A short backup retention period can limit an organization’s ability to recover data after a security incident.

Why is this an issue?

Backups allow an organization to recover data after corruption, deletion, or a security incident. When the retention period is shorter than the time it takes to notice the problem, the last good backup may already have been rotated out, and every remaining backup may contain the same corrupted or encrypted data. At that point no usable backup is available when recovery is needed.

What is the potential impact?

Insufficient recovery window

If data is corrupted or deleted and the issue goes undetected until after the retention period expires, the organization may be unable to restore the affected data. This is a common outcome of slow-burning incidents such as ransomware or a compromised account quietly altering records over weeks. The result can be permanent data loss, extended service outages, and failure to meet regulatory or compliance obligations.

How to fix it in Amazon RDS

Code examples

The following code is vulnerable because the backup retention period is set too short, leaving insufficient time to detect and recover from a security incident or data loss event. On Amazon RDS, backup_retention_period is expressed in days and accepts values from 0 to 35; a value of 0 disables automated backups entirely, and the Terraform AWS provider defaults to 0 when the attribute is omitted, so leaving it out is worse than setting it too low. For Aurora, the retention period is configured on the aws_rds_cluster resource rather than on the instance.

Noncompliant code example

resource "aws_db_instance" "example" {
  # Automated backups are kept for only 5 days
  backup_retention_period = 5 # Noncompliant
}

Compliant solution

resource "aws_db_instance" "example" {
  # Keep automated backups for 30 days (RDS allows up to 35)
  backup_retention_period = 30
}

How to fix it in Azure Cosmos DB

Code examples

The following code is vulnerable because the backup retention period is set too short, leaving insufficient time to detect and recover from a security incident or data loss event. For Azure Cosmos DB accounts using periodic backup, retention_in_hours accepts values from 8 to 720 (30 days) and defaults to only 8 hours when omitted. Continuous backup mode does not use this attribute; its retention window is determined by the continuous backup tier instead.

Noncompliant code example

resource "azurerm_cosmosdb_account" "example" {
  backup {
    type = "Periodic"
    # 120 hours is only 5 days of recoverable history
    retention_in_hours = 120 # Noncompliant
  }
}

Compliant solution

resource "azurerm_cosmosdb_account" "example" {
  backup {
    type = "Periodic"
    # 720 hours = 30 days, the maximum for periodic backups
    retention_in_hours = 720
  }
}
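The two fixes above are the same rule applied to two providers. As an added example, not part of this rule page or of either provider's tooling, the following Python check applies that logic to Terraform source for both aws_db_instance and azurerm_cosmosdb_account in one pass. It assumes a 7-day minimum (MIN_RETENTION_DAYS, chosen for illustration; use the window your recovery plan actually needs), treats an omitted attribute as the provider default (0 days for RDS, which disables automated backups; 8 hours for Cosmos DB periodic backup), and skips Cosmos DB accounts in continuous backup mode because retention_in_hours does not apply there. The HCL in SAMPLE_HCL is constructed for the example; the function and helper names are the author's own.

```python
"""Flag Terraform database resources whose backup retention is too short."""
import re

# Policy threshold assumed for this example; adjust to your recovery requirements.
MIN_RETENTION_DAYS = 7

# Provider defaults applied when the attribute is omitted.
AWS_RDS_DEFAULT_DAYS = 0            # 0 also disables automated backups entirely
COSMOS_DEFAULT_RETENTION_HOURS = 8  # periodic backup default

_RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
_INT_ATTR_RE = r'\b{name}\s*=\s*(\d+)'

# Constructed sample: the rule page's four snippets plus two edge cases.
SAMPLE_HCL = '''
resource "aws_db_instance" "short" {
  engine                  = "postgres"
  backup_retention_period = 5
}

resource "aws_db_instance" "ok" {
  backup_retention_period = 30
}

resource "aws_db_instance" "no_retention" {
  engine = "mysql"
}

resource "azurerm_cosmosdb_account" "short" {
  backup {
    type               = "Periodic"
    retention_in_hours = 120
  }
}

resource "azurerm_cosmosdb_account" "ok" {
  backup {
    type               = "Periodic"
    retention_in_hours = 720
  }
}

resource "azurerm_cosmosdb_account" "continuous" {
  backup {
    type = "Continuous"
  }
}
'''


def _block_body(text, open_brace_idx):
    """Return the text between the brace at open_brace_idx and its matching close."""
    depth = 0
    for i in range(open_brace_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace_idx + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def _int_attr(body, name, default):
    """Read an integer attribute from a block body, falling back to the provider default."""
    m = re.search(_INT_ATTR_RE.format(name=name), body)
    return int(m.group(1)) if m else default


def check_backup_retention(hcl, min_days=MIN_RETENTION_DAYS):
    """Return (resource_address, retention_days, message) for each non-compliant resource."""
    findings = []
    for m in _RESOURCE_RE.finditer(hcl):
        rtype, rname = m.group(1), m.group(2)
        address = f"{rtype}.{rname}"
        body = _block_body(hcl, m.end() - 1)  # m.end() - 1 is the opening brace

        if rtype == "aws_db_instance":
            days = _int_attr(body, "backup_retention_period", AWS_RDS_DEFAULT_DAYS)
            if days == 0:
                findings.append((address, 0, "automated backups disabled (backup_retention_period = 0)"))
            elif days < min_days:
                findings.append((address, days, f"retention of {days} days is below the {min_days}-day minimum"))

        elif rtype == "azurerm_cosmosdb_account":
            bm = re.search(r'\bbackup\s*\{', body)
            if bm is None:  # no backup block: Azure applies periodic mode with the default retention
                btype, hours = "Periodic", COSMOS_DEFAULT_RETENTION_HOURS
            else:
                backup_body = _block_body(body, bm.end() - 1)
                tm = re.search(r'\btype\s*=\s*"([^"]+)"', backup_body)
                btype = tm.group(1) if tm else "Periodic"
                hours = _int_attr(backup_body, "retention_in_hours", COSMOS_DEFAULT_RETENTION_HOURS)
            if btype != "Periodic":
                continue  # continuous backup retention is set by its tier, not by this attribute
            days = hours / 24
            if days < min_days:
                findings.append((address, days, f"retention of {hours} hours ({days:g} days) is below the {min_days}-day minimum"))
    return findings


if __name__ == "__main__":
    for address, _, message in check_backup_retention(SAMPLE_HCL):
        print(f"{address}: {message}")
```

Run against the constructed sample, the check reports aws_db_instance.short, aws_db_instance.no_retention (backups disabled because the attribute was omitted) and azurerm_cosmosdb_account.short, and stays silent on the two 30-day resources and the continuous-mode account. The brace-matching scanner is deliberately minimal; for production use, feed the same policy into a proper HCL parser or a policy-as-code tool rather than regular expressions.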

Resources

Documentation