AWS securityhub documentation change
Summary
Added new control [RDS.50] requiring minimum backup retention period for RDS DB clusters
Security assessment
The change adds documentation for a new security control related to backup retention periods, which supports recovery resilience but does not directly address an active security vulnerability. While backups are important for disaster recovery, there is no evidence this change addresses a specific security weakness or exploit.
Diff
diff --git a/securityhub/latest/userguide/rds-controls.md b/securityhub/latest/userguide/rds-controls.md index e2d17509d..ef5ef32f7 100644 --- a//securityhub/latest/userguide/rds-controls.md +++ b//securityhub/latest/userguide/rds-controls.md @@ -5 +5 @@ -[RDS.1] RDS snapshot should be private[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration[RDS.3] RDS DB instances should have encryption at-rest enabled[RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest[RDS.5] RDS DB instances should be configured with multiple Availability Zones[RDS.6] Enhanced monitoring should be configured for RDS DB instances[RDS.7] RDS clusters should have deletion protection enabled[RDS.8] RDS DB instances should have deletion protection enabled[RDS.9] RDS DB instances should publish logs to CloudWatch Logs[RDS.10] IAM authentication should be configured for RDS instances[RDS.11] RDS instances should have automatic backups enabled[RDS.12] IAM authentication should be configured for RDS clusters[RDS.13] RDS automatic minor version upgrades should be enabled[RDS.14] Amazon Aurora clusters should have backtracking enabled[RDS.15] RDS DB clusters should be configured for multiple Availability Zones[RDS.16] Aurora DB clusters should be configured to copy tags to DB snapshots[RDS.17] RDS DB instances should be configured to copy tags to snapshots[RDS.18] RDS instances should be deployed in a VPC[RDS.19] Existing RDS event notification subscriptions should be configured for critical cluster events[RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events[RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events[RDS.22] An RDS event notifications subscription should be configured for critical database security group events[RDS.23] RDS instances should not use a database engine default port[RDS.24] RDS Database clusters should use a custom administrator username[RDS.25] RDS database instances should use a custom administrator username[RDS.26] RDS DB instances should be protected by a backup plan[RDS.27] RDS DB clusters should be encrypted at rest[RDS.28] RDS DB clusters should be tagged[RDS.29] RDS DB cluster snapshots should be tagged[RDS.30] RDS DB instances should be tagged[RDS.31] RDS DB security groups should be tagged[RDS.32] RDS DB snapshots should be tagged[RDS.33] RDS DB subnet groups should be tagged[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs[RDS.38] RDS for PostgreSQL DB instances should be encrypted in transit[RDS.39] RDS for MySQL DB instances should be encrypted in transit[RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs[RDS.41] RDS for SQL Server DB instances should be encrypted in transit[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs[RDS.43] RDS DB proxies should require TLS encryption for connections[RDS.44] RDS for MariaDB DB instances should be encrypted in transit[RDS.45] Aurora MySQL DB clusters should have audit logging enabled[RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways[RDS.47] RDS for PostgreSQL DB clusters should be configured to copy tags to DB snapshots[RDS.48] RDS for MySQL DB clusters should be configured to copy tags to DB snapshots +[RDS.1] RDS snapshot should be private[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration[RDS.3] RDS DB instances should have encryption at-rest enabled[RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest[RDS.5] RDS DB instances should be configured with multiple Availability Zones[RDS.6] Enhanced monitoring should be configured for RDS DB instances[RDS.7] RDS clusters should have deletion protection enabled[RDS.8] RDS DB instances should have deletion protection enabled[RDS.9] RDS DB instances should publish logs to CloudWatch Logs[RDS.10] IAM authentication should be configured for RDS instances[RDS.11] RDS instances should have automatic backups enabled[RDS.12] IAM authentication should be configured for RDS clusters[RDS.13] RDS automatic minor version upgrades should be enabled[RDS.14] Amazon Aurora clusters should have backtracking enabled[RDS.15] RDS DB clusters should be configured for multiple Availability Zones[RDS.16] Aurora DB clusters should be configured to copy tags to DB snapshots[RDS.17] RDS DB instances should be configured to copy tags to snapshots[RDS.18] RDS instances should be deployed in a VPC[RDS.19] Existing RDS event notification subscriptions should be configured for critical cluster events[RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events[RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events[RDS.22] An RDS event notifications subscription should be configured for critical database security group events[RDS.23] RDS instances should not use a database engine default port[RDS.24] RDS Database clusters should use a custom administrator username[RDS.25] RDS database instances should use a custom administrator username[RDS.26] RDS DB instances should be protected by a backup plan[RDS.27] RDS DB clusters should be encrypted at rest[RDS.28] RDS DB clusters should be tagged[RDS.29] RDS DB cluster snapshots should be tagged[RDS.30] RDS DB instances should be tagged[RDS.31] RDS DB security groups should be tagged[RDS.32] RDS DB snapshots should be tagged[RDS.33] RDS DB subnet groups should be tagged[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs[RDS.38] RDS for PostgreSQL DB instances should be encrypted in transit[RDS.39] RDS for MySQL DB instances should be encrypted in transit[RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs[RDS.41] RDS for SQL Server DB instances should be encrypted in transit[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs[RDS.43] RDS DB proxies should require TLS encryption for connections[RDS.44] RDS for MariaDB DB instances should be encrypted in transit[RDS.45] Aurora MySQL DB clusters should have audit logging enabled[RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways[RDS.47] RDS for PostgreSQL DB clusters should be configured to copy tags to DB snapshots[RDS.48] RDS for MySQL DB clusters should be configured to copy tags to DB snapshots[RDS.50] RDS for MySQL RDS DB clusters should have enough backup retention period set @@ -1334,0 +1335,26 @@ For information about configuring an Amazon RDS for MySQL DB cluster to automati +## [RDS.50] RDS for MySQL RDS DB clusters should have enough backup retention period set + +**Category:** Recover > Resilience > Backups enabled + +**Severity:** Medium + +**Resource type:** `AWS::RDS::DBCluster` + +**AWS Config rule:** [rds-cluster-backup-retention-check](https://docs.aws.amazon.com/config/latest/developerguide/rds-cluster-backup-retention-check.html) + +**Schedule type:** Change triggered + +**Parameters:** + +Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value +---|---|---|---|--- +`minimumBackupRetentionPeriod` | The minimum backup retention period in days for the control to check | Integer | `7` to `35` | `7` + +This control checks whether an RDS DB cluster has a minimum backup retention period. The control fails if the backup retention period is less than the specified parameter value. Unless you provide a custom parameter value, Security Hub uses a default value of 7 days. + +This control checks whether an RDS DB cluster has a minimum backup retention period. The control fails if the backup retention period is less than the specified parameter value. Unless you provide a customer parameter value, Security Hub uses a default value of 7 days. This control applies to all types of RDS DB clusters including Aurora DB cluster, DocumentDB clusters, NeptuneDB clusters, etc. + +### Remediation + +To configure the backup retention period for an RDS DB cluster, modify the cluster settings and set the backup retention period to at least 7 days (or the value specified in the control parameter). For detailed instructions, see [Backup retention period](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.BackupRetention.html) in the _Amazon Relational Database Service User Guide_. For Aurora DB clusters, see [Overview of backing up and restoring an Aurora DB cluster](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Managing.Backups.html) in the _Amazon Aurora User Guide for Aurora_. For other type of DB clusters (e.g. DocumentDB clusters), see the corresponding service user guide for how to update the backup retention period for the cluster. +