Ensure AWS Redshift Snapshot Retention Policy is more than 7 days

MEDIUM

Description

Redshift takes automated snapshots of cluster data when a retention period is set. Regulations on retention periods vary; however, a minimum of at least 7 days is common, so that data remains available should the source become unavailable.

Remediation

For automated snapshots created in the AWS Console, a retention period is set by default and it cannot be changed. However, you can create a copy of any snapshot and set a custom retention period for the copy; to do this, follow the steps in the AWS Console section. In Terraform, the automated snapshot retention period can be altered directly; to do this, follow the steps in the Terraform section.

In AWS Console -

  1. Sign in to the AWS Console and open the Redshift Console.
  2. On the navigation bar under Clusters choose Snapshots.
  3. Check the box next to the snapshot you wish to copy, then in the Actions drop down, select Copy automated snapshot.
  4. Set the retention period as needed.

In Terraform -

  1. In the aws_redshift_cluster resource, set the 'automated_snapshot_retention_period' attribute to 35 (the value is a number of days).
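The check this rule performs, written as an added example (not the policy engine's own code): it scans Terraform source for aws_redshift_cluster resources and flags any whose automated_snapshot_retention_period is 0 (automated snapshots disabled), below the 7-day minimum from the description, or omitted. The sample HCL is constructed; the 1-day fallback for an omitted attribute is an assumption based on the provider's documented default.

```python
import re

MIN_RETENTION_DAYS = 7      # minimum named in this policy's description
DEFAULT_RETENTION_DAYS = 1  # assumed provider default when the attribute is omitted

# Constructed sample: one compliant cluster, one with snapshots disabled,
# one that relies on the default.
SAMPLE_TF = """
resource "aws_redshift_cluster" "analytics" {
  cluster_identifier                  = "analytics"
  node_type                           = "dc2.large"
  automated_snapshot_retention_period = 35
}

resource "aws_redshift_cluster" "staging" {
  cluster_identifier                  = "staging"
  node_type                           = "dc2.large"
  automated_snapshot_retention_period = 0
}

resource "aws_redshift_cluster" "legacy" {
  cluster_identifier = "legacy"
  node_type          = "dc2.large"
}
"""

# Matches each aws_redshift_cluster block up to its closing brace on its own line.
RESOURCE_RE = re.compile(
    r'resource\s+"aws_redshift_cluster"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}',
    re.DOTALL,
)
ATTR_RE = re.compile(r'^\s*automated_snapshot_retention_period\s*=\s*(\d+)', re.MULTILINE)


def retention_days(body: str) -> int:
    """Configured retention for one resource body, or the assumed default if omitted."""
    m = ATTR_RE.search(body)
    return int(m.group(1)) if m else DEFAULT_RETENTION_DAYS


def check_redshift_retention(tf_source: str, minimum: int = MIN_RETENTION_DAYS) -> dict:
    """Map each cluster name to a finding string, or None when it is compliant."""
    findings = {}
    for res in RESOURCE_RE.finditer(tf_source):
        name, days = res.group("name"), retention_days(res.group("body"))
        if days == 0:
            findings[name] = "automated snapshots disabled (retention 0)"
        elif days < minimum:
            findings[name] = f"retention {days}d is below the {minimum}d minimum"
        else:
            findings[name] = None
    return findings
```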

References:
https://docs.aws.amazon.com/redshift/latest/mgmt/managing-snapshots-console.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster#automated_snapshot_retention_period

Policy Details

Rule Reference ID: AC_AWS_0422
CSP: AWS
Remediation Available: Yes
Resource Category: Database
Resource Type: Redshift

Frameworks