RDS cluster without backup plan

ID

rds_cluster_no_backup_plan

Severity

low

Vendor

AWS

Resource

RDS

Tags

non-reachable

Description

A sound backup and restore strategy is essential for the availability of database systems. AWS provides AWS Backup, a managed, centralized service for orchestrating database backup operations.

This detector ensures that every RDS cluster is the target of a backup plan. It reports a flaw on each RDS cluster (aws_rds_cluster resource) that is not connected to a backup plan (aws_backup_plan resource) through an aws_backup_selection resource.

Examples

resource "aws_rds_cluster" "rds_cluster" { (1)
  cluster_identifier      = "aurora-cluster-demo"
  engine                  = "aurora-mysql"
  // ...
}
1 RDS cluster without backup plan.

Mitigation / Fix

Buildtime

Terraform

resource "aws_rds_cluster" "rds_cluster" {
  cluster_identifier      = "aurora-cluster-demo"
  engine                  = "aurora-mysql"
  // ...
}
resource "aws_backup_plan" "backup_plan" {
  name = "tf_example_backup_plan"

  rule {
    rule_name         = "tf_example_backup_rule"
    target_vault_name = "vault-name"
    schedule          = "cron(0 12 * * ? *)"
  }
}

resource "aws_backup_selection" "backup_selection" {
  iam_role_arn = "arn:partition:service:region:account-id:resource-id"
  name         = "tf_example_backup_selection"
  plan_id      = aws_backup_plan.backup_plan.id (1)

  resources = [
    aws_rds_cluster.rds_cluster.arn (2)
  ]
}
1 the backup plan
2 the resources under the backup plan (includes the RDS cluster)
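The check the description above performs, and the coverage the Terraform fix establishes, can be expressed as a small graph walk: an RDS cluster is covered only if some aws_backup_selection lists its ARN and that selection's plan_id points at an aws_backup_plan that actually exists in the configuration. The following Python is an added example written for this page, not the detector's own implementation. It assumes a simplified, constructed representation of the Terraform resources (type, name, attributes with references kept as strings such as "aws_rds_cluster.rds_cluster.arn"), and it also treats the AWS Backup wildcard selector "*" as covering every cluster, which the page's fix does not use.

```python
"""Detector logic for rds_cluster_no_backup_plan over a simplified Terraform
resource graph. Added example; not the scanner's own code."""
from dataclasses import dataclass, field


@dataclass
class Resource:
    """One Terraform resource block, with attribute values kept as plain
    strings/lists; references stay as 'type.name.attr' strings (constructed
    representation, not the real HCL parser output)."""
    type: str
    name: str
    attrs: dict = field(default_factory=dict)

    @property
    def address(self) -> str:
        return f"{self.type}.{self.name}"


def _strings(value):
    """Yield every string found in an attribute value (string or nested list)."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (list, tuple)):
        for item in value:
            yield from _strings(item)


def _resource_address(ref: str) -> str:
    """'aws_rds_cluster.x.arn' -> 'aws_rds_cluster.x' (drop the attribute)."""
    return ref.rsplit(".", 1)[0]


def covered_clusters(resources):
    """Addresses of aws_rds_cluster resources that an aws_backup_selection
    attaches to an existing aws_backup_plan."""
    by_address = {r.address: r for r in resources}
    cluster_addresses = {r.address for r in resources if r.type == "aws_rds_cluster"}
    covered = set()
    for selection in resources:
        if selection.type != "aws_backup_selection":
            continue
        plan_ref = selection.attrs.get("plan_id", "")
        plan = by_address.get(_resource_address(plan_ref))
        if plan is None or plan.type != "aws_backup_plan":
            # A selection pointing at a non-existent plan gives no protection.
            continue
        for ref in _strings(selection.attrs.get("resources", [])):
            if ref == "*":  # assumption: AWS Backup 'all resources' wildcard
                covered.update(cluster_addresses)
            elif ref.startswith("aws_rds_cluster."):
                covered.add(_resource_address(ref))
    return covered


def find_flaws(resources):
    """Sorted addresses of RDS clusters that no valid backup selection covers."""
    covered = covered_clusters(resources)
    return sorted(
        r.address for r in resources
        if r.type == "aws_rds_cluster" and r.address not in covered
    )


# Constructed inputs mirroring the page's flawed and fixed configurations.
CLUSTER = Resource("aws_rds_cluster", "rds_cluster",
                   {"cluster_identifier": "aurora-cluster-demo", "engine": "aurora-mysql"})
PLAN = Resource("aws_backup_plan", "backup_plan", {"name": "tf_example_backup_plan"})
SELECTION = Resource("aws_backup_selection", "backup_selection", {
    "name": "tf_example_backup_selection",
    "plan_id": "aws_backup_plan.backup_plan.id",
    "resources": ["aws_rds_cluster.rds_cluster.arn"],
})
FLAWED = [CLUSTER]                       # the 'Examples' block: cluster only
FIXED = [CLUSTER, PLAN, SELECTION]       # the 'Mitigation / Fix' block
DANGLING = [CLUSTER, SELECTION]          # selection present, plan missing
WILDCARD = [CLUSTER, PLAN, Resource("aws_backup_selection", "all", {
    "plan_id": "aws_backup_plan.backup_plan.id", "resources": ["*"]})]

if __name__ == "__main__":
    for label, cfg in (("flawed", FLAWED), ("fixed", FIXED),
                       ("dangling", DANGLING), ("wildcard", WILDCARD)):
        print(f"{label}: {find_flaws(cfg) or 'no flaws'}")
```

Note that a selection whose plan_id does not resolve to an aws_backup_plan is deliberately ignored: it is the plan, not the selection, that schedules backups, so such a selection must not silence the finding. Literal ARN strings in resources are also not matched to Terraform addresses here, since they cannot be tied to a resource in the same configuration.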