AWS RDS cluster uses insufficient retention period
Description:
Amazon RDS allows you to automate backups of your DB instance, which include the entire DB instance and transaction logs. The retention period specifies the number of days that Amazon RDS will retain automatic backups of your DB instance. Having an insufficient retention period might lead to data loss in case of a disaster, as older backups are automatically deleted after the retention period. A recommended best practice is to set an adequate retention period, taking into account business continuity requirements and regulatory mandates.
Remediation:
1. Modify Retention Period for Existing RDS Clusters:
AWS Management Console:
- Navigate to the RDS dashboard.
- Select the RDS cluster or instance you want to modify.
- Click on "Modify".
- In the "Backup" section, adjust the "Backup Retention Period" to your desired number of days (based on your backup and data retention requirements).
- Scroll down and click on "Continue", then "Modify DB Instance" or "Modify DB Cluster".
AWS CLI:
aws rds modify-db-cluster --db-cluster-identifier YourClusterName --backup-retention-period DesiredNumberOfDays
or for instances:
aws rds modify-db-instance --db-instance-identifier YourInstanceName --backup-retention-period DesiredNumberOfDays
2. Set Retention Period for New RDS Clusters:
AWS Management Console:
- Navigate to the RDS dashboard.
- Click on "Create database".
- In the creation wizard, under the "Backup" section, set the "Backup Retention Period" to your desired number of days.
- Continue with other database settings and click "Create".
AWS CLI:
aws rds create-db-cluster --db-cluster-identifier YourClusterName --backup-retention-period DesiredNumberOfDays --other-required-parameters
or for instances:
aws rds create-db-instance --db-instance-identifier YourInstanceName --backup-retention-period DesiredNumberOfDays --other-required-parameters
3. Monitor and Audit:
AWS Management Console:
- Navigate to AWS Config.
- Create a new rule to check for RDS clusters or instances that have an insufficient backup retention period.
- Use AWS CloudTrail to monitor and log any changes to the backup retention period setting.
AWS CLI:
For monitoring, AWS Config SDK or Boto3 in Python would be preferable instead of direct AWS CLI commands.
4. Document and Train:
Ensure that internal guidelines and policies specify a minimum backup retention period based on business and regulatory requirements. Educate your technical and database teams on the importance of maintaining adequate retention periods for data backup.
By configuring an appropriate retention period, you can ensure data durability and recovery capability, minimizing potential business impacts in the event of data loss or corruption.
Updated about 1 year ago