Skip to content

Ensure AWS RDS Backup Retention Set

Description

Ensures that an AWS RDS instance has a sufficiently long backup retention set.

Rationale

In the event of a breach that modifies data, or instance loss, retained backups allow for restoring to a known good state, minimizing the impact of losing valuable data and avoiding delays when trying to recover such data.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag With Value
secureclouddb/provider aws
secureclouddb/service rds
secureclouddb/resource-type db

Default Rule

/**
 * @param {Object} databaseSettings - database settings object
 * @param {Object} retentionTime - minimum retention time (in days) to comply with, by default it is set to 7 days.
 * @returns {boolean} true if retention policy matchs organization policy, or 7 by default
 */
function validate(databaseSettings, parameters = { retentionTime : "7" }) {
    // check if the retention time set is equal or greater than the desired (or default) value
    const success =
        databaseSettings &&
        databaseSettings.awsDatabaseInstance &&
        databaseSettings.awsDatabaseInstance.rdsDatabaseInstance &&
        databaseSettings.awsDatabaseInstance.rdsDatabaseInstance.backup &&
        databaseSettings.awsDatabaseInstance.rdsDatabaseInstance.backup.retention !== undefined &&
        parseInt(databaseSettings.awsDatabaseInstance.rdsDatabaseInstance.backup.retention, 10)>=
            parseInt(parameters.retentionTime, 10)

    return {
        success,
    }
}

// invoke
// TODO add parameters
validate(databaseSettings);