Profile Applicability:
Level 1


Description:
This control ensures that Amazon Relational Database Service (RDS) instances have automated backups enabled. Automated backups allow point-in-time recovery of databases within a specified retention period, ensuring that data can be restored in case of accidental deletion, corruption, or system failure. Enabling automated backups is a key element of maintaining data availability and integrity.


Rationale:
Automated backups are critical for disaster recovery, business continuity, and compliance. They ensure that an up-to-date copy of database data is available for restoration when needed. Without backups, data loss due to misconfigurations, malicious activity, or infrastructure failure may be permanent. This control also supports compliance with security frameworks that require data protection and recovery measures, such as SOC 2, ISO 27001, and CIS.


Impact:
Positive Impact:

  • Enables point-in-time recovery for critical databases.

  • Protects against accidental or malicious data loss.

  • Meets compliance and audit requirements for data protection.

Negative Impact:

  • Increases storage costs due to retention of automated backups.

  • May cause minor performance overhead during the backup process.

Default Value:
By default, automated backups are enabled when an RDS instance is created using the AWS Console (with a default retention period of 7 days). However, they may be disabled manually or through specific configurations, especially for custom setups.

Pre-Requisite:

  • IAM permissions required: rds:DescribeDBInstances, rds:ModifyDBInstance, rds:DescribeDBSnapshots.

  • RDS instance must not be part of a read replica-only configuration (backups are disabled for replicas).

Test Plan:
Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon RDS → Databases.

  3. Select an RDS instance and go to the Maintenance & backups tab.

  4. Under the Automated backups section, verify that:

    • Backup retention period is greater than 0 (e.g., 7 days).

    • Automated backups status is set to Enabled.

  5. If backups are disabled (retention period = 0), this control is non-compliant.

Implementation Plan:
Using AWS Console:

  1. Navigate to Amazon RDS → Databases.

  2. Select the RDS instance for which you want to enable backups.

  3. Click Modify in the top-right corner.

  4. Scroll to the Maintenance & backups section.

  5. Under Backup, ensure the Enable automated backups checkbox is selected.

  6. Set the Backup retention period to at least 7 days (recommended).

  7. Optionally, configure:

    • Preferred backup window – a time period when backups can run with minimal performance impact.

    • Copy tags to snapshots – to include metadata in backups.

  8. Click Continue → Modify DB Instance to apply the changes.

  9. Backups will begin automatically according to the defined schedule.
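The same Test Plan and Implementation Plan, carried out with the AWS CLI instead of the console, as an added example that is not part of the benchmark text. It assumes an AWS CLI profile holding the rds:DescribeDBInstances and rds:ModifyDBInstance permissions listed under Pre-Requisite; the instance names used in the usage comment are placeholders.

```shell
# Added example (not part of the benchmark): audit and remediate RDS automated
# backups with the AWS CLI. Assumes a configured AWS CLI profile with the
# rds:DescribeDBInstances and rds:ModifyDBInstance permissions.
MIN_RETENTION_DAYS=7   # the benchmark's recommended minimum retention

# One tab-separated line per instance: identifier, retention days, read-replica
# source identifier ("None" when the instance is not a replica).
fetch_backup_config() {
  aws rds describe-db-instances \
    --query 'DBInstances[].[DBInstanceIdentifier,BackupRetentionPeriod,ReadReplicaSourceDBInstanceIdentifier]' \
    --output text
}

# Reads those lines on stdin and prints "<id> <status> <days>" per instance.
# Returns 1 if any primary instance has retention 0 (backups disabled).
audit_backup_config() {
  rc=0
  while IFS="$(printf '\t')" read -r id days source; do
    [ -n "$id" ] || continue
    if [ "$source" != "None" ]; then
      status=SKIP_REPLICA            # prerequisite: replicas are out of scope
    elif [ "$days" -eq 0 ]; then
      status=NON_COMPLIANT; rc=1     # test plan step 5: retention 0 fails
    elif [ "$days" -lt "$MIN_RETENTION_DAYS" ]; then
      status=BELOW_RECOMMENDED       # passes, but below the 7-day recommendation
    else
      status=COMPLIANT
    fi
    printf '%s %s %s\n' "$id" "$status" "$days"
  done
  return "$rc"
}

# Implementation plan in CLI form: enable backups with the recommended retention,
# copy tags to snapshots, and apply now rather than at the next maintenance window.
remediate_backup_config() {
  aws rds modify-db-instance \
    --db-instance-identifier "$1" \
    --backup-retention-period "$MIN_RETENTION_DAYS" \
    --copy-tags-to-snapshot \
    --apply-immediately
}

# Usage (placeholder instance name):
#   fetch_backup_config | audit_backup_config
#   remediate_backup_config legacy-db
```

A non-zero exit from audit_backup_config marks the control non-compliant, so the pipeline can gate a CI or compliance job directly.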

Backout Plan:

  1. If you need to disable automated backups temporarily (for example, in a testing environment):

    • Navigate to RDS → Databases → Modify Instance.

    • Uncheck Enable automated backups and set the Backup retention period to 0.

  2. Note: Disabling automated backups deletes all existing backup data. Ensure that manual snapshots are taken before disabling this feature.

References: