RDS With Backup Disabled
- Query id: 8c415f6f-7b90-4a27-a44a-51047e1506f9
- Query name: RDS With Backup Disabled
- Platform: CloudFormation
- Severity: Medium
- Category: Backup
- CWE: 754
- URL: Github
Description
Make sure the AWS RDS configuration has automatic backups configured. If the retention period (BackupRetentionPeriod) is equal to 0, there is no backup.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
Resources:
  MyDB:
    Type: AWS::RDS::DBInstance
    Properties:
      DBSecurityGroups:
        - Ref: MyDbSecurityByEC2SecurityGroup
        - Ref: MyDbSecurityByCIDRIPGroup
      AllocatedStorage: '5'
      DBInstanceClass: db.t2.small
      Engine: oracle-ee
      LicenseModel: bring-your-own-license
      MasterUsername: master
      MasterUserPassword: SecretPassword01
      BackupRetentionPeriod: 0
    DeletionPolicy: Snapshot
Positive test num. 2 - json file
{
  "Resources": {
    "MyDB": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "BackupRetentionPeriod": 0,
        "DBSecurityGroups": [
          {
            "Ref": "MyDbSecurityByEC2SecurityGroup"
          },
          {
            "Ref": "MyDbSecurityByCIDRIPGroup"
          }
        ],
        "AllocatedStorage": "5",
        "DBInstanceClass": "db.t2.small",
        "Engine": "oracle-ee",
        "LicenseModel": "bring-your-own-license",
        "MasterUsername": "master",
        "MasterUserPassword": "SecretPassword01"
      },
      "DeletionPolicy": "Snapshot"
    }
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
Resources:
  MyDB:
    Type: AWS::RDS::DBInstance
    Properties:
      DBSecurityGroups:
        - Ref: MyDbSecurityByEC2SecurityGroup
        - Ref: MyDbSecurityByCIDRIPGroup
      AllocatedStorage: '5'
      DBInstanceClass: db.t2.small
      Engine: oracle-ee
      LicenseModel: bring-your-own-license
      MasterUsername: master
      MasterUserPassword: SecretPassword01
      BackupRetentionPeriod: 7
    DeletionPolicy: Snapshot
Negative test num. 2 - json file
{
  "Resources": {
    "MyDB": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "BackupRetentionPeriod": 7,
        "DBSecurityGroups": [
          {
            "Ref": "MyDbSecurityByEC2SecurityGroup"
          },
          {
            "Ref": "MyDbSecurityByCIDRIPGroup"
          }
        ],
        "AllocatedStorage": "5",
        "DBInstanceClass": "db.t2.small",
        "Engine": "oracle-ee",
        "LicenseModel": "bring-your-own-license",
        "MasterUsername": "master",
        "MasterUserPassword": "SecretPassword01"
      },
      "DeletionPolicy": "Snapshot"
    }
  }
}
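The check from the description, as an added example in Python (not the query's own code and not part of the original page). It goes beyond the literal `0` in the samples above by also handling a string "0" and a `Ref` to a template parameter whose `Default` is 0. The function names, status labels and sample template are assumptions made for this illustration.

```python
import json

# Constructed sample template (not from the page).
TEMPLATE = json.loads("""
{
  "Parameters": {"Retention": {"Type": "Number", "Default": 0}},
  "Resources": {
    "LiteralZero": {"Type": "AWS::RDS::DBInstance",
                    "Properties": {"BackupRetentionPeriod": "0"}},
    "ViaParameter": {"Type": "AWS::RDS::DBInstance",
                     "Properties": {"BackupRetentionPeriod": {"Ref": "Retention"}}},
    "SevenDays": {"Type": "AWS::RDS::DBInstance",
                  "Properties": {"BackupRetentionPeriod": 7}},
    "Imported": {"Type": "AWS::RDS::DBInstance",
                 "Properties": {"BackupRetentionPeriod": {"Fn::ImportValue": "x"}}},
    "Bucket": {"Type": "AWS::S3::Bucket"}
  }
}
""")

def resolve(value, parameters):
    """Return the retention period as an int, or None when it cannot be
    determined statically (intrinsic function, parameter without Default)."""
    if isinstance(value, dict) and set(value) == {"Ref"}:
        value = parameters.get(value["Ref"], {}).get("Default")
    if isinstance(value, bool):
        return None
    if isinstance(value, int):
        return value
    if isinstance(value, str) and value.strip().isdigit():
        return int(value)
    return None

def check_template(template):
    """Map each RDS instance's logical ID to disabled, ok, unresolved or unset."""
    params = template.get("Parameters", {})
    results = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::RDS::DBInstance":
            continue
        props = res.get("Properties", {})
        if "BackupRetentionPeriod" not in props:
            results[name] = "unset"  # property absent: left for manual review
            continue
        days = resolve(props["BackupRetentionPeriod"], params)
        results[name] = ("unresolved" if days is None
                         else "disabled" if days == 0 else "ok")
    return results

if __name__ == "__main__":
    for name, status in check_template(TEMPLATE).items():
        print(f"{name}: {status}")
```

A parameter default can be overridden at deploy time, so a `disabled` result reached through a `Ref` describes the template's default behaviour rather than every deployment of it.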