A short backup retention period can limit an organization’s ability to recover data after a security incident.

Why is this an issue?

Backups allow an organization to recover data after corruption, deletion, or a security incident. When the backup retention period is too short, no usable backup may be available at the time recovery is needed.

What is the potential impact?

Insufficient recovery window

If data is corrupted or deleted and the issue goes undetected until after the retention period expires, the organization may be unable to restore the affected data. This can result in permanent data loss, extended service outages, and failure to meet regulatory or compliance obligations.

How to fix it

Code examples

The following code is vulnerable because the backup retention period is set too short, leaving insufficient time to detect and recover from a security incident or data loss event.

Noncompliant code example

AWSTemplateFormatVersion: 2010-09-09
Resources:
  relationaldatabase:
    Type: 'AWS::RDS::DBInstance'
    Properties:
      DBName: NonCompliantDatabase
      BackupRetentionPeriod: 5 # Noncompliant

Compliant solution

AWSTemplateFormatVersion: 2010-09-09
Resources:
  relationaldatabase:
    Type: 'AWS::RDS::DBInstance'
    Properties:
      DBName: CompliantDatabase
      BackupRetentionPeriod: 30 # Compliant: automated backups are kept for 30 days
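As an added example (not the rule page's own code), the Python script below performs the same check over a CloudFormation template in its JSON form: it flags any AWS::RDS::DBInstance or AWS::RDS::DBCluster whose BackupRetentionPeriod is below a minimum, assumed here to be the 30 days of the compliant solution, and also catches the cases the YAML examples do not show, namely the property being omitted (AWS then defaults to 1 day), set to 0 (backups disabled), or supplied through a parameter. The sample template is constructed for this example.

```python
import json

# Resource types whose automated-backup window is set by BackupRetentionPeriod.
# Per the AWS CloudFormation docs the property defaults to 1 day when omitted,
# and a value of 0 disables automated backups entirely.
BACKUP_RESOURCE_TYPES = {"AWS::RDS::DBInstance", "AWS::RDS::DBCluster"}
AWS_DEFAULT_RETENTION_DAYS = 1

def check_backup_retention(template, minimum_days=30):
    findings = []  # (logical_id, days, reason) per resource below minimum_days
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in BACKUP_RESOURCE_TYPES:
            continue
        props = resource.get("Properties", {})
        if "BackupRetentionPeriod" not in props:
            findings.append((name, AWS_DEFAULT_RETENTION_DAYS, "property omitted; 1-day default applies"))
            continue
        value = props["BackupRetentionPeriod"]
        if isinstance(value, str) and value.isdigit():
            value = int(value)  # CloudFormation also accepts numeric strings
        if isinstance(value, bool) or not isinstance(value, int):
            findings.append((name, None, "intrinsic value (Ref/Fn::); verify at deploy time"))
        elif value == 0:
            findings.append((name, 0, "automated backups disabled"))
        elif value < minimum_days:
            findings.append((name, value, f"retention below {minimum_days} days"))
    return findings

# Constructed sample template (CloudFormation JSON form) mirroring the page's two
# examples, plus edge cases: property omitted, set to "0", and set via a parameter.
SAMPLE_TEMPLATE = json.loads("""{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {"RetentionDays": {"Type": "Number", "Default": "7"}},
  "Resources": {
    "noncompliantdb": {"Type": "AWS::RDS::DBInstance",
      "Properties": {"DBName": "NonCompliantDatabase", "BackupRetentionPeriod": 5}},
    "compliantdb": {"Type": "AWS::RDS::DBInstance",
      "Properties": {"DBName": "CompliantDatabase", "BackupRetentionPeriod": 30}},
    "defaultcluster": {"Type": "AWS::RDS::DBCluster", "Properties": {"Engine": "aurora-mysql"}},
    "disabledcluster": {"Type": "AWS::RDS::DBCluster",
      "Properties": {"Engine": "aurora-mysql", "BackupRetentionPeriod": "0"}},
    "parameterised": {"Type": "AWS::RDS::DBInstance",
      "Properties": {"BackupRetentionPeriod": {"Ref": "RetentionDays"}}},
    "bucket": {"Type": "AWS::S3::Bucket"}
  }
}""")

if __name__ == "__main__":
    for logical_id, days, reason in check_backup_retention(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {reason} (BackupRetentionPeriod={days})")
```

Running the script lists four findings; only compliantdb and the non-RDS bucket pass.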
