
🛡️ AWS RDS Cluster Backup Retention Period is less than 7 days🟢

Description

This policy identifies AWS RDS DB clusters that retain automated backups for fewer than 7 days.

Automated backups support point-in-time recovery and let a cluster-based database service be restored after accidental changes, data corruption, operational mistakes, or service disruption. Point-in-time recovery can only reach back as far as the retention period, so a short retention window leaves fewer recent restore points available when an incident is detected, especially one that is only noticed days after it occurred.

Rationale

Maintaining at least 7 days of backup retention improves resilience by preserving a sufficient recovery window for investigation, rollback, and restoration activities. This is particularly important for business-critical database workloads where recovery objectives depend on having recent restore points readily available.

Impact

Increasing the backup retention period can increase backup storage costs. Organizations should balance retention costs against recovery requirements, data criticality, and internal resilience standards.

Audit

This policy flags an AWS RDS Cluster as INCOMPLIANT when its Backup Retention Period (the BackupRetentionPeriod attribute of the DB cluster) is less than 7 days.

Remediation

Set Backup Retention to at Least 7 Days

Update the affected cluster configuration to retain automated backups for at least 7 days.

From Command Line

Amazon RDS DB Clusters

Use the following AWS CLI command for Aurora DB clusters and RDS Multi-AZ MySQL or PostgreSQL DB clusters:

aws rds modify-db-cluster \
--db-cluster-identifier {{db-cluster-id}} \
--backup-retention-period 7 \
--apply-immediately

Amazon DocumentDB Clusters

Use the docdb namespace for Amazon DocumentDB clusters:

aws docdb modify-db-cluster \
--db-cluster-identifier {{db-cluster-id}} \
--backup-retention-period 7 \
--apply-immediately

Amazon Neptune DB Clusters

Use the neptune namespace for Amazon Neptune DB clusters:

aws neptune modify-db-cluster \
--db-cluster-identifier {{db-cluster-id}} \
--backup-retention-period 7 \
--apply-immediately

Use a higher value if your organization's backup policy requires a longer recovery window; Aurora, DocumentDB and Neptune clusters all accept a retention period of 1 to 35 days, and 0 (no automated backups) is not an option at the cluster level. The retention period is a cluster attribute, so it is set once with modify-db-cluster rather than on each DB instance in the cluster. To defer the change until the next maintenance window, replace --apply-immediately with --no-apply-immediately, which all three commands above accept. After the change, confirm it with describe-db-clusters in the same namespace and check that BackupRetentionPeriod reports 7 or more.
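The audit rule and the per-service remediation above can be combined into a small script that evaluates the JSON returned by `aws rds describe-db-clusters` and emits the matching modify-db-cluster command for each finding. This is an added example, not code from the policy page, from Cloudaware or from AWS. It assumes that DocumentDB and Neptune clusters appear in that output with Engine values "docdb" and "neptune" (every other engine string is routed to the plain rds namespace), and the SAMPLE record set is constructed for the example rather than captured from a real account.

```python
"""Audit helper for the 'RDS cluster backup retention period < 7 days' policy.

Added example, not code from the policy page or from AWS. It evaluates the
JSON shape returned by `aws rds describe-db-clusters` and builds the matching
modify-db-cluster remediation command per engine family. Assumptions: DocumentDB
and Neptune clusters appear in that output with Engine "docdb" / "neptune"; the
SAMPLE data below is constructed, not captured from a real account.
"""

MIN_RETENTION_DAYS = 7   # threshold the policy audits against
MAX_RETENTION_DAYS = 35  # service maximum for Aurora, DocumentDB and Neptune clusters

# CLI namespace that owns modify-db-cluster for each engine family; every other
# Engine string (aurora-mysql, aurora-postgresql, mysql, postgres) is plain "rds".
ENGINE_NAMESPACE = {"docdb": "docdb", "neptune": "neptune"}


def cli_namespace(engine):
    """Map a DBCluster Engine value to the AWS CLI service namespace."""
    return ENGINE_NAMESPACE.get(engine, "rds")


def valid_retention(days):
    """Clusters accept 1..35 days; 0 (no automated backups) is not a cluster option."""
    return isinstance(days, int) and 1 <= days <= MAX_RETENTION_DAYS


def noncompliant_clusters(describe_output, minimum_days=MIN_RETENTION_DAYS):
    """Return (identifier, engine, retention) for every cluster below the threshold.

    A cluster whose BackupRetentionPeriod is missing is reported too: the audit
    cannot prove compliance from the record, so it is treated as a finding.
    """
    findings = []
    for cluster in describe_output.get("DBClusters", []):
        retention = cluster.get("BackupRetentionPeriod")
        if retention is None or retention < minimum_days:
            findings.append((cluster["DBClusterIdentifier"],
                             cluster.get("Engine", ""), retention))
    return findings


def remediation_command(identifier, engine, target_days=MIN_RETENTION_DAYS,
                        apply_immediately=True):
    """Build the modify-db-cluster command from the page for one finding."""
    if not valid_retention(target_days):
        raise ValueError(
            f"backup retention must be 1..{MAX_RETENTION_DAYS} days, got {target_days!r}")
    timing = "--apply-immediately" if apply_immediately else "--no-apply-immediately"
    return (f"aws {cli_namespace(engine)} modify-db-cluster "
            f"--db-cluster-identifier {identifier} "
            f"--backup-retention-period {target_days} {timing}")


def audit(describe_output, target_days=MIN_RETENTION_DAYS, apply_immediately=True):
    """Return one remediation command per cluster below target_days.

    Clusters already at or above the target are left alone, so re-running the
    audit never lowers a longer retention period that an organisation chose.
    """
    return [remediation_command(ident, engine, target_days, apply_immediately)
            for ident, engine, _ in noncompliant_clusters(describe_output, target_days)]


# Constructed sample in describe-db-clusters shape (not real account data).
SAMPLE = {
    "DBClusters": [
        {"DBClusterIdentifier": "orders-aurora", "Engine": "aurora-postgresql",
         "BackupRetentionPeriod": 3},
        {"DBClusterIdentifier": "catalog-docdb", "Engine": "docdb",
         "BackupRetentionPeriod": 7},
        {"DBClusterIdentifier": "graph-neptune", "Engine": "neptune",
         "BackupRetentionPeriod": 1},
        {"DBClusterIdentifier": "billing-mysql", "Engine": "mysql",
         "BackupRetentionPeriod": 14},
    ]
}

if __name__ == "__main__":
    # Prints one command for orders-aurora (rds) and one for graph-neptune (neptune).
    for command in audit(SAMPLE):
        print(command)
```

To run it against a real account, pipe `aws rds describe-db-clusters --output json` into `json.load` and pass the result to `audit`; the emitted commands are meant to be reviewed before execution, since raising retention changes storage cost as noted under Impact.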


Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period | | | 1 | | no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.5] Neptune DB clusters should have automated backups enabled | | | 1 | | no data
💼 Cloudaware Framework → 💼 Data Protection and Recovery | | | 23 | | no data
💼 FedRAMP High Security Controls → 💼 SI-12 Information Management and Retention (L)(M)(H) | | | 8 | | no data
💼 FedRAMP Low Security Controls → 💼 SI-12 Information Management and Retention (L)(M)(H) | | | 8 | | no data
💼 FedRAMP Moderate Security Controls → 💼 SI-12 Information Management and Retention (L)(M)(H) | | | 8 | | no data
💼 NIST CSF v2.0 → 💼 ID.AM-07: Inventories of data and corresponding metadata for designated data types are maintained | | | 8 | | no data
💼 NIST CSF v2.0 → 💼 ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles | | | 28 | | no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-12 Information Management and Retention | | | 38 | | no data
💼 PCI DSS v3.2.1 → 💼 3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies. | | | 1 | | no data
💼 PCI DSS v4.0.1 → 💼 3.2.1 Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes. | | | 1 | | no data
💼 PCI DSS v4.0 → 💼 3.2.1 Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes. | | | 1 | | no data