Skip to main content

RDS Instance Backup Enabled

Overview

This check verifies that your Amazon RDS database instances have automated backups turned on. When backups are enabled, AWS automatically takes daily snapshots of your database and saves transaction logs, allowing you to restore your database to any point in time within your retention period.

Risk

Without automated backups, you cannot recover your database if something goes wrong. This means:

  • Accidental data loss - If someone deletes important data by mistake, you cannot undo it
  • Malicious attacks - If an attacker corrupts your database, you have no way to restore it
  • Hardware failures - If the underlying storage fails, your data may be lost permanently
  • Extended downtime - Recovery from data loss without backups can take days or weeks, if recovery is even possible

Remediation Steps

Prerequisites

You need access to the AWS Console with permissions to modify RDS instances, or equivalent CLI/IAM permissions.

Required IAM permissions

To enable backups, you need the following IAM permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:ModifyDBInstance",
        "rds:DescribeDBInstances"
      ],
      "Resource": "*"
    }
  ]
}

AWS Console Method

  1. Open the Amazon RDS console
  2. In the navigation pane, choose Databases
  3. Select the database instance you want to modify
  4. Choose Modify
  5. Scroll down to the Backup section
  6. Set Backup retention period to at least 1 day (7 days is recommended for most workloads)
  7. Optionally, set a Backup window - a daily time range when backups occur (choose a low-traffic period)
  8. Scroll to the bottom and choose Continue
  9. Review your changes, then select Apply immediately if you want changes now, or leave unchecked to apply during the next maintenance window
  10. Choose Modify DB instance
AWS CLI (optional)

Enable backups on an existing instance

aws rds modify-db-instance \
  --db-instance-identifier <your-db-instance-id> \
  --backup-retention-period 7 \
  --preferred-backup-window "03:00-04:00" \
  --apply-immediately \
  --region us-east-1

Replace <your-db-instance-id> with your actual RDS instance identifier.

Parameters explained:

  • --backup-retention-period 7 - Keep backups for 7 days (valid range: 1-35 days)
  • --preferred-backup-window "03:00-04:00" - Perform backups between 3:00 AM and 4:00 AM UTC
  • --apply-immediately - Apply changes now instead of waiting for maintenance window

Find instances without backups

To list all RDS instances with backup retention period of 0 (backups disabled):

aws rds describe-db-instances \
  --query "DBInstances[?BackupRetentionPeriod==\`0\`].[DBInstanceIdentifier,Engine,BackupRetentionPeriod]" \
  --output table \
  --region us-east-1
CloudFormation (optional)

CloudFormation template

This template creates an RDS instance with automated backups enabled.

AWSTemplateFormatVersion: '2010-09-09'
Description: RDS instance with automated backups enabled

Parameters:
  DBInstanceIdentifier:
    Type: String
    Description: Unique identifier for the RDS instance
  DBInstanceClass:
    Type: String
    Default: db.t3.micro
    Description: The compute and memory capacity of the DB instance
  Engine:
    Type: String
    Default: mysql
    AllowedValues:
      - mysql
      - postgres
      - mariadb
    Description: The database engine to use
  MasterUsername:
    Type: String
    Description: Master username for the database
  MasterUserPassword:
    Type: String
    NoEcho: true
    Description: Master password for the database
  AllocatedStorage:
    Type: Number
    Default: 20
    Description: The size of the database (GiB)
  BackupRetentionPeriod:
    Type: Number
    Default: 7
    MinValue: 1
    MaxValue: 35
    Description: Number of days to retain automated backups (1-35)
  PreferredBackupWindow:
    Type: String
    Default: '03:00-04:00'
    Description: Daily time range during which automated backups are created (UTC)

Resources:
  RDSInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: !Ref DBInstanceIdentifier
      DBInstanceClass: !Ref DBInstanceClass
      Engine: !Ref Engine
      MasterUsername: !Ref MasterUsername
      MasterUserPassword: !Ref MasterUserPassword
      AllocatedStorage: !Ref AllocatedStorage
      BackupRetentionPeriod: !Ref BackupRetentionPeriod
      PreferredBackupWindow: !Ref PreferredBackupWindow
      StorageType: gp2
      PubliclyAccessible: false
      DeletionProtection: true
    DeletionPolicy: Snapshot
    UpdateReplacePolicy: Snapshot

Outputs:
  DBInstanceEndpoint:
    Description: Connection endpoint for the RDS instance
    Value: !GetAtt RDSInstance.Endpoint.Address
  DBInstancePort:
    Description: Port for the RDS instance
    Value: !GetAtt RDSInstance.Endpoint.Port

Key configuration: The BackupRetentionPeriod property must be set to at least 1 to enable automated backups.

Terraform (optional)

Terraform configuration

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "db_instance_identifier" {
  description = "Unique identifier for the RDS instance"
  type        = string
}

variable "db_instance_class" {
  description = "The compute and memory capacity of the DB instance"
  type        = string
  default     = "db.t3.micro"
}

variable "engine" {
  description = "The database engine to use"
  type        = string
  default     = "mysql"
}

variable "engine_version" {
  description = "The engine version to use"
  type        = string
  default     = "8.0"
}

variable "allocated_storage" {
  description = "The size of the database (GiB)"
  type        = number
  default     = 20
}

variable "db_name" {
  description = "Name of the database to create"
  type        = string
}

variable "username" {
  description = "Master username for the database"
  type        = string
}

variable "password" {
  description = "Master password for the database"
  type        = string
  sensitive   = true
}

variable "backup_retention_period" {
  description = "Number of days to retain automated backups (1-35)"
  type        = number
  default     = 7

  validation {
    condition     = var.backup_retention_period >= 1 && var.backup_retention_period <= 35
    error_message = "Backup retention period must be between 1 and 35 days."
  }
}

variable "backup_window" {
  description = "Daily time range during which automated backups are created (UTC)"
  type        = string
  default     = "03:00-04:00"
}

resource "aws_db_instance" "main" {
  identifier     = var.db_instance_identifier
  instance_class = var.db_instance_class
  engine         = var.engine
  engine_version = var.engine_version

  allocated_storage = var.allocated_storage
  storage_type      = "gp2"

  db_name  = var.db_name
  username = var.username
  password = var.password

  # Backup configuration - this is the key setting for this check
  backup_retention_period = var.backup_retention_period
  backup_window           = var.backup_window

  # Security best practices
  publicly_accessible       = false
  deletion_protection       = true
  skip_final_snapshot       = false
  final_snapshot_identifier = "${var.db_instance_identifier}-final-snapshot"

  tags = {
    Name = var.db_instance_identifier
  }
}

output "db_instance_endpoint" {
  description = "Connection endpoint for the RDS instance"
  value       = aws_db_instance.main.endpoint
}

output "db_instance_arn" {
  description = "ARN of the RDS instance"
  value       = aws_db_instance.main.arn
}

Key configuration: The backup_retention_period argument must be set to at least 1 to enable automated backups.

Verification

After making changes, verify that backups are enabled:

  1. In the RDS console, select your database instance
  2. Check the Configuration tab
  3. Look for Backup retention period - it should show a value of 1 day or more
Verify using AWS CLI
aws rds describe-db-instances \
  --db-instance-identifier <your-db-instance-id> \
  --query "DBInstances[0].[DBInstanceIdentifier,BackupRetentionPeriod,PreferredBackupWindow]" \
  --output table \
  --region us-east-1

The BackupRetentionPeriod value should be 1 or greater.

Additional Resources

Notes

  • Backup window: Choose a time when your database has low activity. Backups can cause brief I/O suspension.
  • Retention period: Longer retention periods use more storage and increase costs. Balance your recovery needs with cost.
  • Read replicas: If your RDS instance is a read replica, backups are managed by the primary instance, not the replica.
  • Aurora: Amazon Aurora handles backups differently with continuous backups to S3. This check applies to standard RDS instances.
  • Cost: Backup storage up to the size of your database is free. Additional backup storage is charged per GB-month.
  • Cross-region backups: For disaster recovery, consider enabling cross-region automated backups for critical databases.