
RDS instance has backup retention period greater than 0 days

rds_instance_backup_enabled

Severity: medium
Service: rds
by Prowler

RDS DB instances are evaluated for automated backups by confirming the backup retention period is greater than 0 days, indicating point-in-time recovery is configured.

Risk

Without automated backups, you lose point-in-time recovery, impacting availability and integrity.

Accidental deletes, destructive queries, or compromised accounts can cause unrecoverable data loss and prolonged outages, preventing reliable rollback during incidents.

Run this check with Prowler CLI

prowler aws --checks rds_instance_backup_enabled

Recommendation

Enable automated backups with retention > 0 aligned to RPO/RTO. Regularly test restores to validate PITR.

Apply least privilege to backup access, encrypt snapshots, and replicate critical backups to separate locations for defense in depth and resilient recovery.

Remediation

CLI

aws rds modify-db-instance --db-instance-identifier <db_instance_id> --backup-retention-period 1 --apply-immediately

Other
  1. Open the AWS Management Console and go to RDS > Databases
  2. Select the target DB instance and click Modify
  3. In the Backup section, set Backup retention period to 1 day (or more)
  4. Check Apply immediately
  5. Click Continue (if shown) and then Modify DB instance
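
The following is an added example, not Prowler's source code: it applies the rule described above (backup retention period greater than 0 days) to output shaped like `aws rds describe-db-instances` and builds the remediation command from this page for each failing instance. The sample instances, the `evaluate` helper, and the `min_days` parameter are assumptions made for illustration.

```python
import json
import shlex

# Constructed sample in the shape of `aws rds describe-db-instances` output.
SAMPLE = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres", "BackupRetentionPeriod": 7},
  {"DBInstanceIdentifier": "reports-dev", "Engine": "mysql", "BackupRetentionPeriod": 0},
  {"DBInstanceIdentifier": "legacy-import", "Engine": "mariadb"}
]}
""")


def evaluate(response, min_days=1):
    """Return one finding per instance; FAIL when retention is below min_days.

    min_days=1 mirrors the check (retention > 0). Raising it to match an
    RPO-driven policy is an assumption of this example, not Prowler behaviour.
    """
    if min_days < 1:
        raise ValueError("min_days must be at least 1")
    findings = []
    for db in response.get("DBInstances", []):
        ident = db["DBInstanceIdentifier"]
        # A missing field is treated as 0 so an incomplete record cannot pass.
        days = int(db.get("BackupRetentionPeriod") or 0)
        finding = {"id": ident, "retention_days": days,
                   "status": "PASS" if days >= min_days else "FAIL"}
        if finding["status"] == "FAIL":
            # Remediation command from this page, with the identifier quoted.
            finding["fix"] = (
                "aws rds modify-db-instance --db-instance-identifier "
                f"{shlex.quote(ident)} --backup-retention-period {min_days} "
                "--apply-immediately")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE):
        print(f["status"], f["id"], f["retention_days"], f.get("fix", ""))
```

To evaluate a real account, pass the parsed JSON from `aws rds describe-db-instances --output json` to `evaluate` in place of the constructed sample.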

Resource Type

AwsRdsDbInstance
