Json Yaml Backup Retention Period Zero
Description
Identifies AWS RDS database resources (instances and clusters) that have automated backups disabled. When automated backups are not enabled, there is a risk of data loss since no automatic point-in-time recovery is available in case of failures or incidents.
Detection Strategy
• Scans CloudFormation template files for RDS resource definitions (AWS::RDS::DBCluster or AWS::RDS::DBInstance)
• Checks if the BackupRetentionPeriod property is set to 0 or is missing
• Reports a vulnerability if an RDS resource is found without automated backups enabled
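The detection strategy above, as an added example that is not part of the original page or of Fluid Attacks' own scanner: a checker that walks the Resources section of a loaded CloudFormation template and reports every RDS cluster or instance whose BackupRetentionPeriod is 0 or absent. The sample template is constructed here in CloudFormation JSON form so the block runs without third-party libraries; a YAML template parsed with a CloudFormation-aware loader (intrinsic tags such as !Ref registered) would feed the same function. Values given as intrinsic functions are skipped, since they cannot be judged statically.

```python
import json

# Resource types the check inspects (from the page's detection strategy).
RDS_TYPES = {"AWS::RDS::DBCluster", "AWS::RDS::DBInstance"}

# Constructed sample template: a cluster mirroring the page's vulnerable
# example, an instance with the property omitted entirely, a cluster
# mirroring the secure example, and a non-RDS resource that must be ignored.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "MyDBCluster": {
      "Type": "AWS::RDS::DBCluster",
      "Properties": {"DatabaseName": "mydb", "BackupRetentionPeriod": 0,
                     "Engine": "aurora", "StorageEncrypted": false}
    },
    "LegacyInstance": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {"DBInstanceClass": "db.t3.micro", "Engine": "mysql"}
    },
    "SafeCluster": {
      "Type": "AWS::RDS::DBCluster",
      "Properties": {"DatabaseName": "mydb", "BackupRetentionPeriod": 7,
                     "Engine": "aurora", "StorageEncrypted": true}
    },
    "Bucket": {"Type": "AWS::S3::Bucket"}
  }
}
""")


def find_rds_without_backups(template):
    """Return (logical_id, type, reason) for every RDS resource whose
    BackupRetentionPeriod is 0 or missing; other resources are ignored."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if not isinstance(res, dict) or res.get("Type") not in RDS_TYPES:
            continue
        props = res.get("Properties") or {}
        period = props.get("BackupRetentionPeriod")
        if period is None:
            findings.append((logical_id, res["Type"], "BackupRetentionPeriod missing"))
        elif isinstance(period, dict):
            # Intrinsic function (Ref, Fn::Sub, ...): the value is only known
            # at deploy time, so it cannot be judged statically here.
            continue
        elif str(period).strip() == "0":
            findings.append((logical_id, res["Type"], "BackupRetentionPeriod is 0"))
    return findings
```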
Vulnerable code example
```yaml
Resources:
  MyDBCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      DatabaseName: mydb
      BackupRetentionPeriod: 0 # Vulnerable: Backups disabled, no disaster recovery
      Engine: aurora
      StorageEncrypted: false # Vulnerable: Unencrypted storage
```
✅ Secure code example
```yaml
Resources:
  MyDBCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      DatabaseName: mydb
      BackupRetentionPeriod: 7 # Enabled 7-day backup retention for disaster recovery
      Engine: aurora
      StorageEncrypted: true # Enabled encryption at rest for data protection
```