
🛡️ AWS RDS Instance automated backups are not enabled🟢

Description

Ensure that Amazon Relational Database Service (RDS) instances have automated backups enabled.

Automated backups let you restore a DB instance to any point in time within the configured retention period, which can be 1 to 35 days (0 disables automated backups). When they are enabled, RDS takes a storage-volume snapshot of the whole DB instance once a day during your preferred backup window and uploads transaction logs to S3 every five minutes as updates are made, so point-in-time recovery is possible up to the latest restorable time, typically within the last five minutes.

Rationale

Setting the retention period to 0 disables automated backups and with them point-in-time recovery. After data corruption, accidental deletion, a bad migration or an infrastructure failure, the only restore points left are manual snapshots, so any data written since the last manual snapshot is lost.

Audit

This policy flags an AWS RDS Instance as INCOMPLIANT if the Backup Retention Period is set to 0.

Remediation

Enable Automated Backups

From Command Line

To enable automated backups for a DB instance, use the modify-db-instance command. Set --backup-retention-period to the number of days to retain (1 to 35) and decide whether to apply the change immediately:

aws rds modify-db-instance \
--db-instance-identifier {{db-instance}} \
--backup-retention-period 3 \
--apply-immediately

For Multi-AZ DB clusters (and Aurora DB clusters), the retention period is a cluster-level setting, so use the modify-db-cluster command instead:

aws rds modify-db-cluster \
--db-cluster-identifier {{db-cluster}} \
--backup-retention-period 3 \
--apply-immediately

Pass --apply-immediately to apply the change right away, or --no-apply-immediately to defer it to the next maintenance window. Changing the retention period from 0 to a nonzero value (or from a nonzero value back to 0) causes an outage on the DB instance, so schedule the change for a window your application tolerates; changes between two nonzero values are applied without an outage.
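The audit rule above (retention 0 is INCOMPLIANT) and the remediation commands are short enough to script against the CLI's own output. The following is an added example written for this page, not code from the policy tool or from AWS: it reads the JSON printed by aws rds describe-db-instances (or describe-db-clusters) from stdin, reports every resource whose retention is below a minimum, and emits the matching modify-db-instance or modify-db-cluster command from the remediation section. The min_days parameter generalises the page's check: 1 is exactly the page's rule, a higher value such as 7 enforces a stricter organisational floor. When run with no piped input it audits a constructed sample embedded in the file; all identifiers in that sample are made up.

```python
"""Audit RDS resources for disabled (or too short) automated backups.

Added example; it is not part of this policy page or of the tool behind it.
It applies the page's rule (BackupRetentionPeriod == 0 is INCOMPLIANT) to the
JSON printed by `aws rds describe-db-instances` / `describe-db-clusters`,
read from stdin, or to a constructed sample when run with no piped input.
"""
import json
import sys

# Constructed sample in the shape of `aws rds describe-db-instances` output,
# trimmed to the fields the check uses. Identifiers are made up.
SAMPLE = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres",
         "BackupRetentionPeriod": 7},
        {"DBInstanceIdentifier": "analytics-scratch", "Engine": "mysql",
         "BackupRetentionPeriod": 0},
        # Members of a cluster report the cluster's retention; the fix has to
        # be applied with modify-db-cluster, as the remediation section says.
        {"DBInstanceIdentifier": "aurora-writer", "Engine": "aurora-postgresql",
         "BackupRetentionPeriod": 1, "DBClusterIdentifier": "aurora-main"},
        {"DBInstanceIdentifier": "aurora-reader", "Engine": "aurora-postgresql",
         "BackupRetentionPeriod": 1, "DBClusterIdentifier": "aurora-main"},
    ]
}


def find_noncompliant(describe_output, min_days=1):
    """Return one finding per resource whose retention is below `min_days`.

    min_days=1 is exactly this page's policy (0 means backups are off); a
    stricter floor such as 7 is a generalisation of it. Each finding names
    the resource that must be modified: the instance itself, or its cluster
    when the instance belongs to one.
    """
    findings = []
    for item in describe_output.get("DBInstances", []):
        retention = int(item.get("BackupRetentionPeriod", 0))
        if retention >= min_days:
            continue
        ident = item["DBInstanceIdentifier"]
        cluster = item.get("DBClusterIdentifier")
        findings.append({
            "resource": ident,
            "retention": retention,
            "target": ("cluster", cluster) if cluster else ("instance", ident),
        })
    for item in describe_output.get("DBClusters", []):
        retention = int(item.get("BackupRetentionPeriod", 0))
        if retention < min_days:
            ident = item["DBClusterIdentifier"]
            findings.append({"resource": ident, "retention": retention,
                             "target": ("cluster", ident)})
    return findings


def remediation_commands(findings, retention_days=3):
    """Build the page's modify-db-instance / modify-db-cluster commands, one
    per distinct target (several members of one cluster yield one command)."""
    if not 1 <= retention_days <= 35:
        raise ValueError("RDS accepts a retention period of 1 to 35 days")
    commands, seen = [], set()
    for finding in findings:
        kind, ident = finding["target"]          # kind is "instance" or "cluster"
        if (kind, ident) in seen:
            continue
        seen.add((kind, ident))
        commands.append(
            f"aws rds modify-db-{kind} --db-{kind}-identifier {ident} "
            f"--backup-retention-period {retention_days} --apply-immediately"
        )
    return commands


if __name__ == "__main__":
    # Usage: aws rds describe-db-instances | python3 rds_backup_audit.py [MIN_DAYS]
    # Without piped input the constructed SAMPLE above is audited instead.
    min_days = int(sys.argv[1]) if len(sys.argv) > 1 else 1
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    found = find_noncompliant(data, min_days)
    for f in found:
        print(f"INCOMPLIANT {f['resource']}: BackupRetentionPeriod={f['retention']} (< {min_days})")
    for cmd in remediation_commands(found):
        print("  fix:", cmd)
    sys.exit(1 if found else 0)
```

Run it once per region and once more against describe-db-clusters output, since clusters are not listed by describe-db-instances. The same one-line audit can be done with the CLI alone using a JMESPath filter, aws rds describe-db-instances --query 'DBInstances[?BackupRetentionPeriod==`0`].DBInstanceIdentifier' --output text, which is also the quickest way to confirm the fix after modify-db-instance has been applied.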


Linked Framework Sections

AWS Foundational Security Best Practices v1.0.0 → [RDS.11] RDS instances should have automatic backups enabled
AWS Well-Architected → REL09-BP01 Identify and back up all data that needs to be backed up, or reproduce the data from sources
AWS Well-Architected → REL09-BP03 Perform data backup automatically
Cloudaware Framework → Data Protection and Recovery
FedRAMP High Security Controls → CP-6 Alternate Storage Site (M)(H)
FedRAMP High Security Controls → CP-6(1) Separation from Primary Site (M)(H)
FedRAMP High Security Controls → CP-6(2) Recovery Time and Recovery Point Objectives (H)
FedRAMP High Security Controls → CP-9 System Backup (L)(M)(H)
FedRAMP High Security Controls → CP-10 System Recovery and Reconstitution (L)(M)(H)
FedRAMP High Security Controls → SI-12 Information Management and Retention (L)(M)(H)
FedRAMP Low Security Controls → CP-9 System Backup (L)(M)(H)
FedRAMP Low Security Controls → CP-10 System Recovery and Reconstitution (L)(M)(H)
FedRAMP Low Security Controls → SI-12 Information Management and Retention (L)(M)(H)
FedRAMP Moderate Security Controls → CP-6 Alternate Storage Site (M)(H)
FedRAMP Moderate Security Controls → CP-6(1) Separation from Primary Site (M)(H)
FedRAMP Moderate Security Controls → CP-9 System Backup (L)(M)(H)
FedRAMP Moderate Security Controls → CP-10 System Recovery and Reconstitution (L)(M)(H)
FedRAMP Moderate Security Controls → SI-12 Information Management and Retention (L)(M)(H)
NIST CSF v2.0 → ID.AM-07: Inventories of data and corresponding metadata for designated data types are maintained
NIST CSF v2.0 → ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles
NIST CSF v2.0 → PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected
NIST CSF v2.0 → PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected
NIST CSF v2.0 → PR.DS-11: Backups of data are created, protected, maintained, and tested
NIST CSF v2.0 → PR.IR-04: Adequate resource capacity to ensure availability is maintained
NIST CSF v2.0 → RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process
NIST CSF v2.0 → RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed
NIST CSF v2.0 → RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration
NIST CSF v2.0 → RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed
NIST SP 800-53 Revision 5 → CP-6 Alternate Storage Site
NIST SP 800-53 Revision 5 → CP-6(1) Alternate Storage Site | Separation from Primary Site
NIST SP 800-53 Revision 5 → CP-6(2) Alternate Storage Site | Recovery Time and Recovery Point Objectives
NIST SP 800-53 Revision 5 → CP-9 System Backup
NIST SP 800-53 Revision 5 → CP-10 System Recovery and Reconstitution
NIST SP 800-53 Revision 5 → SC-5(2) Denial-of-service Protection | Capacity, Bandwidth, and Redundancy
NIST SP 800-53 Revision 5 → SI-12 Information Management and Retention
NIST SP 800-53 Revision 5 → SI-13(5) Predictable Failure Prevention | Failover Capability