turbot/steampipe-mod-aws-compliance

Control: 2 Amazon DocumentDB clusters should have an adequate backup retention period

Description

This control checks whether an Amazon DocumentDB cluster has a backup retention period greater than or equal to 7 days. The control fails if the backup retention period is less than 7 days.

Backups help you recover more quickly from a security incident and strengthen the resilience of your systems. By automating backups for your Amazon DocumentDB clusters, you'll be able to restore your systems to a point in time and minimize downtime and data loss. Amazon DocumentDB clusters have a default backup retention period of 1 day, which should be increased to 7 days to pass this control.

Remediation

To change the backup retention period for your Amazon DocumentDB clusters, see Modifying an Amazon DocumentDB Cluster in the Amazon DocumentDB Developer Guide. For Backup, choose a value greater than or equal to 7.
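The same change can be made from the command line. This is an added example, not part of the mod or the AWS guide; it assumes the AWS CLI is installed with credentials allowed to describe and modify DocumentDB clusters, and the function names and the `DRY_RUN` switch are hypothetical.

```sh
#!/bin/sh
# Added example (not from the mod): list DocumentDB clusters below the
# control's threshold and raise their backup retention period.
MIN_DAYS=7   # threshold this control checks

# Hypothetical helper: print identifiers of clusters under MIN_DAYS.
# The engine filter keeps other cluster engines out of the result.
short_retention_clusters() {
    aws docdb describe-db-clusters \
        --filters Name=engine,Values=docdb \
        --query 'DBClusters[].[DBClusterIdentifier,BackupRetentionPeriod]' \
        --output text |
    while read -r id days; do
        # Skip blank or non-numeric rows instead of failing the comparison.
        case $days in ''|*[!0-9]*) continue ;; esac
        if [ "$days" -lt "$MIN_DAYS" ]; then
            echo "$id"
        fi
    done
}

# Hypothetical helper: dry run by default; set DRY_RUN=0 to apply.
raise_retention() {
    short_retention_clusters | while read -r id; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would set $id to $MIN_DAYS days"
        else
            aws docdb modify-db-cluster \
                --db-cluster-identifier "$id" \
                --backup-retention-period "$MIN_DAYS" \
                >/dev/null </dev/null &&
            echo "set $id to $MIN_DAYS days"
        fi
    done
}

# Run only when asked, so sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    raise_retention
fi
```

After applying the change, re-run the control to confirm the clusters report `ok`.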

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_docdb_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_docdb_2 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when backup_retention_period >= 7 then 'ok'
    else 'alarm'
  end as status,
  title || ' backup retention period is ' || backup_retention_period || ' day(s).' as reason,
  region,
  account_id
from
  aws_docdb_cluster;
