WAF++

WAF-REL-040 – Backup & Recovery Validation

Description

All production databases MUST configure automated backups with retention >= 7 days and Point-in-Time Recovery (PITR). Backups MUST be stored in a separate account or a separate region. Recovery procedures MUST be tested and documented at least quarterly. Untested backups are considered non-existent.

Rationale

Data loss due to accidental deletion, ransomware or corruption is catastrophic without validated recovery procedures. The most common mistake is not missing backups, but an untested recovery procedure that fails in an emergency due to outdated instructions, missing keys or non-existent target infrastructure.

Threat Context

Risk – Description

Ransomware – A backup kept in the same account as the production data is encrypted at the same time as the data.

Accidental Deletion – Without sufficient retention, data whose loss is noticed only after several days cannot be recovered.

Untested Restore – In an emergency the recovery procedure fails at manual steps that were never documented.

RPO Violation – The backup interval is too large: data created between two backups is lost.

Requirement

  • Automated backups: retention >= 7 days for all production databases

  • PITR: enabled for all relational production databases

  • Backup storage: separate AWS account / Azure subscription / GCP project

  • Deletion protection: enabled on all production databases

  • Restore test: quarterly with result documentation (RTO, data integrity)

  • Backup alerts: notification on job failure or aged-out backup

Implementation Guidance

  1. Increase retention: backup_retention_period = 14 – minimum 7, better 14 days

  2. Enable PITR: point_in_time_recovery_enabled = true (GCP), standard for RDS/Azure

  3. Cross-account backup: AWS Backup Plan with copy_action to backup account vault

  4. Deletion protection: deletion_protection = true – prevents accidental deletion

  5. Automate restore test: Script for quarterly automated restore test

  6. Monitoring: CloudWatch Event Rule for failed backup jobs

Maturity Levels

Level – Name – Criteria

1 – No Backups – No automated backups configured.

2 – Backups Present, Untested – Automatic backups active; restore never tested; no cross-account.

3 – PITR + Cross-Account + Tested – PITR enabled; backup in separate account; restore quarterly tested.

4 – Automated Monthly Test – Automated restore test in pipeline; backup integrity checks.

5 – WORM + CDP – Immutable backup storage; continuous data protection; schema-triggered tests.

Terraform Checks

waf-rel-040.tf.aws.rds-backup-retention

Checks: RDS has backup_retention_period >= 7 and deletion_protection = true.

Compliant:

resource "aws_db_instance" "main" {
  identifier              = "payment-db-prod"
  engine                  = "postgres"
  instance_class          = "db.t3.medium"
  backup_retention_period = 14
  backup_window           = "02:00-03:00"
  deletion_protection     = true
  copy_tags_to_snapshot   = true
}

Non-Compliant:

resource "aws_db_instance" "main" {
  identifier              = "payment-db-prod"
  engine                  = "postgres"
  instance_class          = "db.t3.medium"
  backup_retention_period = 1     # WAF-REL-040 Violation
  deletion_protection     = false # WAF-REL-040 Violation
}

Remediation: Set backup_retention_period >= 7 and deletion_protection = true on aws_db_instance.
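The following is an added example, not code from WAF++ itself: a Python policy check that applies this section's rule (and steps 1 and 4 of the Implementation Guidance) to the JSON output of `terraform show -json`, walking every aws_db_instance in the plan, including child modules. The plan embedded at the bottom is constructed to mirror the Compliant and Non-Compliant resources above.

```python
"""WAF-REL-040 check over a `terraform show -json` plan (added example)."""
import json

MIN_RETENTION_DAYS = 7  # control threshold: retention >= 7 days


def iter_resources(module):
    """Yield every planned resource, descending into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_rds_instance(res):
    """Return WAF-REL-040 violations for one aws_db_instance (empty = compliant)."""
    values = res.get("values", {})
    findings = []
    # A missing or null retention means no automated backups: treat it as 0 days.
    retention = values.get("backup_retention_period") or 0
    if retention < MIN_RETENTION_DAYS:
        findings.append(f"backup_retention_period={retention} < {MIN_RETENTION_DAYS}")
    if values.get("deletion_protection") is not True:
        findings.append("deletion_protection is not true")
    return findings


def check_plan(plan_json):
    """Map each non-compliant aws_db_instance address to its list of violations."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    report = {}
    for res in iter_resources(root):
        if res.get("type") == "aws_db_instance":
            findings = check_rds_instance(res)
            if findings:
                report[res["address"]] = findings
    return report


# Constructed sample plan (not real Terraform output): the two instances mirror
# the Compliant / Non-Compliant resources on this page, one inside a child module.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {
    "resources": [{"address": "aws_db_instance.main", "type": "aws_db_instance",
                   "values": {"identifier": "payment-db-prod",
                              "backup_retention_period": 14, "deletion_protection": True}}],
    "child_modules": [{"address": "module.legacy", "resources": [
        {"address": "module.legacy.aws_db_instance.main", "type": "aws_db_instance",
         "values": {"identifier": "payment-db-prod",
                    "backup_retention_period": 1, "deletion_protection": False}}]}],
}}})
```

Run it in CI after `terraform plan -out=tfplan && terraform show -json tfplan > plan.json` and fail the pipeline when `check_plan` returns a non-empty report.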

Evidence

Type – Required – Description

IaC – ✅ Required – Terraform with backup configuration: retention, PITR, cross-account storage.

Process – ✅ Required – Quarterly restore test report: RTO achieved, data integrity validated, signature.

Governance – Optional – RTO/RPO document per workload, reviewed annually.

Config – Optional – Backup monitoring alerts for job failures and aged-out backups.

Regulatory Mapping

Framework – Controls

ISO/IEC 27001:2022
  A.5.15 – Threat intelligence; A.5.16 – Threat classification; A.5.24 – Information security incident management; A.5.25 – Assessment and decision on information security events; A.5.26 – Response to information security incidents

ITIL 4
  SVS – Service value system; DP – Design principle; OV – Operation value chain

AWS Well-Architected Framework
  Reliability Pillar – Prepare; Reliability Pillar – Deploy; Reliability Pillar – Monitor

SRE Book (Google)
  Chapter 4 – Service Level Objectives; Chapter 5 – Eliminating toil; Chapter 6 – Monitoring

CNCF Cloud Native Security
  SLSA – Supply chain Levels for Software Artifacts; SBOM – Software Bill of Materials

BSI C5:2022
  SIM-01 – Security incident management; SIM-02 – Security information and event management

GDPR
  Art. 32 – Security of processing; Art. 33 – Breach notification; Art. 34 – Communication of breach

NIST SP 800-161
  SR-1 – Supply chain risk management; SR-2 – Supplier agreements; SR-3 – Supply chain controls

DORA
  Art. 9 – Protection and prevention; Art. 13 – ICT incident reporting; Art. 17 – Testing of ICT tools

COBIT 2019
  DSS04.01.01 – Ensure service availability; DSS04.01.02 – Ensure service capacity

TISAX
  Information security – Incident response

ANSSI SecNumCloud
  Domain – Incident response; Domain – Business continuity

BIO
  BIO – Incident management; BIO – Business continuity

ENS High
  op.exp.7 – Incident management; op.exp.8 – Business continuity management

UK NCSC CAF
  D1 – Response and recovery planning; D2 – Lessons learned

CMMC 2.0
  IR.L2-3.6.1 – Establish incident handling capability; IR.L2-3.6.2 – Track, document and report incidents

IRAP
  ISM – Incident management; ISM – Business continuity

CCCS PBMM
  IR-4 – Incident handling; IR-8 – Incident response plan

MAS TRM
  Ch.10 – Security incident management; Ch.11 – Business continuity

ISMAP
  Reliability and incident management

FISC
  Operational measures – Incident response

Best Practice