Compliance · Medium severity

AWS Security Hub · RDS

RDS.11: RDS instances should have automatic backups

Written and reviewed by Emnode

What does AWS Security Hub RDS.11 check?

RDS.11 evaluates whether an RDS DB instance has automated backups enabled with an adequate retention period. It reports FAILED when backups are off (retention 0) or below the threshold — the Security Hub default is 7 days, configurable from 7 to 35 via the backupRetentionMinimum parameter. Read replicas are excluded, as their backups follow the source instance.
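As an added example (not Emnode's code or Security Hub's implementation), the RDS.11 decision reproduced in Python over a constructed describe-db-instances payload, so you can test a threshold against an inventory offline; the function names and sample instance identifiers are assumptions, the field names are those of the real DBInstance object.

```python
from typing import Iterable

# Security Hub's default threshold for RDS.11; backupRetentionMinimum
# can raise it, within the 7..35 range the control accepts.
DEFAULT_BACKUP_RETENTION_MINIMUM = 7


def evaluate_rds_11(db_instances: Iterable[dict],
                    backup_retention_minimum: int = DEFAULT_BACKUP_RETENTION_MINIMUM) -> dict:
    """Return {DBInstanceIdentifier: "PASSED" | "FAILED" | "NOT_APPLICABLE"}.

    `db_instances` is the DBInstances list as returned by
    `aws rds describe-db-instances` (or boto3 describe_db_instances()).
    """
    if not 7 <= backup_retention_minimum <= 35:
        raise ValueError("backupRetentionMinimum must be between 7 and 35")
    results = {}
    for db in db_instances:
        ident = db["DBInstanceIdentifier"]
        # Read replicas follow their source instance's backups, so the
        # control skips them instead of reporting them as failures.
        if db.get("ReadReplicaSourceDBInstanceIdentifier"):
            results[ident] = "NOT_APPLICABLE"
            continue
        # A missing or zero BackupRetentionPeriod means backups are off.
        retention = db.get("BackupRetentionPeriod", 0)
        results[ident] = "PASSED" if retention >= backup_retention_minimum else "FAILED"
    return results


def needs_remediation(results: dict) -> list:
    """The identifiers a remediation loop should raise to the floor."""
    return sorted(ident for ident, status in results.items() if status == "FAILED")


# Constructed sample shaped like a describe-db-instances response (not real data).
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-prod", "BackupRetentionPeriod": 14},
    {"DBInstanceIdentifier": "quickstart-dev", "BackupRetentionPeriod": 0},
    {"DBInstanceIdentifier": "reporting", "BackupRetentionPeriod": 3},
    {"DBInstanceIdentifier": "orders-prod-replica", "BackupRetentionPeriod": 0,
     "ReadReplicaSourceDBInstanceIdentifier": "orders-prod"},
]

if __name__ == "__main__":
    findings = evaluate_rds_11(SAMPLE_DB_INSTANCES)
    for ident, status in findings.items():
        print(f"{ident}: {status}")
    print("to remediate:", needs_remediation(findings))
```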

Why does RDS.11 matter?

Automated backups combine a daily snapshot with continuously archived transaction logs to give point-in-time recovery within the retention window. A retention of zero disables all of it: no daily snapshot, nothing to roll back to after a bad migration or a fat-fingered DELETE. It is rarely a deliberate choice: usually a quick-start default left unchanged, or someone disabling backups to silence a small storage cost without realising they had traded a few cents of storage for the ability to recover at all.

How do I fix RDS.11?

  1. Set a retention period with modify-db-instance --backup-retention-period 7 (or higher to meet your RPO).
  2. Confirm the backup window falls in a low-traffic period.
  3. Default a sensible retention into IaC templates so new instances are recoverable from creation.
  4. Sign off any genuine zero-retention exception in writing.

Remediation script · bash

# Raise retention to a 7-day floor on every instance currently below it (read replicas are skipped; they follow their source).
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?ReadReplicaSourceDBInstanceIdentifier==`null` && BackupRetentionPeriod<`7`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --backup-retention-period 7 --no-apply-immediately
done

# Turn on DynamoDB point-in-time recovery (instant, no downtime).
aws dynamodb update-continuous-backups --table-name prod-orders \
  --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true

# Stop any snapshot in the account from being shared publicly, ever.
aws ec2 enable-snapshot-block-public-access --state block-all-sharing

Full walkthrough (console steps, edge cases and verification) in the lesson Configure backups and retention.

Is RDS.11 a false positive?

Backup storage up to the size of the database is free, so disabling backups to "save money" is a false economy — the cost of having them on is usually a rounding error, while the cost of having them off only appears as an unrecoverable data-loss event.
