RDS instances should have backup retention periods configured


Retention periods for RDS backups should be configured according to business and regulatory needs. Backups should not be retained longer than is strictly necessary. When retention is properly configured, data that is no longer needed is not kept in backups where malicious individuals could retrieve it.

Remediation Steps

AWS Console

  • Navigate to RDS.

  • In the left navigation, select Databases.

  • Select the desired database and click Modify.

  • For Backup Retention Period, choose a positive nonzero value, for example 3 days.

  • Choose Continue.

  • Choose Apply Immediately.

  • On the confirmation page, choose Modify DB Instance to save your changes and enable automated backups.


To enable automated backups immediately:

aws rds modify-db-instance \
  --db-instance-identifier mydbinstance \
  --backup-retention-period 3 \
  --apply-immediately


Example Configuration

resource "aws_db_instance" "my_rds_db_instance" {
  backup_retention_period = 5
  # other required fields here
}

resource "aws_rds_cluster" "my_rds_db_cluster" {
  backup_retention_period = 3
  # other required fields here
}
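
A check for the retention setting described above, added here as an example and not part of the original page: it audits output shaped like `aws rds describe-db-instances` for backups that are disabled or kept longer than policy allows. The sample JSON, the instance names other than mydbinstance, and the minimum and maximum policy values are assumptions.

```python
import json

# Constructed sample shaped like `aws rds describe-db-instances` output;
# identifiers and values are made up for illustration.
SAMPLE_DESCRIBE_OUTPUT = """
{
  "DBInstances": [
    {"DBInstanceIdentifier": "mydbinstance", "BackupRetentionPeriod": 0},
    {"DBInstanceIdentifier": "orders-db", "BackupRetentionPeriod": 3},
    {"DBInstanceIdentifier": "legacy-db", "BackupRetentionPeriod": 35},
    {"DBInstanceIdentifier": "no-field-db"}
  ]
}
"""

# Assumed policy bounds: set these from your own business and regulatory needs.
MIN_RETENTION_DAYS = 1
MAX_RETENTION_DAYS = 14


def audit_backup_retention(describe_json, min_days=MIN_RETENTION_DAYS,
                           max_days=MAX_RETENTION_DAYS):
    """Return {instance identifier: finding} for each instance in the output."""
    findings = {}
    for db in json.loads(describe_json).get("DBInstances", []):
        name = db.get("DBInstanceIdentifier", "<unknown>")
        days = db.get("BackupRetentionPeriod")
        if not isinstance(days, int) or isinstance(days, bool):
            findings[name] = "UNKNOWN: retention period missing from output"
        elif days == 0:
            findings[name] = "FAIL: automated backups disabled (retention 0)"
        elif days < min_days:
            findings[name] = f"FAIL: {days} days is below the minimum {min_days}"
        elif days > max_days:
            findings[name] = f"FAIL: {days} days exceeds the maximum {max_days}"
        else:
            findings[name] = f"PASS: {days} days"
    return findings


def failing_instances(findings):
    """Identifiers that need review, sorted for stable reporting."""
    return sorted(n for n, f in findings.items() if not f.startswith("PASS"))


if __name__ == "__main__":
    for name, finding in audit_backup_retention(SAMPLE_DESCRIBE_OUTPUT).items():
        print(f"{name}: {finding}")
```

To run it against a real account, pass the JSON text printed by `aws rds describe-db-instances` to `audit_backup_retention` in place of the sample.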