🛡️ AWS RDS Snapshot is 90 days old or more🟢

• Contextual name: 🛡️ Snapshot is 90 days old or more🟢
• ID: /ce/ca/aws/rds/snapshot-old
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: COST

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS RDS Snapshot
  • 🔌 AWS RDS Snapshot - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

This policy identifies Amazon RDS Snapshots that are 90 days old or more.

Rationale

Retaining database snapshots beyond their useful lifecycle can lead to unnecessary storage costs, particularly in environments with frequent backups. Regularly reviewing and removing outdated snapshots that are no longer required for business or compliance purposes supports both cost optimization and effective data lifecycle management.

Impact

Deleting snapshots that are still required for disaster recovery or compliance may result in data loss. Always confirm the snapshot’s purpose before removal.

Audit

This policy flags an AWS RDS Snapshot as INCOMPLIANT if its Snapshot Create Time, the timestamp marking snapshot creation, exceeds 90 days.

RDS Snapshots with a State other than available are marked as INAPPLICABLE.

Remediation

Open File

Remediation

If a snapshot is no longer required for operational use consider deleting it. If it must be retained for compliance or archival purposes, you can archive it to Amazon S3.

Delete the Snapshot

From Command Line

aws rds delete-db-snapshot \
    --db-snapshot-identifier {{db-snapshot-id}}

Archive the Snapshot to Amazon S3

Prerequisites

From Command Line

1. Before exporting DB snapshot data to Amazon S3, you must grant the snapshot export task write access to the target bucket. Create an IAM Policy that grants the required permissions:

aws iam create-policy  --policy-name {{export-policy}} --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExportPolicy",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject*",
                "s3:ListBucket",
                "s3:GetObject*",
                "s3:DeleteObject*",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::{{bucket-name}}",

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 Cloudaware Framework → 💼 Waste Reduction			25		no data