For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/ansible-aws-rds-with-backup-disabled.md. A documentation index is available at /llms.txt.

RDS instance with backup disabled

This product is not supported for your selected Datadog site. ().

Metadata

Id: ansible-aws-rds-with-backup-disabled

Provider: AWS

Platform: Ansible

Severity: Medium

Category: Backup

Learn More

Description

An RDS instance with automated backups disabled (backup_retention_period set to 0) cannot perform point-in-time recovery and is at increased risk of permanent data loss and regulatory non‑compliance.

For Ansible resources using amazon.aws.rds_instance or rds_instance, the backup_retention_period property must be defined and set to an integer greater than 0 (value is in days). Resources missing this property or with backup_retention_period: 0 are flagged. Set it to at least 1 (commonly 7 or more) based on your recovery objectives.

Secure configuration example for Ansible:

- name: Create RDS instance with automated backups
  amazon.aws.rds_instance:
    db_instance_identifier: mydb
    engine: postgres
    instance_class: db.t3.medium
    allocated_storage: 20
    backup_retention_period: 7

Compliant Code Examples

- name: create minimal aurora instance in default VPC and default subnet group
  amazon.aws.rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: '{{ password }}'
    username: '{{ username }}'
    cluster_id: ansible-test-cluster  # This cluster must exist - see rds_cluster to manage it
    backup_retention_period: 5
- name: create minimal aurora instance in default VPC and default subnet group2
  amazon.aws.rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: '{{ password }}'
    username: '{{ username }}'
    cluster_id: ansible-test-cluster  # This cluster must exist - see rds_cluster to manage it

Non-Compliant Code Examples

---
- name: create minimal aurora instance in default VPC and default subnet group
  amazon.aws.rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster  # This cluster must exist - see rds_cluster to manage it
    backup_retention_period: 0