AWS RDS Instance Without Automatic Backup Setting

This policy identifies RDS instances that do not have the Automatic Backup setting enabled. When Automatic Backup is enabled, RDS creates a storage volume snapshot of your DB instance, backing up the entire DB instance and not just individual databases, which provides for point-in-time recovery. The automatic backup runs during the specified backup window and is kept for a limited period of time, as defined by the retention period. It is recommended to enable automatic backups for your critical RDS servers, because they help in the data restoration process.

Policy Details

Policy Subtype
Run, Build
Template Type

Build Rules

AWS RDS instance without Automatic Backup setting.
JSON Query:
$.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.BackupRetentionPeriod any equal 0
Recommended solution for having Backup settings for RDS instances.
It is recommended to have a Backup setting for RDS instances. Make sure that the "BackupRetentionPeriod" attribute value is not equal to 0.
For example:
"MyDB1": {
  "Type": "AWS::RDS::DBInstance",
  "Properties": {
    "AllocatedStorage": "100",
    "DBInstanceClass": "db.t3.small",
    "BackupRetentionPeriod": 2
  }
}
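The build rule above can be reproduced locally before a template is committed. The following Python sketch is an added example, not the policy engine's own code; it goes beyond the JSON query by also flagging the string "0" and a plain Ref to a parameter whose default is 0. The function name audit_rds_backups, the Retention parameter and every resource other than MyDB1 are constructed for illustration.

```python
import json

# Constructed sample template; only MyDB1 mirrors the example on this page.
SAMPLE_TEMPLATE = json.loads("""
{
  "Parameters": {"Retention": {"Type": "Number", "Default": 0}},
  "Resources": {
    "MyDB1": {"Type": "AWS::RDS::DBInstance",
      "Properties": {"AllocatedStorage": "100", "DBInstanceClass": "db.t3.small", "BackupRetentionPeriod": 2}},
    "NoBackupDB": {"Type": "AWS::RDS::DBInstance",
      "Properties": {"DBInstanceClass": "db.t3.small", "BackupRetentionPeriod": 0}},
    "StringZeroDB": {"Type": "AWS::RDS::DBInstance",
      "Properties": {"DBInstanceClass": "db.t3.small", "BackupRetentionPeriod": "0"}},
    "ParamDB": {"Type": "AWS::RDS::DBInstance",
      "Properties": {"DBInstanceClass": "db.t3.small", "BackupRetentionPeriod": {"Ref": "Retention"}}}
  }
}
""")


def audit_rds_backups(template):
    """Return {logical_id: verdict} for every AWS::RDS::DBInstance in the template."""
    params = template.get("Parameters", {})
    results = {}
    for name, res in template.get("Resources", {}).items():
        if not isinstance(res, dict) or res.get("Type") != "AWS::RDS::DBInstance":
            continue
        value = (res.get("Properties") or {}).get("BackupRetentionPeriod")
        # Resolve a plain {"Ref": "<parameter>"} to that parameter's Default, if it has one.
        if isinstance(value, dict) and set(value) == {"Ref"}:
            value = params.get(value["Ref"], {}).get("Default", value)
        if value is None:
            results[name] = "unset"       # property omitted; the JSON query does not match it
        elif isinstance(value, dict):
            results[name] = "unresolved"  # intrinsic function; needs deploy-time values
        else:
            try:
                results[name] = "disabled" if int(value) == 0 else "enabled"
            except (TypeError, ValueError):
                results[name] = "unresolved"
    return results


if __name__ == "__main__":
    for logical_id, verdict in audit_rds_backups(SAMPLE_TEMPLATE).items():
        print(f"{logical_id}: {verdict}")
```

Resources reported as "unset" or "unresolved" are not violations of the rule as written, but they are the cases to review by hand, since the template alone does not show the retention period they will deploy with.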

Run Rule Recommendation

  1. Sign in to the AWS console.
  2. In the console, select the region for which the alert is generated from the region drop-down in the top right corner.
  3. Navigate to the Amazon RDS console.
  4. Choose Instances, and then select the reported DB instance.
  5. From the 'Instance Actions' drop-down list, choose 'Modify'.
  6. In the 'Backup' section:
    a. From the 'Backup Retention Period' drop-down list, select the number of days that RDS should retain automatic backups of this DB instance.
    b. Choose 'Start Time' and 'Duration' in 'Backup window', which is the daily time range (in UTC) during which automated backups are created.
  7. Click on 'Continue'.
  8. On the confirmation page, choose 'Modify DB Instance' to save your changes.


There is 1 standard that is applicable to this policy:
  • MITRE ATT&CK [Beta]

