DocumentDB Sufficient Backup Retention Period

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: DocumentDB-001

Ensure that your Amazon DocumentDB database clusters have a minimum backup retention period set, in order to meet your organization's compliance requirements. The retention period is the number of days that automated backups (snapshots) are retained before they are deleted. Trend Cloud One™ – Conformity recommends a minimum (default) retention period of 7 (seven) days, but you can adjust the parameter value in the conformity rule settings to narrow or extend the default retention period.

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

Setting a minimum retention period for your Amazon DocumentDB clusters keeps your backup strategy aligned with the best practices specified in compliance regulations. DocumentDB cluster backups are continuous and incremental, allowing you to restore quickly to any point within the configured backup retention period (between 1 and 35 days). Retaining DocumentDB backups for a longer period lets you handle data restoration more efficiently in the event of a failure.

Note: This guide uses 7 days (recommended) as the threshold for a sufficient backup retention period. However, you can adjust the number of days (up to 35) at any time to suit your requirements.


Audit

To determine if your Amazon DocumentDB clusters have a sufficient backup retention period configured for automated backups, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon DocumentDB console at https://console.aws.amazon.com/docdb.

03 In the main navigation panel, under Amazon DocumentDB, choose Clusters.

04 Click on the name (link) of the database cluster that you want to examine.

05 Select the Configuration tab to access the cluster configuration panel.

06 In the Cluster details section choose Modify to access the configuration settings available for the selected cluster.

07 In the Backup section, check the retention period selected from the Backup retention period dropdown list. If the selected backup retention period is less than 7 days, the backup configuration available for the selected Amazon DocumentDB database cluster is not compliant.

08 Repeat steps no. 4 – 7 for each DocumentDB database cluster available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run the describe-db-clusters command (OSX/Linux/UNIX) to list the names of all Amazon DocumentDB database clusters available within the selected AWS region:

aws docdb describe-db-clusters \
  --region us-east-1 \
  --output table \
  --query 'DBClusters[*].DBClusterIdentifier'

02 The command output should return a table with the requested database cluster names:

---------------------------
|   DescribeDBClusters    |
+-------------------------+
|  cc-prod-docdb-cluster  |
|  cc-test-docdb-cluster  |
+-------------------------+

03 Run the describe-db-clusters command (OSX/Linux/UNIX) with the name of the DocumentDB database cluster that you want to examine as the identifier parameter, and a custom query filter to describe the backup retention period configured for the selected database cluster:

aws docdb describe-db-clusters \
  --region us-east-1 \
  --db-cluster-identifier cc-prod-docdb-cluster \
  --query 'DBClusters[*].BackupRetentionPeriod'

04 The command output should return the retention period configured for the specified cluster:

[
	3
]

If the number returned by the describe-db-clusters command output is less than 7 (seven days), the backup configuration available for the selected Amazon DocumentDB database cluster is not compliant.

05 Repeat steps no. 3 and 4 for each DocumentDB database cluster available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
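The CLI audit above (steps 01 to 06) as one script that covers every enabled region, added here as an example that is not part of the original Conformity page: it runs the same describe-db-clusters query per region and flags clusters whose retention is below the threshold. The region discovery via `aws ec2 describe-regions`, the `--live` flag and the THRESHOLD variable are my own assumptions, not part of the rule.

```shell
#!/usr/bin/env bash
# Added example, not from the Conformity page: flag DocumentDB clusters in every
# enabled region whose automated-backup retention is below the threshold.
set -eu
THRESHOLD="${THRESHOLD:-7}"   # days; align with the value in your conformity rule settings
TAB="$(printf '\t')"

# Pure check on one cluster's retention value: succeeds when it meets the threshold.
is_compliant() {
  [ "$1" -ge "${2:-$THRESHOLD}" ]
}

# Evaluate lines of "<cluster-id><TAB><retention-days>", which is what
# `aws docdb describe-db-clusters --output text` prints for the query used below.
# Prints "<region> <cluster-id> <days> COMPLIANT|NON-COMPLIANT" per cluster and
# returns 1 if at least one cluster is non-compliant, 0 otherwise.
evaluate_clusters() {
  local region="$1" lines="$2" threshold="${3:-$THRESHOLD}" rc=0 id days
  while IFS="$TAB" read -r id days; do
    [ -n "$id" ] || continue            # a region with no clusters yields one empty line
    if is_compliant "$days" "$threshold"; then
      echo "$region $id $days COMPLIANT"
    else
      echo "$region $id $days NON-COMPLIANT"
      rc=1
    fi
  done <<EOF
$lines
EOF
  return "$rc"
}

# Live audit over every region enabled for the account (assumption: the caller
# holds ec2:DescribeRegions and rds:DescribeDBClusters permissions).
audit_all_regions() {
  local failed=0 region out
  for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    out=$(aws docdb describe-db-clusters --region "$region" \
            --query 'DBClusters[*].[DBClusterIdentifier,BackupRetentionPeriod]' \
            --output text)
    evaluate_clusters "$region" "$out" || failed=1
  done
  return "$failed"
}

# Only contact AWS when asked, so the evaluation logic can be exercised offline.
if [ "${1:-}" = "--live" ]; then
  audit_all_regions
fi
```

Run it as `./docdb-retention-audit.sh --live`; a non-zero exit status means at least one cluster in some region is below the threshold.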

Remediation / Resolution

To update your Amazon DocumentDB cluster backup configuration in order to extend the backup retention period for compliance purposes, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"DocumentDBCluster": {
			"Type": "AWS::DocDB::DBCluster",
			"Properties": {
				"DBClusterIdentifier": "cc-prod-docdb-cluster",
				"DBClusterParameterGroupName": "default.docdb3.6",
				"DBSubnetGroupName": "default",
				"MasterUsername": "[docdb-master-username]",
				"MasterUserPassword": "[docdb-master-password]",
				"Port": "27017",
				"StorageEncrypted": true,
				"PreferredBackupWindow": "07:30-08:30",
				"PreferredMaintenanceWindow": "sat:04:00-sat:05:00",
				"SnapshotIdentifier": "cc-prod-cluster-snapshot",
				"BackupRetentionPeriod": 7
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  DocumentDBCluster:
    Type: AWS::DocDB::DBCluster
    Properties:
      DBClusterIdentifier: cc-prod-docdb-cluster
      DBClusterParameterGroupName: default.docdb3.6
      DBSubnetGroupName: default
      MasterUsername: '[docdb-master-username]'
      MasterUserPassword: '[docdb-master-password]'
      Port: '27017'
      StorageEncrypted: true
      PreferredBackupWindow: '07:30-08:30'
      PreferredMaintenanceWindow: sat:04:00-sat:05:00
      SnapshotIdentifier: cc-prod-cluster-snapshot
      BackupRetentionPeriod: 7

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0" 
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_docdb_cluster" "documentdb-cluster" {
	cluster_identifier              = "cc-prod-docdb-cluster"
	engine                          = "docdb"
	db_cluster_parameter_group_name = "default.docdb3.6"
	db_subnet_group_name            = "default"
	port                            = 27017
	storage_encrypted               = true
	master_username                 = "[docdb-master-username]"
	master_password                 = "[docdb-master-password]"
	preferred_backup_window         = "07:30-08:30"
	preferred_maintenance_window    = "sat:04:00-sat:05:00"
	backup_retention_period         = 7
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon DocumentDB console at https://console.aws.amazon.com/docdb.

03 In the main navigation panel, under Amazon DocumentDB, choose Clusters.

04 Click on the name (link) of the database cluster that you want to reconfigure.

05 Select the Configuration tab to access the cluster configuration panel.

06 In the Cluster details section choose Modify to modify the backup configuration settings available for the selected cluster.

07 In the Backup section, select a sufficient and optimal backup retention period from the Backup retention period dropdown list, in accordance with the retention period specified in the conformity rule settings, in your Trend Cloud One™ – Conformity account.

08 Choose Continue and review the configuration changes that you want to apply, available in the Summary of modifications section.

09 In the Scheduling of modifications section, perform one of the following actions based on your workload requirements:

  1. Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.
  2. Select Apply immediately to apply the changes right away. With this option any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window configured for the selected database cluster. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your DocumentDB application.
  3. Choose Modify cluster to apply the configuration changes.

10 Repeat steps no. 4 – 9 for each DocumentDB database cluster available within the current AWS region.

11 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run the modify-db-cluster command (OSX/Linux/UNIX) to extend the backup retention period (in days) for automated backups of the selected Amazon DocumentDB database cluster. The following command request example sets the backup retention period to 7 days and uses the --apply-immediately parameter to apply the configuration changes asynchronously and as soon as possible. Any changes available in the pending modifications queue are also applied with this request. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your DocumentDB application. If you omit the --apply-immediately parameter from the command request, Amazon DocumentDB will apply your changes during the next maintenance window:

aws docdb modify-db-cluster \
  --region us-east-1 \
  --db-cluster-identifier cc-prod-docdb-cluster \
  --backup-retention-period 7 \
  --apply-immediately

02 The command output should return the configuration information available for the modified DocumentDB cluster:

{
	"DBCluster": {
		"VpcSecurityGroups": [
			{
				"Status": "active",
				"VpcSecurityGroupId": "sg-0abcd1234abcd1234"
			}
		],
		"Status": "available",
		"MultiAZ": false,
		"LatestRestorableTime": "2022-10-18T11:19:01.311Z",
		"PreferredBackupWindow": "00:00-00:30",
		"DBSubnetGroup": "default",
		"BackupRetentionPeriod": 7,
		"PreferredMaintenanceWindow": "sun:10:04-sun:10:34",
		"Engine": "docdb",

		...

		"EarliestRestorableTime": "2022-10-18T12:19:01.311Z",
		"ClusterCreateTime": "2022-10-13T11:11:43.111Z",
		"EngineVersion": "3.6.0",
		"DBClusterIdentifier": "cc-prod-docdb-cluster",
		"StorageEncrypted": true,
		"AssociatedRoles": [],
		"DBClusterParameterGroup": "default.docdb3.6",
		"AvailabilityZones": [
			"us-east-1b",
			"us-east-1c"
		],
		"Port": 27017
	}
}

03 Repeat steps no. 1 and 2 for each Amazon DocumentDB database cluster available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.