AWS DocumentDB Sufficient Backup Retention Period

Reliability

Risk level: Medium (should be achieved)

Ensure that your Amazon DocumentDB database clusters have a minimum backup retention period set, in order to fulfill your organization's compliance requirements. The retention period is the number of days that automated backups (snapshots) are retained before they are deleted. Cloud Conformity recommends a minimum retention period of 7 (seven) days, but you can adjust this threshold value within the conformity rule settings to narrow or extend the default retention period as required.

Setting a minimum retention period for Amazon DocumentDB clusters enforces a backup strategy for your AWS account that follows best practices and meets your organization's regulatory compliance requirements. DocumentDB cluster backups are continuous and incremental, allowing you to quickly restore to any point within the configured backup retention period (between 1 and 35 days). Retaining AWS DocumentDB backups for a longer period of time lets you handle the data restoration process more efficiently in the event of a failure. Note: This conformity rule uses 7 days (recommended) as the threshold for a sufficient backup retention period. However, you can adjust the number of days (up to 35) at any time to suit your organization's requirements.

Audit

To determine if your Amazon DocumentDB clusters have a sufficient backup retention period (≥ 7 days) set for automated backups, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to DocumentDB dashboard at https://console.aws.amazon.com/docdb/.

03 In the left navigation panel, select Clusters.

04 Choose the AWS DocumentDB cluster that you want to examine, then click on its name, available in the Cluster identifier column.

05 On the selected cluster configuration page, within the Cluster details section, check the value of the Automated backups configuration attribute to determine the number of days set to retain automated backups (if enabled). If the number of days configured as the backup retention period (i.e. the Automated backups attribute value) is less than 7 (seven) days, or less than the custom threshold value configured within your Cloud Conformity account, the selected Amazon DocumentDB cluster does not have a sufficient backup retention period configured.

06 Repeat steps no. 4 and 5 to verify the automated backups retention period for other Amazon DocumentDB database clusters available in the current region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the describe-db-clusters command (OSX/Linux/UNIX) to list the names of all DocumentDB clusters available within the selected AWS region:

aws docdb describe-db-clusters \
	--region us-east-1 \
	--output table \
	--query 'DBClusters[*].DBClusterIdentifier'

02 The command output should return a table with the requested cluster names:

----------------------
| DescribeDBClusters |
+--------------------+
|  cc-docdb-prod-db  |
|  cc-docdb-test-db  |
+--------------------+ 

03 Run the describe-db-clusters command (OSX/Linux/UNIX) using the name of the DocumentDB cluster that you want to examine as the identifier, together with a custom query filter, to return the backup retention period configured for the selected database cluster:

aws docdb describe-db-clusters \
	--region us-east-1 \
	--db-cluster-identifier cc-docdb-prod-db \
	--query 'DBClusters[*].BackupRetentionPeriod'

04 The command output should return the retention period set for the specified cluster:

[
    3
]

Check the number of days returned by the describe-db-clusters command. If the integer returned for the backup retention period is less than 7 (the default threshold), or less than the custom threshold value configured within your Cloud Conformity account, the selected Amazon DocumentDB database cluster does not have a sufficient backup retention period configured.

05 Repeat steps no. 3 and 4 to determine the automated backups retention period for other Amazon DocumentDB clusters available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
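The CLI audit above (steps 1 to 6) automated as a single check: the script below is an added example, not Cloud Conformity's own tooling. It parses the JSON form of the describe-db-clusters output, flags every cluster whose BackupRetentionPeriod is below the threshold (7 days by default, adjustable up to 35), and repeats the check per region. The region list, the cluster names in the sample data and the helper names are constructed for illustration; when the aws CLI is not installed it evaluates the embedded sample instead.

```python
"""Audit Amazon DocumentDB backup retention across clusters and regions."""
import json
import shutil
import subprocess

DEFAULT_THRESHOLD_DAYS = 7   # Cloud Conformity's recommended minimum
MAX_RETENTION_DAYS = 35      # upper bound DocumentDB accepts for retention

# Constructed sample of `aws docdb describe-db-clusters --output json`,
# trimmed to the two fields this check needs (cluster names are made up).
SAMPLE_DESCRIBE_OUTPUT = {
    "DBClusters": [
        {"DBClusterIdentifier": "cc-docdb-prod-db", "BackupRetentionPeriod": 3},
        {"DBClusterIdentifier": "cc-docdb-test-db", "BackupRetentionPeriod": 7},
        {"DBClusterIdentifier": "cc-docdb-dev-db", "BackupRetentionPeriod": 35},
    ]
}


def insufficient_retention(describe_output, threshold=DEFAULT_THRESHOLD_DAYS):
    """Return {cluster_id: retention_days} for every cluster below the threshold."""
    if not 1 <= threshold <= MAX_RETENTION_DAYS:
        raise ValueError(f"threshold must be between 1 and {MAX_RETENTION_DAYS} days")
    failing = {}
    for cluster in describe_output.get("DBClusters", []):
        # BackupRetentionPeriod is normally always present (1-35); a missing
        # value is treated as 0 days so that the cluster is flagged, not skipped.
        days = int(cluster.get("BackupRetentionPeriod", 0))
        if days < threshold:
            failing[cluster["DBClusterIdentifier"]] = days
    return failing


def describe_clusters(region):
    """Run the page's describe-db-clusters command for one region, parse its JSON."""
    cmd = ["aws", "docdb", "describe-db-clusters", "--region", region, "--output", "json"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


def audit_regions(regions, threshold=DEFAULT_THRESHOLD_DAYS, fetch=describe_clusters):
    """Step 6 of the CLI audit: repeat the check per region -> {region: failing}."""
    return {region: insufficient_retention(fetch(region), threshold) for region in regions}


if __name__ == "__main__":
    if shutil.which("aws"):  # real audit; region list is an assumption, adjust as needed
        results = audit_regions(["us-east-1", "us-west-2"])
    else:  # no AWS CLI on this machine: evaluate the constructed sample instead
        results = audit_regions(["sample"], fetch=lambda _region: SAMPLE_DESCRIBE_OUTPUT)
    for region, failing in results.items():
        for cluster_id, days in failing.items():
            print(f"{region}: {cluster_id} retains backups for {days} day(s), below threshold")
```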

Remediation / Resolution

To update your Amazon DocumentDB clusters configuration in order to set up a sufficient backup retention period, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to DocumentDB dashboard at https://console.aws.amazon.com/docdb/

03 In the left navigation panel, select Clusters.

04 Select the DocumentDB cluster that you want to reconfigure (see Audit section part I to identify the right resource).

05 Click the Actions button from the dashboard top menu and select Modify option.

06 On the Modify cluster: <cluster-name> page, within the Backup section, select a sufficient and optimal backup retention period (in number of days) from the Backup retention period dropdown list. Leave the rest of the settings unchanged, then click Modify cluster to save the configuration changes. The update process should take just a few minutes. You can use the DocumentDB cluster again only when its status becomes available.

07 Repeat steps no. 4 – 6 to reconfigure the backup retention period for other Amazon DocumentDB database clusters available in the current region.

08 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run the modify-db-cluster command (OSX/Linux/UNIX) to set a sufficient backup retention period (in days) for the selected Amazon DocumentDB cluster (see Audit section part II to identify the right resource). The number of days for which automated backups are retained by AWS DocumentDB must be a value between 1 and 35. The following command example sets the backup retention period to 7 days (recommended). The command request makes use of the --apply-immediately parameter to apply the configuration changes asynchronously, as soon as possible. If you use the --no-apply-immediately parameter instead, the DocumentDB service will apply your changes during the next maintenance window:

aws docdb modify-db-cluster \
	--region us-east-1 \
	--db-cluster-identifier cc-docdb-prod-db \
	--backup-retention-period 7 \
	--apply-immediately

02 The command output should return the metadata for the modified DocumentDB cluster:

{
    "DBCluster": {
        "VpcSecurityGroups": [
            {
                "Status": "active",
                "VpcSecurityGroupId": "sg-abcd1234"
            }
        ],
        "Status": "available",
        "MultiAZ": false,
        "LatestRestorableTime": "2019-01-18T11:19:01.311Z",
        "PreferredBackupWindow": "00:00-00:30",
        "DBSubnetGroup": "default",
        "BackupRetentionPeriod": 7,
        "PreferredMaintenanceWindow": "sun:10:04-sun:10:34",
        "Engine": "docdb",
 
        ...
 
        "EarliestRestorableTime": "2019-01-18T12:19:01.311Z",
        "ClusterCreateTime": "2019-01-16T10:11:43.111Z",
        "EngineVersion": "3.6.0",
        "DBClusterIdentifier": "cc-docdb-prod-db",
        "StorageEncrypted": true,
        "AssociatedRoles": [],
        "DBClusterParameterGroup": "default.docdb3.6",
        "AvailabilityZones": [
            "us-east-1b",
            "us-east-1c"
        ],
        "Port": 27017
    }
}

03 Repeat steps no. 1 and 2 to reconfigure the backup retention period for other Amazon DocumentDB database clusters available within the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat the entire remediation process for other regions.
