whether it is safe to terminate this RDS instance or not.
 
8. Repeat steps no. 3 - 7 to verify the DatabaseConnections metrics usage within the specified time frame for the rest of the RDS instances available in the current region.
 
9. Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 8 to perform the audit process for other regions.
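The CLI audit above (steps 1 to 9) can be run as one script. The following example is added here and is not nOps tooling; it assumes the AWS CLI v2 with configured credentials, and GNU date for the start-time arithmetic (the macOS form is noted in a comment). The script names, the RUN_AUDIT/AWS_REGION variables and the function names are hypothetical. The one decision it adds to the page's procedure is a coverage check: a running instance publishes one hourly datapoint per hour, so fewer than 168 datapoints over 7 days means the instance was stopped or created inside the window, and the script reports that as "inconclusive" rather than "idle", because missing data is not evidence of zero connections.

```shell
#!/bin/sh
# rds_idle_audit.sh (hypothetical file name) - added example, not nOps tooling.
# Automates the CLI audit: list instances, pull 7 days of hourly
# DatabaseConnections averages, classify each instance, and print its tags.
# Assumes the AWS CLI v2 is installed and credentials are configured.

# Pure decision logic, testable offline.
#   $1 = whitespace-separated Average values, exactly what
#        `--query 'Datapoints[].Average' --output text` prints
#   $2 = number of datapoints a continuously running instance should have produced
# Prints one of: idle, active, inconclusive.
classify_datapoints() {
    printf '%s\n' "$1" | awk -v expected="$2" '
        {
            for (i = 1; i <= NF; i++) {
                # skip non-numeric tokens such as "None" from an empty result
                if ($i !~ /^[0-9.eE+-]+$/) continue
                n++
                if ($i + 0 > 0) active++
            }
        }
        END {
            if (active > 0)        print "active"
            else if (n < expected) print "inconclusive"
            else                   print "idle"
        }'
}

# Audit every RDS instance in one region. Output: one tab-separated line per
# instance: identifier, verdict, tags as Key=Value pairs.
audit_region() {
    region="$1"
    end=$(date -u +%Y-%m-%dT%H:00:00)
    # GNU date; on macOS use: date -u -v-7d +%Y-%m-%dT%H:00:00
    start=$(date -u -d '7 days ago' +%Y-%m-%dT%H:00:00)
    expected=168   # 7 days x 24 hourly datapoints at --period 3600

    aws rds describe-db-instances --region "$region" \
        --query 'DBInstances[*].[DBInstanceIdentifier,DBInstanceArn]' \
        --output text |
    while IFS="$(printf '\t')" read -r id arn; do
        values=$(aws cloudwatch get-metric-statistics --region "$region" \
            --namespace AWS/RDS --metric-name DatabaseConnections \
            --dimensions Name=DBInstanceIdentifier,Value="$id" \
            --start-time "$start" --end-time "$end" \
            --period 3600 --statistics Average \
            --query 'Datapoints[].Average' --output text)
        verdict=$(classify_datapoints "$values" "$expected")
        # Same lookup as step 5; the Role and Owner tags tell you whom to ask.
        tags=$(aws rds list-tags-for-resource --region "$region" \
            --resource-name "$arn" \
            --query 'TagList[].[Key,Value]' --output text |
            awk -F'\t' '{ printf "%s%s=%s", sep, $1, $2; sep="," }')
        printf '%s\t%s\t%s\n' "$id" "$verdict" "$tags"
    done
}

# Runs only when requested: RUN_AUDIT=1 AWS_REGION=us-east-1 sh rds_idle_audit.sh
if [ "${RUN_AUDIT:-0}" = "1" ]; then
    audit_region "${AWS_REGION:-us-east-1}"
fi
```

Run it once per region, exactly as step 9 prescribes for the manual procedure; only instances reported as "idle" are candidates, and the printed tags are the starting point for the owner check in step 7.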
 

Remediation / Resolution

To terminate (delete) any AWS RDS instances that are currently running in idle mode, perform the following actions:

 

Using AWS Console

1. Log in to the AWS Management Console.
 
2. Navigate to the RDS dashboard at https://console.aws.amazon.com/rds/.
 
3. In the navigation panel, under RDS Dashboard, click DB Instances.
 
4. Select the idle RDS Instance that you want to examine.
 
5. Click the Actions dropdown in the top-right corner and select Delete.
 
6. On the confirmation page, select the checkbox to create a final snapshot, enter a unique name for the final snapshot and type "delete me" in the confirmation text box.


 
7. Click the Delete button to terminate the instance.
 
8. Repeat steps no. 4 - 7 to delete any other idle RDS instances provisioned within the current region.
 
9. Change the AWS region from the navigation bar and repeat the process for other regions.
 

Using AWS CLI

1. Run the delete-db-instance command (OSX/Linux/UNIX) using the DB identifier and a unique name for your final snapshot as follows:

aws rds delete-db-instance \
	--region us-east-1 \
	--db-instance-identifier exampledb \
	--no-skip-final-snapshot \
	--final-db-snapshot-identifier exampledb-final-snapshot

 
2. The command output should return the metadata of the RDS instance as shown below:

{
    "DBInstance": {
        "DBInstanceIdentifier": "exampledb",
        "DBInstanceClass": "db.t2.micro",
        "Engine": "mysql",
        "DBInstanceStatus": "deleting",
        "MasterUsername": "exampleuser",
        "DBName": "exampledb",

        ...

        "TagList": [
            {
                "Key": "Role",
                "Value": "Example"
            },
            {
                "Key": "Owner",
                "Value": "nOps"
            }
        ],
        "CustomerOwnedIpEnabled": false
    }
}

 
3. Repeat step no. 1 and 2 to terminate any other idle RDS instances available in the current region.
 
4. Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
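The CLI remediation above assumes the final snapshot name is unique and that the instance can be deleted at all. The following example is added here and is not nOps tooling; it wraps the delete-db-instance call from step 1 with the checks a practitioner would want first, and its file name, function names and RUN_DELETE/AWS_REGION/DB_INSTANCE variables are hypothetical. It refuses to proceed when the snapshot identifier breaks the RDS naming rules (1 to 255 letters, digits or hyphens, starting with a letter, no trailing or doubled hyphen), when a snapshot of that name already exists, or when deletion protection is enabled on the instance, since delete-db-instance fails in each of those cases and clearing deletion protection should be a separate, deliberate decision.

```shell
#!/bin/sh
# rds_delete_idle.sh (hypothetical file name) - added example, not nOps tooling.
# Deletes one idle instance with a final snapshot, refusing to proceed when the
# snapshot name is invalid or already taken, or when deletion protection is on.

# RDS snapshot identifier rules: 1-255 letters, digits or hyphens; first
# character a letter; no trailing hyphen; no two consecutive hyphens.
valid_snapshot_identifier() {
    sid="$1"
    [ "${#sid}" -ge 1 ] && [ "${#sid}" -le 255 ] || return 1
    printf '%s' "$sid" | grep -Eq '^[A-Za-z][A-Za-z0-9-]*$' || return 1
    case "$sid" in
        *--*|*-) return 1 ;;
    esac
    return 0
}

# Dated final-snapshot name, e.g. exampledb-final-20210917 ($2 = YYYYMMDD)
final_snapshot_name() {
    printf '%s-final-%s' "$1" "$2"
}

delete_idle_instance() {
    region="$1"; id="$2"
    snap=$(final_snapshot_name "$id" "$(date -u +%Y%m%d)")

    valid_snapshot_identifier "$snap" || { echo "invalid snapshot name: $snap" >&2; return 1; }

    # delete-db-instance fails on a protected instance; do not silently clear the flag.
    protected=$(aws rds describe-db-instances --region "$region" \
        --db-instance-identifier "$id" \
        --query 'DBInstances[0].DeletionProtection' --output text)
    if [ "$protected" = "True" ]; then
        echo "$id has deletion protection enabled; not deleting" >&2
        return 1
    fi

    # An existing snapshot with this identifier would also make the delete fail.
    if aws rds describe-db-snapshots --region "$region" \
        --db-snapshot-identifier "$snap" >/dev/null 2>&1; then
        echo "snapshot $snap already exists; choose another name" >&2
        return 1
    fi

    aws rds delete-db-instance --region "$region" \
        --db-instance-identifier "$id" \
        --no-skip-final-snapshot \
        --final-db-snapshot-identifier "$snap" \
        --query 'DBInstance.DBInstanceStatus' --output text
    # Block until the instance is gone; the final snapshot stays behind.
    aws rds wait db-instance-deleted --region "$region" --db-instance-identifier "$id"
}

# Runs only when requested: RUN_DELETE=1 AWS_REGION=us-east-1 DB_INSTANCE=exampledb sh rds_delete_idle.sh
if [ "${RUN_DELETE:-0}" = "1" ]; then
    delete_idle_instance "${AWS_REGION:-us-east-1}" "${DB_INSTANCE:?set DB_INSTANCE}"
fi
```

The printed status is "deleting", matching the DBInstanceStatus shown in step 2; the wait call returns once the instance no longer exists, and the named final snapshot remains as the only copy of the data.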
 
