Compliance Medium severity

AWS Security Hub · DocumentDB

DocumentDB.2: DocumentDB adequate backup retention

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub DocumentDB.2 check?

DocumentDB.2 checks that a cluster's backup retention period meets a configured minimum. It reports FAILED when the period is below the threshold — the `minimumBackupRetentionPeriod` parameter defaults to 7 days (accepting 7 to 35), while a new cluster defaults to just 1 day.

Why does DocumentDB.2 matter?

Backup retention is the difference between a quick recovery and permanent data loss. Logical corruption, an accidental mass delete, a buggy migration, or a ransomware event often isn't noticed for days — a one-day point-in-time-recovery window gives no margin, whereas a 7-to-35-day window turns most of those incidents into a routine point-in-time restore instead of a disaster.

How do I fix DocumentDB.2?

  1. Inventory every cluster's current retention period.
  2. Decide the right window per system rather than blanket-setting one value — critical stores warrant longer.
  3. Raise `BackupRetentionPeriod` in place with `modify-db-cluster`; the change is online with no downtime.
  4. Bake the retention floor into provisioning templates so new clusters don't ship at the 1-day default.
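The four steps above, carried out against DocumentDB clusters themselves, as an added example that is not emnode's remediation script: it inventories clusters with `aws docdb describe-db-clusters`, works out a per-system window (a floor for everyone, optional longer windows for critical stores), and raises `BackupRetentionPeriod` online with `aws docdb modify-db-cluster`. The two `aws docdb` commands are real CLI operations; the `DOCDB_RETENTION_FLOOR`, `DOCDB_RETENTION_OVERRIDES` and `DOCDB_APPLY` variables and the "cluster-id=days" override format are this example's own conventions.

```shell
#!/usr/bin/env bash
# Added example, not emnode's remediation script. Walks the four steps above for
# Amazon DocumentDB clusters: inventory, choose a per-system window, raise
# BackupRetentionPeriod in place with `aws docdb modify-db-cluster`.
set -eu

# Account-wide floor; 7 matches the control's default minimumBackupRetentionPeriod.
FLOOR="${DOCDB_RETENTION_FLOOR:-7}"
# Per-system overrides for stores that warrant more, as "cluster-id=days" pairs,
# e.g. "ledger-prod=35 orders-prod=14". (This env-var format is assumed here.)
OVERRIDES="${DOCDB_RETENTION_OVERRIDES:-}"

# target_retention <cluster-id>: print the retention this cluster should have.
# An override wins, but never below the floor and never above the 35-day
# maximum DocumentDB accepts.
target_retention() {
  local id want kv
  id="$1"; want="$FLOOR"
  for kv in $OVERRIDES; do
    if [ "${kv%%=*}" = "$id" ]; then want="${kv#*=}"; fi
  done
  if [ "$want" -lt "$FLOOR" ]; then want="$FLOOR"; fi
  if [ "$want" -gt 35 ]; then want=35; fi
  echo "$want"
}

# needs_raise <current-days> <target-days>: true when retention is below target.
needs_raise() { [ "$1" -lt "$2" ]; }

# plan: read "cluster-id<TAB>current-days" lines on stdin (the shape that
# `--output text` produces below) and print "cluster-id current target" for
# every cluster below its target; compliant clusters are skipped.
plan() {
  local tab id current target
  tab="$(printf '\t')"
  while IFS="$tab" read -r id current; do
    [ -n "$id" ] && [ -n "$current" ] || continue
    target="$(target_retention "$id")"
    if needs_raise "$current" "$target"; then
      printf '%s %s %s\n' "$id" "$current" "$target"
    fi
  done
}

# Step 1: inventory every cluster's current retention via the DocumentDB API.
inventory() {
  aws docdb describe-db-clusters \
    --query 'DBClusters[].[DBClusterIdentifier,BackupRetentionPeriod]' \
    --output text
}

# Step 3: raise retention in place. The modification is online; no downtime.
apply_plan() {
  local id current target
  while read -r id current target; do
    echo "raising $id from $current to $target days"
    aws docdb modify-db-cluster --db-cluster-identifier "$id" \
      --backup-retention-period "$target" --apply-immediately
  done
}

# Only call AWS when asked: DOCDB_APPLY=plan previews, DOCDB_APPLY=yes applies.
# Left unset, the script just defines the functions (offline use and tests).
case "${DOCDB_APPLY:-}" in
  plan) inventory | plan ;;
  yes)  inventory | plan | apply_plan ;;
  *)    ;;
esac
```

Run it once with `DOCDB_APPLY=plan` to see which clusters would change and to what, then with `DOCDB_APPLY=yes` to apply; `--apply-immediately` starts the wider window now rather than at the next maintenance window. Re-running the plan afterwards should print nothing, which is the verification that every cluster now meets its target; that only covers existing clusters, so step 4 (a retention floor in the provisioning template) is still needed for new ones.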

Remediation script · bash

# Set a 7-day backup floor on production databases below it (skip read replicas).
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?ReadReplicaSourceDBInstanceIdentifier==`null` && BackupRetentionPeriod<`7`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --backup-retention-period 7 --no-apply-immediately
done

# Turn on DynamoDB point-in-time recovery (instant, no downtime).
aws dynamodb update-continuous-backups --table-name prod-orders \
  --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true

# Stop any snapshot in the account from being shared publicly, ever.
aws ec2 enable-snapshot-block-public-access --state block-all-sharing

Full walkthrough (console steps, edge cases and verification) in the lesson Configure backups and retention.

Part of the learning path Lock down access