# Step 1: Evidence Details

|System|Source of data|Frameworks|Purpose|
|---|---|---|---|
|aws|compliancecow|-|Verify DB Retention Period|

```
Purpose: Enabling RDS backups provides a safeguard against data loss by creating automated backups of your database, ensuring business continuity in case of accidental deletion or system failure. Setting a minimum retention policy control ensures that backups are retained for a specified minimum duration, allowing for reliable recovery points and compliance with data retention requirements.
```

```
RecommendedEvidenceName: VerifyDBRetentionPeriod
```
**Description:** Retrieve the list of RDS DB instances and keep only those whose status is 'available'. Prompt the user to input a value for 'MinimumRequiredRetentionPeriod'. Then, for each instance, validate whether database backup is enabled (a 'BackupRetentionPeriod' of 0 means automated backups are off) and verify that its 'BackupRetentionPeriod' is at least the input value.

**Reference:** https://docs.aws.amazon.com/config/latest/developerguide/db-instance-backup-enabled.html

**Default Value:**
MinimumRequiredRetentionPeriod = 30 <br>
Region = [us-west-2]

# Step 2: Define the System Specific Data (a.k.a Extended Data Schema)

In [None]:
# AWS Example
 [
		{
			"AllocatedStorage": 20,
			"AssociatedRoles": null,
			"AutoMinorVersionUpgrade": true,
			"Region": "us-west-2",
			"AvailabilityZone": "us-west-2a",
			"BackupRetentionPeriod": 8,
			"CACertificateIdentifier": "rds-ca-rsa2048-g1",
			"CharacterSetName": null,
			"CopyTagsToSnapshot": true,
			"DBClusterIdentifier": null,
			"DBInstanceArn": "arn:aws:rds:us-west-2:022654265366:db:dev-db",
			"DBInstanceClass": "db.t3.micro",
			"DBInstanceIdentifier": "dev-db",
			"DBInstanceStatus": "available",
			"DBName": "devdb",
			"DBParameterGroups": [
				{
					"DBParameterGroupName": "default.postgres16",
					"ParameterApplyStatus": "in-sync"
				}
			],
			"DBSecurityGroups": null,
			"DBSubnetGroup": {
				"DBSubnetGroupArn": null,
				"DBSubnetGroupDescription": "Created from the RDS Management Console",
				"DBSubnetGroupName": "default-vpc-d123a83e7a1b",
				"SubnetGroupStatus": "Complete",
				"Subnets": [
					{
						"SubnetAvailabilityZone": {
							"Name": "us-west-2d"
						},
						"SubnetIdentifier": "subnet-400bda814ac1",
						"SubnetStatus": "Active"
					},
					{
						"SubnetAvailabilityZone": {
							"Name": "us-west-2b"
						},
						"SubnetIdentifier": "subnet-218214bc7680",
						"SubnetStatus": "Active"
					},
					{
						"SubnetAvailabilityZone": {
							"Name": "us-west-2c"
						},
						"SubnetIdentifier": "subnet-fc2e7aebcd95",
						"SubnetStatus": "Active"
					},
					{
						"SubnetAvailabilityZone": {
							"Name": "us-west-2a"
						},
						"SubnetIdentifier": "subnet-49a1003e64ff",
						"SubnetStatus": "Active"
					}
				],
				"VpcId": "vpc-24183f926a4e"
			},
			"DbInstancePort": 0,
			"DbiResourceId": "db-SVNPC5335YC53YMCXMG5TZ2O7N",
			"DeletionProtection": false,
			"DomainMemberships": null,
			"EnabledCloudwatchLogsExports": null,
			"Endpoint": {
				"Address": "dev-db.clpnruen78da.us-west-2.rds.amazonaws.com",
				"HostedZoneId": "Z1VBNI0B657C1W",
				"Port": 5432
			},
			"Engine": "postgres",
			"EngineVersion": "16.1",
			"EnhancedMonitoringResourceArn": null,
			"IAMDatabaseAuthenticationEnabled": false,
			"InstanceCreateTime": "2024-02-29T05:56:06.418Z",
			"Iops": null,
			"KmsKeyId": "arn:aws:kms:us-west-2:022654265366:key/3f5007ba-bc26-4c70-bb05-66ae4d2b73e0",
			"LatestRestorableTime": "2024-02-29T07:19:30Z",
			"LicenseModel": "postgresql-license",
			"ListenerEndpoint": null,
			"MasterUsername": "postgres",
			"MaxAllocatedStorage": 1000,
			"MonitoringInterval": 0,
			"MonitoringRoleArn": null,
			"MultiAZ": false,
			"OptionGroupMemberships": [
				{
					"OptionGroupName": "default:postgres-16",
					"Status": "in-sync"
				}
			],
			"PendingModifiedValues": {
				"AllocatedStorage": null,
				"BackupRetentionPeriod": null,
				"CACertificateIdentifier": null,
				"DBInstanceClass": null,
				"DBInstanceIdentifier": null,
				"DBSubnetGroupName": null,
				"EngineVersion": null,
				"Iops": null,
				"LicenseModel": null,
				"MasterUserPassword": null,
				"MultiAZ": null,
				"PendingCloudwatchLogsExports": null,
				"Port": null,
				"ProcessorFeatures": null,
				"StorageType": null
			},
			"PerformanceInsightsEnabled": false,
			"PerformanceInsightsKMSKeyId": null,
			"PerformanceInsightsRetentionPeriod": null,
			"PreferredBackupWindow": "09:24-09:54",
			"PreferredMaintenanceWindow": "fri:07:11-fri:07:41",
			"ProcessorFeatures": null,
			"PromotionTier": null,
			"PubliclyAccessible": false,
			"ReadReplicaDBClusterIdentifiers": null,
			"ReadReplicaDBInstanceIdentifiers": null,
			"ReadReplicaSourceDBInstanceIdentifier": null,
			"SecondaryAvailabilityZone": null,
			"StatusInfos": null,
			"StorageEncrypted": true,
			"StorageType": "gp2",
			"TdeCredentialArn": null,
			"Timezone": null,
			"VpcSecurityGroups": [
				{
					"Status": "active",
					"VpcSecurityGroupId": "sg-303e4d9829a5"
				}
			]
		}
]

# Step 3: Define the Standard Schema

In [None]:
{
    # Meta
    "System": "aws",
    "Source": "compliancecow",

    # Resource info
    "ResourceID": "arn:aws:rds:us-west-2:022654265366:db:dev-db", # From Data 'DBInstanceArn'
    "ResourceName": "dev-db", # From Data 'DBInstanceArn'
    "ResourceType": "AWS::RDS::DBInstance",
    "ResourceLocation": "us-west-2", # From Data 'Region'
    "ResourceTags": null,
    "ResourceURL": "https://us-west-2.console.aws.amazon.com/rds/home?region=us-west-2#database:id=dev-db",

    # Data
    "MinimumRequiredRetentionPeriod": 7,
    "ActualRetentionPeriod": 8,
    "IsBackupEnabled": true,
    "MeetsMinimumRetentionRequirement": true,

    # Compliance details
    "ValidationStatusCode": "BK_EN_MN_RT_PS",
    "ValidationStatusNotes": "The DB backup feature is enabled and meets the expected retention period",
    "ComplianceStatus": "COMPLIANT",
    "ComplianceStatusReason": "The RDS backups meet the minimum retention period requirements, ensuring compliance, data integrity, and support for long-term analysis.",
    "EvaluatedTime": "2024-02-29T05:56:06.418Z",

    # User editable data
    "UserAction": "",

    # Action editable data
    "ActionStatus": "",
    "ActionResponseURL": ""
}

# Step 3.a: Sample Data

|System|Source|ResourceID|ResourceName|ResourceType|ResourceLocation|ResourceTags|ResourceURL|MinimumRequiredRetentionPeriod|ActualRetentionPeriod|IsBackupEnabled|MeetsMinimumRetentionRequirement|ValidationStatusCode|ValidationStatusNotes|ComplianceStatus|ComplianceStatusReason|EvaluatedTime|UserAction|ActionStatus|ActionResponseURL|
|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|
|aws|compliancecow|arn:aws:rds:us-west-2:022654265366:db:dev-db|dev-db|AWS::RDS::DBInstance|us-west-2|null|https://us-west-2.console.aws.amazon.com/rds/home?region=us-west-2#database:id=dev-db|7|8|true|true|BK_EN_MN_RT_PS|The DB backup feature is enabled and meets the expected retention period|COMPLIANT|The RDS backups meet the minimum retention period requirements, ensuring compliance, data integrity, and support for long-term analysis.|2024-02-29T05:56:06.418Z||||
|aws|compliancecow|arn:aws:rds:us-west-2:022654265366:db:test-db|test-db|AWS::RDS::DBInstance|us-west-2|null|https://us-west-2.console.aws.amazon.com/rds/home?region=us-west-2#database:id=test-db|7|5|true|false|BK_EN_MN_RT_NP|Backup is enabled but does not meet the expected retention period|NON_COMPLIANT|The record is non-compliant because RDS backup does not meet the expected retention period. RDS backups must meet minimum retention periods to preserve data integrity, comply with regulations, and enable long-term analysis.|2024-02-29T05:57:06.418Z||||
|aws|compliancecow|arn:aws:rds:us-west-2:022654265366:db:prod-db|prod-db|AWS::RDS::DBInstance|us-west-2|null|https://us-west-2.console.aws.amazon.com/rds/home?region=us-west-2#database:id=prod-db|7||false|false|BK_DS|Backup is disabled|NON_COMPLIANT|The record is non-compliant because the DB backup feature is disabled. Taking RDS backups is advisable to protect data against loss, enable point-in-time recovery, and ensure compliance with industry regulations.|2024-02-29T05:58:06.418Z||||

# Step 4: Describe the Compliance Taxonomy

|ValidationStatusCode|ValidationStatusNotes|ComplianceStatus|ComplianceStatusReason|
|---|---|---|---|
|BK_EN_MN_RT_PS|The DB backup feature is enabled and meets the expected retention period|COMPLIANT|The RDS backups meet the minimum retention period requirements, ensuring compliance, data integrity, and support for long-term analysis.|
|BK_EN_MN_RT_NP|Backup is enabled but does not meet the expected retention period|NON_COMPLIANT|The record is non-compliant because RDS backup does not meet the expected retention period. RDS backups must meet minimum retention periods to preserve data integrity, comply with regulations, and enable long-term analysis.|
|BK_DS|Backup is disabled|NON_COMPLIANT|The record is non-compliant because the DB backup feature is disabled. Taking RDS backups is advisable to protect data against loss, enable point-in-time recovery, and ensure compliance with industry regulations.|

# Step 5: Calculation for Compliance Percentage and Status

In [None]:
# Calculation of Compliance Percentage

TotalCount = Count of 'COMPLIANT' and 'NON_COMPLIANT' records
CompliantCount = Count of 'COMPLIANT' records

CompliancePCT = (CompliantCount / TotalCount) * 100

Compliance Status
COMPLIANT - 100%
NON_COMPLIANT - 0% to less than 100%
NOT_DETERMINED - If no records are found in the account
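The evaluation in Steps 1, 4 and 5, worked through as an added example (this is not ComplianceCow's own rule code). The input records are constructed samples trimmed to the DescribeDBInstances fields the rule reads; the 'available' filter, the taxonomy codes and the percentage formula are the ones defined above.

```python
# Added example, not ComplianceCow's own code: applies the VerifyDBRetentionPeriod rule
# (keep 'available' instances, check backups are on, compare retention) and the Step 5 summary.

def db(name, status, retention):
    """Build a trimmed DescribeDBInstances record (constructed sample data, not real)."""
    return {"DBInstanceIdentifier": name, "DBInstanceStatus": status,
            "BackupRetentionPeriod": retention, "Region": "us-west-2",
            "DBInstanceArn": f"arn:aws:rds:us-west-2:022654265366:db:{name}"}

# Mirrors the three rows of the sample data, plus one stopped instance the filter must skip
SAMPLE_INSTANCES = [db("dev-db", "available", 8), db("test-db", "available", 5),
                    db("prod-db", "available", 0), db("old-db", "stopped", 30)]

# ValidationStatusCode -> (ComplianceStatus, ValidationStatusNotes) from the taxonomy table
TAXONOMY = {
    "BK_EN_MN_RT_PS": ("COMPLIANT", "The DB backup feature is enabled and meets the expected retention period"),
    "BK_EN_MN_RT_NP": ("NON_COMPLIANT", "Backup is enabled but does not meet the expected retention period"),
    "BK_DS": ("NON_COMPLIANT", "Backup is disabled"),
}

def evaluate_instance(inst, minimum):
    """Map one RDS instance to a standard-schema record (the Step 3 fields the rule derives)."""
    actual = inst.get("BackupRetentionPeriod") or 0  # RDS reports 0 when automated backups are off
    enabled = actual > 0
    meets = enabled and actual >= minimum
    code = "BK_DS" if not enabled else "BK_EN_MN_RT_PS" if meets else "BK_EN_MN_RT_NP"
    status, notes = TAXONOMY[code]
    return {"System": "aws", "Source": "compliancecow",
            "ResourceID": inst["DBInstanceArn"], "ResourceName": inst["DBInstanceIdentifier"],
            "ResourceType": "AWS::RDS::DBInstance", "ResourceLocation": inst["Region"],
            "MinimumRequiredRetentionPeriod": minimum,
            "ActualRetentionPeriod": actual if enabled else None,
            "IsBackupEnabled": enabled, "MeetsMinimumRetentionRequirement": meets,
            "ValidationStatusCode": code, "ValidationStatusNotes": notes,
            "ComplianceStatus": status}

def evaluate_all(instances, minimum):
    """Only instances whose DBInstanceStatus is 'available' are evaluated."""
    return [evaluate_instance(i, minimum) for i in instances
            if i.get("DBInstanceStatus") == "available"]

def compliance_summary(records):
    """Step 5: percentage over COMPLIANT + NON_COMPLIANT records, and the overall status."""
    total = sum(r["ComplianceStatus"] in ("COMPLIANT", "NON_COMPLIANT") for r in records)
    if total == 0:
        return 0.0, "NOT_DETERMINED"
    pct = 100 * sum(r["ComplianceStatus"] == "COMPLIANT" for r in records) / total
    return pct, "COMPLIANT" if pct == 100 else "NON_COMPLIANT"
```

With the sample set and a minimum of 7 days, `evaluate_all` yields the same three codes as the sample data table and `compliance_summary` reports 33.3% / NON_COMPLIANT.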

# Step 6: Describe (in words) the Remediation Steps for Non-Compliance

In [None]:
DB instance backup is not enabled
We've identified that the backup feature for the RDS instance << RDSinstance >> does not meet the compliance criteria.
Ensuring proper backup and retention settings for RDS instances is critical for data protection, disaster recovery preparedness, and regulatory compliance.
Please review the link and follow the steps below: https://console.aws.amazon.com/rds/home?region=<<region>>#database:id=<<dbinstance>>.
To enable RDS backups and set the retention criteria, follow these steps:
Access the AWS Management Console
-> Navigate to the RDS dashboard
-> Locate the target RDS instance: cc-dev-db
-> In the 'Backup' tab, click 'Modify' to adjust the retention period
-> Set the retention period to meet or exceed the minimum requirement of 30 days
-> Save the changes to update the retention settings.

# Step 7: Control Setup Details

| Control Details            |                               |
|----------------------------|-------------------------------|
| **RuleName**               | VerifyDBRetentionPeriod       |
| **PreRequisiteRuleNames**  | -                             |
| **ExtendedSchemaRuleNames**| -                             |
| **ApplicationClassName**   | AWSAppConnector               |
| **PostSynthesizerName**    |                               |