Logo of Trend Micro

RDS Sufficient Backup Retention Period

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: RDS-003

Ensure that your RDS database instances have set a minimum backup retention period in order to achieve the compliance requirements. Cloud Conformity recommends a minimum (default) retention period of 7 (seven) days but you can adjust the minimumRetentionPeriod parameter value to narrow or extend the default retention period (AWS RDS allows a maximum retention period of thirty five days).

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Reliability

Having a minimum retention period set for RDS database instances will enforce your backup strategy to follow the best practices as specified in the compliance regulations. Retaining point-in-time RDS snapshots for a longer period of time will allow you to handle more efficiently your data restoration process in the event of failure.

Note: This guide will use 7 days (recommended) as the threshold for the minimum backup retention period. However, you can adjust anytime the number of days to suit your requirements.

Audit

To determine if your RDS instances have the sufficient backup retention period (≥ 7 days) set for automated backups, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under RDS Dashboard, click Instances.

04 Select the RDS instance that you want to examine.

05 Click Instance Actions button from the dashboard top menu and select See Details.

06 Under Availability and Durability section, search for the Automated Backups status:

Under Availability and Durability section, search for the Automated Backups status

If the backup retention period currently set is less than 7 (seven) days, the RDS instance backup configuration does not comply with the recommended regulations.

07 Repeat steps no. 4 – 6 for each RDS instance provisioned in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.

Using AWS CLI

01 Run describe-db-instances command (OSX/Linux/UNIX) to list all RDS database names, available in the selected AWS region: 

aws rds describe-db-instances
	--region us-east-1
	--query 'DBInstances[*].DBInstanceIdentifier'

02 The command output should return each database instance identifier: 

[
    "mysql-prod-database"
]

03 Run again describe-db-instances command (OSX/Linux/UNIX) using the RDS instance identifier returned earlier, to determine the retention period for the instance automated backups (e.g. the number of days for which RDS instance snapshots are retained): 

aws rds describe-db-instances
	--region us-east-1
	--db-instance-identifier mysql-prod-database
	--query 'DBInstances[*].BackupRetentionPeriod'

04 The command output should return the retention period for the selected RDS instance (one day in this example): 

[
    1
]

If the backup retention period set is less than 7 (seven) days, the backup configuration for the selected RDS database instance does not comply with the recommended regulations.

05 Repeat steps no. 1 – 4 for each RDS instance provisioned in the current region. Change the AWS region by using the --region filter to repeat the process for other regions.

Remediation / Resolution

To update your RDS instances automated backups configuration and extend the retention period, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under RDS Dashboard, click Instances.

04 Select the RDS instance that you want to examine.

05 Click Instance Actions button from the dashboard top menu and select Modify.

06 On the Modify DB Instance: <instance identifier> page, under Backup section, select a number between 7 and 35 from the Backup Retention Period dropdown list.

07 At the bottom of the page, check Apply Immediately to apply the changes immediately.
(!) IMPORTANT: when you change the retention period from 0 to a non-zero value an immediate outage will occur. If the selected database instance is used in production consider leaving Apply Immediately option disabled in order to avoid any RDS downtime. If Apply Immediately is not selected, the feature will be enabled during the next maintenance window.

08 Click Continue.

09 Review the changes and click Modify DB Instance. Once the configuration changes are applied, the Automated Backups retention period should change to the specified value:

Modify DB Instance. Once the configuration changes are applied, the Automated Backups retention period should change to the specified value

10 Repeat steps no. 4 – 9 for each RDS instance available in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.

Using AWS CLI

01 Run describe-db-instances command (OSX/Linux/UNIX) to list all RDS database names (identifiers), available in the selected AWS region: 

aws rds describe-db-instances
	--region us-east-1
	--query 'DBInstances[*].DBInstanceIdentifier'

02 The command output should return each database instance identifier: 

[
    "mysql-prod-database"
]

03 Run modify-db-instance command (OSX/Linux/UNIX) to modify the selected RDS instance configuration. The following command example extend the number of days for which RDS instance snapshots are retained by setting the backup retention period to 7 (seven) for an RDS instance named mysql-prod-database.
(!) IMPORTANT: this example is using the –apply-immediatelyoption to apply the change as soon as possible which will trigger an immediate outage if the previous retention period value set was 0 (zero). To apply the change during the instance maintenance window, avoid adding the –apply-immediately command parameter: 

aws rds modify-db-instance
	--region us-east-1
	--db-instance-identifier mysql-prod-database
	--backup-retention-period 7
	--apply-immediately

04 The command output should reveal the new configuration metadata for the RDS instance: 

{
    "DBInstance": {
        "PubliclyAccessible": true,
        "MasterUsername": "webappdb",
        "MonitoringInterval": 0,
        "LicenseModel": "general-public-license",
        ... 
        "PendingModifiedValues": {
            "BackupRetentionPeriod": 7
        },
  	   ...
        "DbiResourceId": "db-LVM75IJA2YOGQ3FJUNRK7KFFII",
        "CACertificateIdentifier": "rds-ca-2015",
        "StorageEncrypted": false,
        "DBInstanceClass": "db.t2.micro",
        "DbInstancePort": 0,
        "DBInstanceIdentifier": "mysql-prod-database"
    }
}

05 Run describe-db-instances command (OSX/Linux/UNIX) using the RDS instance identifier to determine if the new value for the backup retention period has been successfully applied: 

aws rds describe-db-instances
	--region us-east-1
	--db-instance-identifier mysql-prod-database
	--query 'DBInstances[*].BackupRetentionPeriod'

06 The command output should return the new retention period value (7 days in this case) for the selected RDS instance: 

[
    7
]

07 Repeat steps no. 1 – 6 for each RDS instance provisioned in the current region. Change the AWS region by using the --region filter to repeat the process for other regions.

References

Publication date May 4, 2016

Related RDS rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

RDS Sufficient Backup Retention Period

Risk level: Medium