Terraform Backup Retention Period Zero
Description
Detects when AWS RDS instances or clusters have automated backups disabled by setting backup_retention_period to 0. This creates a significant data protection risk since no automated backup copies are maintained, which could lead to data loss in disaster recovery scenarios.
Detection Strategy
• Check Terraform configuration files for AWS RDS resource blocks (aws_rds_cluster or aws_db_instance)
• Look for backup_retention_period attribute within these resource blocks
• Report a vulnerability if backup_retention_period is explicitly set to 0
• A resource is considered secure if backup_retention_period is set to a positive value or is omitted so the AWS default applies
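The detection strategy above as a small text-level scan over Terraform source, added here as an example rather than Fluid Attacks' own checker; the sample configuration and the function names are constructed for illustration:

```python
import re

# Constructed sample Terraform (not from the page): the first block disables
# automated backups, the second keeps 7 days, the third relies on the AWS default.
SAMPLE_TF = """
resource "aws_db_instance" "insecure_db" {
  engine                  = "mysql"
  backup_retention_period = 0
}
resource "aws_rds_cluster" "secure_cluster" {
  engine                  = "aurora-mysql"
  backup_retention_period = 7
}
resource "aws_db_instance" "default_backups" {
  engine = "postgres"
}
"""

RDS_TYPES = {"aws_db_instance", "aws_rds_cluster"}
HEADER_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
RETENTION_RE = re.compile(r'^\s*backup_retention_period\s*=\s*(\S+)', re.M)

def _block_body(text, start):
    """Return the text inside the brace block whose '{' is at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in Terraform source")

def find_zero_retention(tf_source):
    """Return (type, name) for RDS blocks that set backup_retention_period = 0.
    A missing attribute means the AWS default (not reported); non-literal values
    such as variables are skipped since this text-level check cannot evaluate them."""
    findings = []
    for m in HEADER_RE.finditer(tf_source):
        rtype, rname = m.group(1), m.group(2)
        if rtype not in RDS_TYPES:
            continue
        body = _block_body(tf_source, m.end() - 1)  # m.end() - 1 is the '{'
        if any(v.strip('"') == "0" for v in RETENTION_RE.findall(body)):
            findings.append((rtype, rname))
    return findings
```

Only the first block is reported; the cluster with a 7-day retention and the instance that leaves the attribute unset pass, matching the strategy's rules.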
Vulnerable code example
resource "aws_db_instance" "insecure_db" {
  engine                  = "mysql"
  instance_class          = "db.t3.micro"
  name                    = "mydb"
  username                = "admin"
  password                = "hardcoded_password123" # Unsafe: Credentials should not be hardcoded
  backup_retention_period = 0 # Unsafe: disables automated backups, so no restore point exists
}
Secure code example
resource "aws_secretsmanager_secret" "db_password" {
  name = "db/password"
}

resource "aws_secretsmanager_secret_version" "db_password" {
  secret_id = aws_secretsmanager_secret.db_password.id
  secret_string = jsonencode({
    password = var.db_password # Password provided via variables, not hardcoded
  })
}