Detection rules › Panther
AWS RDS Instance Backup
This Policy ensures that RDS Instances have Backups enabled. Backups are an important aspect of disaster recovery that can protect sensitive data from destruction.
Rule body yaml
AnalysisType: policy
Filename: aws_rds_instance_backup.py
PolicyID: "AWS.RDS.InstanceBackup"
DisplayName: "AWS RDS Instance Backup"
Enabled: true
ResourceTypes:
- AWS.RDS.Instance
Tags:
- AWS
- Availability
Severity: Medium
Description: >
This Policy ensures that RDS Instances have Backups enabled. Backups are an important aspect
of disaster recovery that can protect sensitive data from destruction.
Runbook: >
https://docs.runpanther.io/alert-runbooks/built-in-policies/aws-rds-instance-has-backups-enabled
Reference: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html
Tests:
- Name: RDS Instance Backup Disabled
ExpectedResult: false
Resource:
{
"AllocatedStorage": 20,
"AssociatedRoles": null,
"AutoMinorVersionUpgrade": true,
"AvailabilityZone": "us-west-2a",
"BackupRetentionPeriod": 0,
"CACertificateIdentifier": "rds-ca-2015",
"CharacterSetName": null,
"CopyTagsToSnapshot": false,
"DBClusterIdentifier": null,
"DBInstanceArn": "arn:aws:rds:us-west-2:123456789012:db:example-instance",
"DBInstanceClass": "db.m4.xlarge",
"DBInstanceIdentifier": "example-instance",
"DBInstanceStatus": "available",
"DBName": "db_1",
"DBParameterGroups":
[
{
"DBParameterGroupName": "default.mysql5.7",
"ParameterApplyStatus": "in-sync",
},
],
"DBSecurityGroups": null,
"DBSubnetGroup":
{
"DBSubnetGroupArn": null,
"DBSubnetGroupDescription": "default",
"DBSubnetGroupName": "default",
"SubnetGroupStatus": "Complete",
"Subnets":
[
{
"SubnetAvailabilityZone": { "Name": "us-west-2b" },
"SubnetIdentifier": "subnet-111222333",
"SubnetStatus": "Active",
},
{
"SubnetAvailabilityZone": { "Name": "us-west-2d" },
"SubnetIdentifier": "subnet-444555666",
"SubnetStatus": "Active",
},
],
"VpcId": "vpc-111222333",
},
"DbInstancePort": 0,
"DbiResourceId": "db-ABCDEFGHIJKLMNOP",
"DeletionProtection": false,
"DomainMemberships": null,
"EnabledCloudwatchLogsExports": null,
"Endpoint":
{
"Address": "example-instance.abcdefghijkl.us-west-2.rds.amazonaws.com",
"HostedZoneId": "ABCDEF1234",
"Port": 3306,
},
"Engine": "mysql",
"EngineVersion": "5.7.22",
"EnhancedMonitoringResourceArn": null,
"IAMDatabaseAuthenticationEnabled": false,
"InstanceCreateTime": "2019-01-01T00:00:00.000Z",
"Iops": null,
"KmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/111222333",
"LatestRestorableTime": "2019-01-01T00:00:00Z",
"LicenseModel": "general-public-license",
"ListenerEndpoint": null,
"MasterUsername": "superuser",
"MaxAllocatedStorage": null,
"MonitoringInterval": 0,
"MonitoringRoleArn": null,
"MultiAZ": false,
"OptionGroupMemberships":
[{ "OptionGroupName": "default:mysql-5-7", "Status": "in-sync" }],
"PendingModifiedValues":
{
"AllocatedStorage": null,
"BackupRetentionPeriod": null,
"CACertificateIdentifier": null,
"DBInstanceClass": null,
"DBInstanceIdentifier": null,
"DBSubnetGroupName": null,
"EngineVersion": null,
"Iops": null,
"LicenseModel": null,
"MasterUserPassword": null,
"MultiAZ": null,
"PendingCloudwatchLogsExports": null,
"Port": null,
"ProcessorFeatures": null,
"StorageType": null,
},
"PerformanceInsightsEnabled": false,
"PerformanceInsightsKMSKeyId": null,
"PerformanceInsightsRetentionPeriod": null,
"PreferredBackupWindow": "07:31-08:01",
"PreferredMaintenanceWindow": "thu:12:02-thu:12:32",
"ProcessorFeatures": null,
"PromotionTier": null,
"PubliclyAccessible": true,
"ReadReplicaDBClusterIdentifiers": null,
"ReadReplicaDBInstanceIdentifiers": null,
"ReadReplicaSourceDBInstanceIdentifier": null,
"SecondaryAvailabilityZone": null,
"SnapshotAttributes":
[
{
"DBSnapshotAttributes":
[{ "AttributeName": "restore", "AttributeValues": null }],
"DBSnapshotIdentifier": "rds:example-instance-2019-01-01-07-36",
},
{
"DBSnapshotAttributes":
[{ "AttributeName": "restore", "AttributeValues": null }],
"DBSnapshotIdentifier": "rds:example-instance-2019-01-08-07-36",
},
],
"StatusInfos": null,
"StorageEncrypted": true,
"StorageType": "gp2",
"TdeCredentialArn": null,
"Timezone": null,
"VpcSecurityGroups":
[{ "Status": "active", "VpcSecurityGroupId": "sg-112233" }],
}
- Name: RDS Instance Backup Enabled
ExpectedResult: true
Resource:
{
"AllocatedStorage": 20,
"AssociatedRoles": null,
"AutoMinorVersionUpgrade": true,
"AvailabilityZone": "us-west-2a",
"BackupRetentionPeriod": 7,
"CACertificateIdentifier": "rds-ca-2015",
"CharacterSetName": null,
"CopyTagsToSnapshot": false,
"DBClusterIdentifier": null,
"DBInstanceArn": "arn:aws:rds:us-west-2:123456789012:db:example-instance",
"DBInstanceClass": "db.m4.xlarge",
"DBInstanceIdentifier": "example-instance",
"DBInstanceStatus": "available",
"DBName": "db_1",
"DBParameterGroups":
[
{
"DBParameterGroupName": "default.mysql5.7",
"ParameterApplyStatus": "in-sync",
},
],
"DBSecurityGroups": null,
"DBSubnetGroup":
{
"DBSubnetGroupArn": null,
"DBSubnetGroupDescription": "default",
"DBSubnetGroupName": "default",
"SubnetGroupStatus": "Complete",
"Subnets":
[
{
"SubnetAvailabilityZone": { "Name": "us-west-2b" },
"SubnetIdentifier": "subnet-111222333",
"SubnetStatus": "Active",
},
{
"SubnetAvailabilityZone": { "Name": "us-west-2d" },
"SubnetIdentifier": "subnet-444555666",
"SubnetStatus": "Active",
},
],
"VpcId": "vpc-111222333",
},
"DbInstancePort": 0,
"DbiResourceId": "db-ABCDEFGHIJKLMNOP",
"DeletionProtection": false,
"DomainMemberships": null,
"EnabledCloudwatchLogsExports": null,
"Endpoint":
{
"Address": "example-instance.abcdefghijkl.us-west-2.rds.amazonaws.com",
"HostedZoneId": "ABCDEF1234",
"Port": 3306,
},
"Engine": "mysql",
"EngineVersion": "5.7.22",
"EnhancedMonitoringResourceArn": null,
"IAMDatabaseAuthenticationEnabled": false,
"InstanceCreateTime": "2019-01-01T00:00:00.000Z",
"Iops": null,
"KmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/111222333",
"LatestRestorableTime": "2019-01-01T00:00:00Z",
"LicenseModel": "general-public-license",
"ListenerEndpoint": null,
"MasterUsername": "superuser",
"MaxAllocatedStorage": null,
"MonitoringInterval": 0,
"MonitoringRoleArn": null,
"MultiAZ": false,
"OptionGroupMemberships":
[{ "OptionGroupName": "default:mysql-5-7", "Status": "in-sync" }],
"PendingModifiedValues":
{
"AllocatedStorage": null,
"BackupRetentionPeriod": null,
"CACertificateIdentifier": null,
"DBInstanceClass": null,
"DBInstanceIdentifier": null,
"DBSubnetGroupName": null,
"EngineVersion": null,
"Iops": null,
"LicenseModel": null,
"MasterUserPassword": null,
"MultiAZ": null,
"PendingCloudwatchLogsExports": null,
"Port": null,
"ProcessorFeatures": null,
"StorageType": null,
},
"PerformanceInsightsEnabled": false,
"PerformanceInsightsKMSKeyId": null,
"PerformanceInsightsRetentionPeriod": null,
"PreferredBackupWindow": "07:31-08:01",
"PreferredMaintenanceWindow": "thu:12:02-thu:12:32",
"ProcessorFeatures": null,
"PromotionTier": null,
"PubliclyAccessible": true,
"ReadReplicaDBClusterIdentifiers": null,
"ReadReplicaDBInstanceIdentifiers": null,
"ReadReplicaSourceDBInstanceIdentifier": null,
"SecondaryAvailabilityZone": null,
"SnapshotAttributes":
[
{
"DBSnapshotAttributes":
[{ "AttributeName": "restore", "AttributeValues": null }],
"DBSnapshotIdentifier": "rds:example-instance-2019-01-01-07-36",
},
{
"DBSnapshotAttributes":
[{ "AttributeName": "restore", "AttributeValues": null }],
"DBSnapshotIdentifier": "rds:example-instance-2019-01-08-07-36",
},
],
"StatusInfos": null,
"StorageEncrypted": true,
"StorageType": "gp2",
"TdeCredentialArn": null,
"Timezone": null,
"VpcSecurityGroups":
[{ "Status": "active", "VpcSecurityGroupId": "sg-112233" }],
}
Detection logic
Condition
BackupRetentionPeriod not ne "0"
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
BackupRetentionPeriod | ne | 0 |