RDS instance with backup disabled

Docs > Plateforme de sécurité Datadog > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > RDS instance with backup disabled

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

Id: e69890e6-fce5-461d-98ad-cb98318dfc96

Cloud Provider: AWS

Platform: Ansible

Severity: Medium

Category: Backup

Learn More

Provider Reference

Description

An RDS instance with automated backups disabled (backup_retention_period set to 0) cannot perform point-in-time recovery and is at increased risk of permanent data loss and regulatory non‑compliance.

For Ansible resources using amazon.aws.rds_instance or rds_instance, the backup_retention_period property must be defined and set to an integer greater than 0 (value is in days). Resources missing this property or with backup_retention_period: 0 are flagged. Set it to at least 1 (commonly 7 or more) based on your recovery objectives.

Secure configuration example for Ansible:

- name: Create RDS instance with automated backups
  amazon.aws.rds_instance:
    db_instance_identifier: mydb
    engine: postgres
    instance_class: db.t3.medium
    allocated_storage: 20
    backup_retention_period: 7

Compliant Code Examples

- name: create minimal aurora instance in default VPC and default subnet group
  amazon.aws.rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: '{{ password }}'
    username: '{{ username }}'
    cluster_id: ansible-test-cluster  # This cluster must exist - see rds_cluster to manage it
    backup_retention_period: 5
- name: create minimal aurora instance in default VPC and default subnet group2
  amazon.aws.rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: '{{ password }}'
    username: '{{ username }}'
    cluster_id: ansible-test-cluster  # This cluster must exist - see rds_cluster to manage it

Non-Compliant Code Examples

---
- name: create minimal aurora instance in default VPC and default subnet group
  amazon.aws.rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster  # This cluster must exist - see rds_cluster to manage it
    backup_retention_period: 0