RDS instance with backup disabled

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > RDS instance with backup disabled

Metadata

Id: e69890e6-fce5-461d-98ad-cb98318dfc96

Cloud Provider: AWS

Platform: Ansible

Severity: Medium

Category: Backup

Learn More

Provider Reference

Description

An RDS instance with automated backups disabled (backup_retention_period set to 0) cannot perform point-in-time recovery and is at increased risk of permanent data loss and regulatory non‑compliance.

For Ansible resources using amazon.aws.rds_instance or rds_instance, the backup_retention_period property must be defined and set to an integer greater than 0 (value is in days). Resources missing this property or with backup_retention_period: 0 are flagged. Set it to at least 1 (commonly 7 or more) based on your recovery objectives.

Secure configuration example for Ansible:

- name: Create RDS instance with automated backups
  amazon.aws.rds_instance:
    db_instance_identifier: mydb
    engine: postgres
    instance_class: db.t3.medium
    allocated_storage: 20
    backup_retention_period: 7

Compliant Code Examples

- name: create minimal aurora instance in default VPC and default subnet group
  amazon.aws.rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: '{{ password }}'
    username: '{{ username }}'
    cluster_id: ansible-test-cluster  # This cluster must exist - see rds_cluster to manage it
    backup_retention_period: 5
- name: create minimal aurora instance in default VPC and default subnet group2
  amazon.aws.rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: '{{ password }}'
    username: '{{ username }}'
    cluster_id: ansible-test-cluster  # This cluster must exist - see rds_cluster to manage it

Non-Compliant Code Examples

---
- name: create minimal aurora instance in default VPC and default subnet group
  amazon.aws.rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster  # This cluster must exist - see rds_cluster to manage it
    backup_retention_period: 0