Check if DocumentDB Clusters Have Backup Enabled
Overview
This check verifies that your Amazon DocumentDB clusters have automated backups configured with an adequate retention period (at least 7 days). Automated backups allow you to restore your database to any point in time within the retention window.
Risk
Without adequate backups, your DocumentDB clusters cannot be reliably restored after data loss events. Accidental deletions, data corruption, or ransomware attacks could cause irreversible data loss once the retention window expires, resulting in extended outages and compromised recovery capabilities.
Remediation Steps
Prerequisites
- Access to the AWS Console with permissions to modify DocumentDB clusters, OR
- AWS CLI installed and configured with appropriate credentials
AWS Console Method
- Open the Amazon DocumentDB console
- In the navigation pane, choose Clusters
- Select the cluster you want to modify
- Choose Modify
- Under Backup, set Backup retention period to at least 7 days
- Optionally, configure a Backup window that fits your workload (e.g., during low-traffic hours)
- Choose Apply immediately if you want changes to take effect right away
- Choose Modify cluster to save your changes
AWS CLI Method
Use the following command to enable or update backup retention for an existing DocumentDB cluster:

```bash
aws docdb modify-db-cluster \
  --db-cluster-identifier <your-cluster-identifier> \
  --backup-retention-period 7 \
  --apply-immediately \
  --region us-east-1
```

Replace <your-cluster-identifier> with your actual cluster identifier.

Parameters:
- --backup-retention-period: Number of days to retain backups (1-35). Set to at least 7 for compliance.
- --apply-immediately: Apply changes immediately instead of waiting for the next maintenance window.
Optional - Set a preferred backup window:

```bash
aws docdb modify-db-cluster \
  --db-cluster-identifier <your-cluster-identifier> \
  --backup-retention-period 7 \
  --preferred-backup-window "07:00-09:00" \
  --apply-immediately \
  --region us-east-1
```

The backup window format is hh24:mi-hh24:mi in UTC.
CloudFormation
Use the following CloudFormation template to create a DocumentDB cluster with backup retention enabled:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: DocumentDB Cluster with backup retention enabled
Parameters:
  ClusterIdentifier:
    Type: String
    Description: The identifier for the DocumentDB cluster
    Default: my-docdb-cluster
  MasterUsername:
    Type: String
    Description: Master username for the cluster
    Default: docdbadmin
    NoEcho: true
  MasterUserPassword:
    Type: String
    Description: Master password for the cluster
    NoEcho: true
    MinLength: 8
  BackupRetentionPeriod:
    Type: Number
    Description: Number of days to retain automated backups
    Default: 7
    MinValue: 1
    MaxValue: 35
Resources:
  DocumentDBCluster:
    Type: AWS::DocDB::DBCluster
    Properties:
      DBClusterIdentifier: !Ref ClusterIdentifier
      MasterUsername: !Ref MasterUsername
      MasterUserPassword: !Ref MasterUserPassword
      BackupRetentionPeriod: !Ref BackupRetentionPeriod
      PreferredBackupWindow: "07:00-09:00"
      StorageEncrypted: true
      DeletionProtection: false
Outputs:
  ClusterEndpoint:
    Description: The endpoint for the DocumentDB cluster
    Value: !GetAtt DocumentDBCluster.Endpoint
  ClusterPort:
    Description: The port for the DocumentDB cluster
    Value: !GetAtt DocumentDBCluster.Port
```

To deploy:

```bash
aws cloudformation create-stack \
  --stack-name docdb-backup-enabled \
  --template-body file://template.yaml \
  --parameters ParameterKey=MasterUserPassword,ParameterValue=<your-secure-password> \
  --region us-east-1
```
Terraform
Use the following Terraform configuration to create a DocumentDB cluster with backup retention enabled:

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_docdb_cluster" "example" {
  cluster_identifier        = "my-docdb-cluster"
  engine                    = "docdb"
  master_username           = "docdbadmin"
  master_password           = var.master_password
  backup_retention_period   = 7
  preferred_backup_window   = "07:00-09:00"
  storage_encrypted         = true
  skip_final_snapshot       = false
  final_snapshot_identifier = "my-docdb-final-snapshot"
}

variable "master_password" {
  type        = string
  sensitive   = true
  description = "Master password for the DocumentDB cluster"
}
```

To apply:

```bash
terraform init
terraform apply -var="master_password=<your-secure-password>"
```

To update an existing cluster, import it into Terraform state first (terraform import) and then set the backup_retention_period value before applying.
Verification
After making changes, verify that backup retention is properly configured:
- In the DocumentDB console, select your cluster
- Check the Configuration tab
- Confirm that Backup retention period shows at least 7 days
CLI Verification

```bash
aws docdb describe-db-clusters \
  --db-cluster-identifier <your-cluster-identifier> \
  --query 'DBClusters[0].BackupRetentionPeriod' \
  --region us-east-1
```

The output should show a value of 7 or higher.

To list all clusters and their backup retention settings:

```bash
aws docdb describe-db-clusters \
  --query 'DBClusters[*].[DBClusterIdentifier,BackupRetentionPeriod]' \
  --output table \
  --region us-east-1
```
Additional Resources
- Backing Up and Restoring in Amazon DocumentDB
- Amazon DocumentDB Best Practices
- Modifying an Amazon DocumentDB Cluster
- AWS::DocDB::DBCluster CloudFormation Reference
Notes
- Backup retention period: Valid values are 1-35 days. A minimum of 7 days is recommended for compliance with most security frameworks.
- Backup window: Choose a time with low database activity to minimize performance impact. The window must be at least 30 minutes.
- Point-in-time recovery: With backups enabled, you can restore your cluster to any second within the retention period, up to the latest restorable time (typically within the last 5 minutes).
- Cost consideration: Backup storage is charged based on the amount of data retained. Plan your retention period based on both compliance needs and cost.
- Testing restores: Regularly test your backup restoration process as part of your disaster recovery plan.
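The CLI verification above shows the retention value for one cluster at a time; when many clusters need to be checked, it is easier to evaluate the whole describe-db-clusters response in code. The following is an added example, not part of this check page or of any AWS tooling: it parses the JSON shape returned by `aws docdb describe-db-clusters` and flags clusters whose BackupRetentionPeriod is below the 7-day minimum, or whose PreferredBackupWindow is malformed or shorter than the 30 minutes noted above. The cluster names and settings in the embedded sample response are constructed for illustration.

```python
"""Offline evaluation of DocumentDB backup settings (added example, not page code).

Input is the JSON structure printed by `aws docdb describe-db-clusters`
(a top-level "DBClusters" list). Only the fields relevant to this check
are read, so extra fields in a real response are ignored.
"""
import json
import re

MIN_RETENTION_DAYS = 7      # minimum required by this check
MIN_WINDOW_MINUTES = 30     # DocumentDB requires a backup window of at least 30 minutes

# Backup windows are expressed as hh24:mi-hh24:mi in UTC.
WINDOW_RE = re.compile(r"^(\d{2}):(\d{2})-(\d{2}):(\d{2})$")


def window_minutes(window):
    """Return the length of an hh24:mi-hh24:mi window in minutes, or None if malformed.

    Windows may wrap past midnight (e.g. 23:50-00:05 is 15 minutes long).
    """
    match = WINDOW_RE.match(window or "")
    if not match:
        return None
    h1, m1, h2, m2 = (int(x) for x in match.groups())
    if not (0 <= h1 < 24 and 0 <= h2 < 24 and 0 <= m1 < 60 and 0 <= m2 < 60):
        return None
    start = h1 * 60 + m1
    end = h2 * 60 + m2
    return (end - start) % (24 * 60)


def evaluate_cluster(cluster, min_days=MIN_RETENTION_DAYS):
    """Return a list of findings for one cluster dict; an empty list means compliant."""
    findings = []
    retention = cluster.get("BackupRetentionPeriod", 0)
    if retention < min_days:
        findings.append(f"retention {retention}d below minimum {min_days}d")
    length = window_minutes(cluster.get("PreferredBackupWindow"))
    if length is None:
        findings.append("backup window missing or malformed")
    elif length < MIN_WINDOW_MINUTES:
        findings.append(f"backup window {length}min shorter than {MIN_WINDOW_MINUTES}min")
    return findings


def evaluate_response(response, min_days=MIN_RETENTION_DAYS):
    """Map cluster identifier -> findings for every non-compliant cluster in the response."""
    results = {}
    for cluster in response.get("DBClusters", []):
        findings = evaluate_cluster(cluster, min_days)
        if findings:
            results[cluster["DBClusterIdentifier"]] = findings
    return results


# Constructed sample in the shape of `aws docdb describe-db-clusters` output.
SAMPLE_RESPONSE = json.loads("""
{ "DBClusters": [
  {"DBClusterIdentifier": "orders-prod",   "BackupRetentionPeriod": 14, "PreferredBackupWindow": "07:00-09:00"},
  {"DBClusterIdentifier": "analytics-dev", "BackupRetentionPeriod": 1,  "PreferredBackupWindow": "02:00-02:30"},
  {"DBClusterIdentifier": "legacy-stage",  "BackupRetentionPeriod": 7,  "PreferredBackupWindow": "23:50-00:05"}
]}
""")

if __name__ == "__main__":
    for ident, findings in evaluate_response(SAMPLE_RESPONSE).items():
        print(f"{ident}: {'; '.join(findings)}")
```

Against a live account, replace SAMPLE_RESPONSE with the output of `aws docdb describe-db-clusters --output json` piped into the script, or with `boto3.client("docdb").describe_db_clusters()`, which returns the same structure; the evaluation functions are unchanged either way.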