RDS instances should have backup retention periods configured


Retention periods for RDS backups should be configured according to business and regulatory needs, and backups should not be retained longer than is strictly necessary. When retention is properly configured, data that is no longer needed does not linger in backups where malicious individuals could retrieve it.

Console Remediation Steps

  • Navigate to RDS.

  • In the left navigation, select Databases.

  • Select the desired database and click Modify.

  • For Backup Retention Period, choose a positive nonzero value, for example 3 days.

  • Choose Continue.

  • Choose Apply Immediately.

  • On the confirmation page, choose Modify DB Instance to save your changes and enable automated backups.

CLI Remediation Steps

To enable automated backups immediately:

aws rds modify-db-instance \
  --db-instance-identifier mydbinstance \
  --backup-retention-period 3 \
  --apply-immediately
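
To find which instances need the remediation above, the following added example (not part of the original rule text) audits every instance's retention period against a policy window. The 3-day minimum mirrors the page's example value; the 14-day maximum, the function names and the sample instance names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag RDS instances whose backup retention is disabled,
# shorter than a policy minimum, or longer than a policy maximum.

# Reads "identifier retention_days" rows on stdin (whitespace separated).
# Prints one finding per non-compliant row; exits non-zero if any were found.
# The body runs in a subshell so its variables do not leak to the caller.
check_retention() (
  min_days="$1"; max_days="$2"; status=0
  while read -r id days; do
    [ -n "$id" ] || continue
    case "$days" in
      ''|*[!0-9]*) echo "UNKNOWN $id retention=$days"; status=1; continue ;;
    esac
    if [ "$days" -eq 0 ]; then
      echo "DISABLED $id retention=0 (automated backups off)"; status=1
    elif [ "$days" -lt "$min_days" ]; then
      echo "TOO_SHORT $id retention=$days min=$min_days"; status=1
    elif [ "$days" -gt "$max_days" ]; then
      echo "TOO_LONG $id retention=$days max=$max_days"; status=1
    fi
  done
  [ "$status" -eq 0 ]
)

# Live input: one tab-separated row per instance (needs AWS credentials).
list_instances() {
  aws rds describe-db-instances \
    --query 'DBInstances[].[DBInstanceIdentifier,BackupRetentionPeriod]' \
    --output text
}

# Constructed sample rows in the same shape, for running offline.
sample_instances() {
  printf 'orders-prod\t7\n'
  printf 'legacy-reports\t0\n'
  printf 'audit-archive\t35\n'
  printf 'staging-db\t1\n'
}

# Policy window: 3 to 14 days (assumed values; set to your own policy).
case "${1:-}" in
  --sample) sample_instances | check_retention 3 14 ;;
  --live)   list_instances | check_retention 3 14 ;;
esac
```

Run it with --sample to see the findings for the constructed rows, or with --live to audit the account and region your AWS CLI profile points at.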