--- title: RDS with backup disabled description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > RDS with backup disabled --- # RDS with backup disabled {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). (). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `1dc73fb4-5b51-430c-8c5f-25dcf9090b02` **Cloud Provider:** AWS **Platform:** Terraform **Severity:** Medium **Category:** Backup #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance) ### Description{% #description %} This check ensures that Amazon RDS instances have automatic backups enabled by setting the `backup_retention_period` to a value greater than zero. When `backup_retention_period` is set to `0`, no automated backups are created for the database instance, leaving data unprotected against accidental deletion, corruption, or operational incidents. Without automated backups, it is impossible to restore the database to a previous point in time, significantly increasing the risk of permanent data loss. Enabling and properly configuring the backup retention period helps ensure data durability and business continuity for critical database workloads. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform module "db" { source = "terraform-aws-modules/rds/aws" version = "~> 3.0" identifier = "demodb" engine = "mysql" engine_version = "5.7.19" instance_class = "db.t2.large" allocated_storage = 5 auto_minor_version_upgrade = true backup_retention_period = 12 name = "demodb" username = "user" password = "YourPwdShouldBeLongAndSecure!" port = "3306" iam_database_authentication_enabled = true vpc_security_group_ids = ["sg-12345678"] maintenance_window = "Mon:00:00-Mon:03:00" backup_window = "03:00-06:00" # Enhanced Monitoring - see example for details on how to create the role # by yourself, in case you don't want to create it automatically monitoring_interval = "30" monitoring_role_name = "MyRDSMonitoringRole" create_monitoring_role = true tags = { Owner = "user" Environment = "dev" } # DB subnet group subnet_ids = ["subnet-12345678", "subnet-87654321"] # DB parameter group family = "mysql5.7" # DB option group major_engine_version = "5.7" # Database Deletion Protection deletion_protection = true parameters = [ { name = "character_set_client" value = "utf8mb4" }, { name = "character_set_server" value = "utf8mb4" } ] options = [ { option_name = "MARIADB_AUDIT_PLUGIN" option_settings = [ { name = "SERVER_AUDIT_EVENTS" value = "CONNECT" }, { name = "SERVER_AUDIT_FILE_ROTATIONS" value = "37" }, ] }, ] } ``` ```terraform //some comments (used just for resource offset) resource "aws_db_instance" "negative1" { allocated_storage = 20 storage_type = "gp2" engine = "mysql" engine_version = "5.7" instance_class = "db.t2.micro" name = "mydb" username = "foo" password = "foobarbaz" backup_retention_period = 12 } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform module "db" { source = "terraform-aws-modules/rds/aws" version = "~> 3.0" identifier = "demodb" engine = "mysql" engine_version = "5.7.19" instance_class = "db.t2.large" allocated_storage = 5 auto_minor_version_upgrade = true backup_retention_period = 0 name = "demodb" username = "user" password = "YourPwdShouldBeLongAndSecure!" port = "3306" iam_database_authentication_enabled = true vpc_security_group_ids = ["sg-12345678"] maintenance_window = "Mon:00:00-Mon:03:00" backup_window = "03:00-06:00" # Enhanced Monitoring - see example for details on how to create the role # by yourself, in case you don't want to create it automatically monitoring_interval = "30" monitoring_role_name = "MyRDSMonitoringRole" create_monitoring_role = true tags = { Owner = "user" Environment = "dev" } # DB subnet group subnet_ids = ["subnet-12345678", "subnet-87654321"] # DB parameter group family = "mysql5.7" # DB option group major_engine_version = "5.7" # Database Deletion Protection deletion_protection = true parameters = [ { name = "character_set_client" value = "utf8mb4" }, { name = "character_set_server" value = "utf8mb4" } ] options = [ { option_name = "MARIADB_AUDIT_PLUGIN" option_settings = [ { name = "SERVER_AUDIT_EVENTS" value = "CONNECT" }, { name = "SERVER_AUDIT_FILE_ROTATIONS" value = "37" }, ] }, ] } ``` ```terraform resource "aws_db_instance" "positive1" { allocated_storage = 20 storage_type = "gp2" engine = "mysql" engine_version = "5.7" instance_class = "db.t2.micro" name = "mydb" username = "foo" password = "foobarbaz" } ``` ```terraform module "db" { source = "terraform-aws-modules/rds/aws" version = "~> 3.0" identifier = "demodb" engine = "mysql" engine_version = "5.7.19" instance_class = "db.t2.large" allocated_storage = 5 auto_minor_version_upgrade = true name = "demodb" username = "user" password = "YourPwdShouldBeLongAndSecure!" port = "3306" iam_database_authentication_enabled = true vpc_security_group_ids = ["sg-12345678"] maintenance_window = "Mon:00:00-Mon:03:00" backup_window = "03:00-06:00" # Enhanced Monitoring - see example for details on how to create the role # by yourself, in case you don't want to create it automatically monitoring_interval = "30" monitoring_role_name = "MyRDSMonitoringRole" create_monitoring_role = true tags = { Owner = "user" Environment = "dev" } # DB subnet group subnet_ids = ["subnet-12345678", "subnet-87654321"] # DB parameter group family = "mysql5.7" # DB option group major_engine_version = "5.7" # Database Deletion Protection deletion_protection = true parameters = [ { name = "character_set_client" value = "utf8mb4" }, { name = "character_set_server" value = "utf8mb4" } ] options = [ { option_name = "MARIADB_AUDIT_PLUGIN" option_settings = [ { name = "SERVER_AUDIT_EVENTS" value = "CONNECT" }, { name = "SERVER_AUDIT_FILE_ROTATIONS" value = "37" }, ] }, ] } ```