More Info:

This rule checks if a backup plan has a backup rule that satisfies the retention period. The rule is NON_COMPLIANT if recovery points are not created at least as often as the specified frequency or expire before the specified period.

Risk Level

High

Address

Configuration

Compliance Standards

CBP,RBI_MD_ITF,RBI_UCB

Remediation

Using Console

To remediate the misconfiguration of not having a retention period set for the backup plan in AWS EC2 using the AWS console, follow these steps:

  1. Login to AWS Console: Go to the AWS Management Console (https://aws.amazon.com/console/) and login using your credentials.

  2. Navigate to AWS Backup Service: In the AWS Management Console, search for “Backup” in the services search bar and click on “Backup” under the “Storage” category.

  3. Select Backup Plans: In the AWS Backup console, click on “Backup plans” in the left-hand navigation pane.

  4. Edit Backup Plan: Find the backup plan that needs to have a retention period set and click on the plan name to select it.

  5. Add Retention Period: In the details of the backup plan, locate the section where you can set the retention period. Click on the “Edit” button next to the retention settings.

  6. Set Retention Period: Enter the desired retention period in days for the backups to be retained. This can vary depending on your organization’s retention policies.

  7. Save Changes: After setting the retention period, click on the “Save” or “Update” button to save the changes to the backup plan.

  8. Verify Configuration: Double-check the backup plan details to ensure that the retention period has been successfully set.

By following these steps, you have successfully remediated the misconfiguration of not having a retention period set for the backup plan in AWS EC2 using the AWS console.

Using CLI

To remediate the misconfiguration of not having a retention period set for the backup plan in AWS EC2 using AWS CLI, follow these steps:

  1. List Backup Plans: First, list all the existing backup plans to identify the one that needs to be updated. You can use the following AWS CLI command:

    aws backup list-backup-plans

  2. Update Backup Plan: Once you have identified the backup plan that needs to be updated, you can use the following AWS CLI command to update the backup plan with a retention period:

    aws backup update-backup-plan --backup-plan-id <backup-plan-id> --lifecycle ResourceType=EC2,DeleteAfterDays=<retention-period>

    Replace <backup-plan-id> with the ID of the backup plan that needs to be updated and <retention-period> with the number of days you want to retain the backups.

  3. Verify: Finally, verify that the retention period has been set successfully by listing the details of the updated backup plan using the following AWS CLI command:

    aws backup get-backup-plan --backup-plan-id <backup-plan-id>

    This command will display the details of the backup plan, including the retention period for EC2 resources.

By following these steps, you can remediate the misconfiguration of not having a retention period set for the backup plan in AWS EC2 using AWS CLI.

Using Python

To remediate the misconfiguration of not having a retention period set for the backup plan in AWS EC2 using Python, you can follow these steps:

  1. Install the AWS SDK for Python (Boto3) if you haven’t already. You can install it using pip:

    pip install boto3

  2. Write a Python script to update the backup plan with the desired retention period. Here is an example script to set a retention period of 30 days for a backup plan in AWS EC2:

import boto3

# Initialize the EC2 client
client = boto3.client('backup')

# Specify the Backup Plan Id for which you want to update the retention period
backup_plan_id = 'your_backup_plan_id_here'

# Specify the desired retention period in days
retention_period = 30

# Update the backup plan with the new retention period
response = client.update_backup_plan(
    BackupPlanId=backup_plan_id,
    BackupPlan={
        'BackupPlanName': 'YourBackupPlanName',
        'Rules': [
            {
                'RuleName': 'DefaultBackupRule',
                'TargetBackupVaultName': 'Default',
                'ScheduleExpression': 'cron(0 0 * * ? *)',
                'StartWindowMinutes': 60,
                'CompletionWindowMinutes': 60,
                'Lifecycle': {
                    'DeleteAfterDays': retention_period
                }
            }
        ]
    }
)

# Print the response
print(response)

  1. Replace 'your_backup_plan_id_here' with the actual Backup Plan Id that you want to update.

  2. Replace 'YourBackupPlanName' with the name of your backup plan.

  3. Run the Python script to update the backup plan with the specified retention period.

After running this script, the backup plan in AWS EC2 will be updated with the specified retention period, ensuring that backups are retained for the desired duration.