Ensure AWS RDS cluster Backup Retention Set


Ensures that an AWS RDS cluster has a sufficiently long backup retention period set.

Aurora backs up your cluster volume automatically and retains restore data for the length of the backup retention period. No performance impact or interruption of database service occurs as backup data is being written. You can specify a backup retention period, from 1 to 35 days, when you create or modify a DB cluster.

For Amazon Aurora DB clusters, the default backup retention period is one day regardless of how the DB cluster is created. You cannot disable automated backups on Aurora. The backup retention period for Aurora is managed by the DB cluster.


In the event of a breach that modifies data, or instance loss, retained backups allow for restoring to a known good state.
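
The same retention check can be run directly over the JSON returned by aws rds describe-db-clusters. The script below is an added example, not part of the rule shipped with this page; the sample response and cluster identifiers are constructed, and auditBackupRetention and nonCompliant are hypothetical helper names.

```javascript
// Added example: audit DescribeDBClusters output for short backup retention.
// MIN_RETENTION_DAYS mirrors this rule's default of 7 days.
const MIN_RETENTION_DAYS = 7;

// Constructed sample shaped like a DescribeDBClusters response (identifiers are made up).
const sampleResponse = {
  DBClusters: [
    { DBClusterIdentifier: "orders-prod", Engine: "aurora-mysql", BackupRetentionPeriod: 1 },
    { DBClusterIdentifier: "billing-prod", Engine: "aurora-postgresql", BackupRetentionPeriod: 14 },
    { DBClusterIdentifier: "reports-dev", Engine: "aurora-mysql", BackupRetentionPeriod: "7" },
    { DBClusterIdentifier: "legacy-import", Engine: "aurora-mysql" }, // field missing
  ],
};

// Returns one { cluster, days, status } record per cluster in the response.
function auditBackupRetention(response, minDays = MIN_RETENTION_DAYS) {
  // Aurora only accepts 1 to 35 days, so a policy outside that range is a config error.
  if (!Number.isInteger(minDays) || minDays < 1 || minDays > 35) {
    throw new RangeError("minDays must be an integer from 1 to 35");
  }
  return (response.DBClusters || []).map((cluster) => {
    const raw = cluster.BackupRetentionPeriod;
    const days = Number(raw); // tolerate values serialized as strings
    let status;
    if (raw === undefined || raw === null || !Number.isInteger(days)) {
      status = "UNKNOWN"; // fail closed: missing data is not proof of compliance
    } else {
      status = days >= minDays ? "PASS" : "FAIL";
    }
    return {
      cluster: cluster.DBClusterIdentifier,
      days: status === "UNKNOWN" ? null : days,
      status,
    };
  });
}

// Identifiers of clusters that need attention (FAIL or UNKNOWN).
function nonCompliant(auditRecords) {
  return auditRecords.filter((r) => r.status !== "PASS").map((r) => r.cluster);
}

for (const r of auditBackupRetention(sampleResponse)) {
  console.log(`${r.status.padEnd(8)}${r.cluster} (retention days: ${r.days})`);
}
```

A cluster left at the Aurora default of one day shows up as FAIL, and a record without the field is reported as UNKNOWN rather than silently passing.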

Applies To

  • Databases


This rule is applied when the following tags are present:

Tag                            With Value
secureclouddb/provider         aws
secureclouddb/service          rds
secureclouddb/resource-type    cluster

Default Rule

const { isAwsRdsCluster } = aws

/**
 * @param {Object} databaseSettings - database settings object
 * @param {Object} parameters - rule parameters; parameters.retentionTime is the minimum retention time (in days) to comply with, by default it is set to 7 days.
 * @returns {Object} result whose success field is truthy if the retention period meets the organization policy (7 days by default)
 */
function validate(databaseSettings, parameters = { retentionTime : "7" }) {
    // check if the retention time set is equal or greater than the desired (or default) value
    const success =
        isAwsRdsCluster(databaseSettings) &&
        databaseSettings.awsDatabaseInstance.rdsCluster.backupRetentionPeriod &&
        Number(databaseSettings.awsDatabaseInstance.rdsCluster.backupRetentionPeriod) >=
            Number(parameters.retentionTime)

    // the returned object is cut off on this page; only the computed result is returned here
    return {
        success
    }
}

// invoke
// TODO add parameters