Ensure AWS RDS cluster Backup Retention Set

Description

Ensures that an AWS RDS cluster has a sufficiently long backup retention set.

Aurora backs up your cluster volume automatically and retains restore data for the length of the backup retention period. No performance impact or interruption of database service occurs as backup data is being written. You can specify a backup retention period, from 1 to 35 days, when you create or modify a DB cluster.

For Amazon Aurora DB clusters, the default backup retention period is one day regardless of how the DB cluster is created. You cannot disable automated backups on Aurora. The backup retention period for Aurora is managed by the DB cluster.

Rationale

In the event of a breach that modifies data, or instance loss, retained backups allow for restoring to a known good state.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                           Value
secureclouddb/provider        aws
secureclouddb/service         rds
secureclouddb/resource-type   cluster

Default Rule

const { isAwsRdsCluster } = aws

/**
 * @param {Object} databaseSettings - database settings object
 * @param {Object} parameters - rule parameters
 * @param {string} parameters.retentionTime - minimum backup retention period (in days) the cluster must meet; defaults to 7 days
 * @returns {{success: boolean}} success is true if the cluster's backup retention period is at least the required value
 */
function validate(databaseSettings, parameters = { retentionTime : "7" }) {
    // check that the resource is an RDS cluster, that its retention period is set,
    // and that it is equal to or greater than the desired (or default) value;
    // Boolean() makes the result a real boolean instead of the raw field value
    const success = Boolean(
        isAwsRdsCluster(databaseSettings) &&
        databaseSettings.awsDatabaseInstance.rdsCluster.backupRetentionPeriod &&
        Number(databaseSettings.awsDatabaseInstance.rdsCluster.backupRetentionPeriod) >=
            Number(parameters.retentionTime)
    )

    return {
        success,
    }
}

// invoke with the default minimum of 7 days
// TODO add parameters, e.g. validate(databaseSettings, { retentionTime : "14" })
validate(databaseSettings);
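The following is an added example, not SecureCloudDB's rule code: it runs the same retention check over several constructed cluster settings objects (same `awsDatabaseInstance.rdsCluster.backupRetentionPeriod` shape as the rule above), including an Aurora cluster left at the one-day default, a value returned as a string, and a cluster with no retention field, and reports why each one fails. `isAwsRdsCluster` is a local stand-in for the platform helper and is an assumption about its behaviour.

```javascript
// Added example (not SecureCloudDB's code): evaluate the backup retention rule
// over constructed cluster settings and explain each non-compliant result.

// Stand-in for the platform's aws.isAwsRdsCluster helper (assumption: it is
// true when the settings carry an rdsCluster object).
function isAwsRdsCluster(settings) {
  const cluster = settings?.awsDatabaseInstance?.rdsCluster;
  return cluster !== null && typeof cluster === "object";
}

// Same comparison as the page's rule, but the result is always a real boolean
// and a reason is attached so a reviewer can see why a cluster failed.
function checkRetention(settings, minDays = 7) {
  if (!isAwsRdsCluster(settings)) {
    return { success: false, reason: "not an RDS cluster" };
  }
  const raw = settings.awsDatabaseInstance.rdsCluster.backupRetentionPeriod;
  const days = Number(raw);
  if (raw === undefined || raw === null || raw === "" || Number.isNaN(days)) {
    return { success: false, reason: "backupRetentionPeriod missing or not numeric" };
  }
  if (days < minDays) {
    return { success: false, reason: `retention ${days}d below minimum ${minDays}d` };
  }
  return { success: true, reason: `retention ${days}d meets minimum ${minDays}d` };
}

// Constructed sample input (ids are made up for this example).
const sampleClusters = [
  { id: "aurora-default",   awsDatabaseInstance: { rdsCluster: { backupRetentionPeriod: 1 } } },    // Aurora default of one day
  { id: "aurora-string-14", awsDatabaseInstance: { rdsCluster: { backupRetentionPeriod: "14" } } }, // value delivered as a string
  { id: "aurora-max",       awsDatabaseInstance: { rdsCluster: { backupRetentionPeriod: 35 } } },   // maximum allowed by Aurora
  { id: "no-retention",     awsDatabaseInstance: { rdsCluster: {} } },                              // field absent
  { id: "plain-instance",   awsDatabaseInstance: {} },                                              // not a cluster at all
];

// Returns one finding per cluster that fails the rule for the given minimum.
function nonCompliant(clusters, minDays = 7) {
  return clusters
    .map((c) => ({ id: c.id, ...checkRetention(c, minDays) }))
    .filter((r) => !r.success);
}

for (const finding of nonCompliant(sampleClusters)) {
  console.log(`${finding.id}: ${finding.reason}`);
}
```

Raising `minDays` to 30 also flags `aurora-string-14`, which is how a stricter organization policy would surface through the `retentionTime` parameter.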