RDS.26: RDS instances should be in a backup plan

What does AWS Security Hub RDS.26 check?

RDS.26 checks whether each standalone RDS DB instance is assigned to an AWS Backup plan. It runs on a periodic schedule and reports FAILED for any instance that no backup plan protects. It excludes Neptune and DocumentDB instances and RDS instances that are members of a cluster.

Why does RDS.26 matter?

This is not the same as RDS.11. An instance can pass RDS.11 with a healthy seven-day automated-backup window and still fail RDS.26, because RDS's own automated backups are managed per-instance and tied to that instance's lifecycle — delete the instance and, after the final snapshot window, they are gone. AWS Backup is a separate, centralised policy layer that survives the resource and gives one place to define frequency, retention, cross-Region/cross-account copies, and Vault Lock immutability. Resilience you cannot see centrally is resilience you cannot trust.

How do I fix RDS.26?

1. Create or reuse an AWS Backup plan with a suitable frequency and retention.
2. Assign the RDS instance to the plan via a resource assignment (by tag or by ARN).
3. Confirm a backup job runs successfully against the instance.
4. Use tag-based assignment so new instances are protected automatically.

# Set a 7-day backup floor on production databases below it (skip read replicas).
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?ReadReplicaSourceDBInstanceIdentifier==`null` && BackupRetentionPeriod<`7`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --backup-retention-period 7 --no-apply-immediately
done

# Turn on DynamoDB point-in-time recovery (instant, no downtime).
aws dynamodb update-continuous-backups --table-name prod-orders \
  --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true

# Stop any snapshot in the account from being shared publicly, ever.
aws ec2 enable-snapshot-block-public-access --state block-all-sharing