
WAF-REL-040 – Backup & Recovery Validation

Description

All production databases MUST configure automated backups with retention >= 7 days and Point-in-Time Recovery (PITR). Backups MUST be stored in a separate account or a separate region. Recovery procedures MUST be tested and documented at least quarterly. Untested backups are considered non-existent.

Rationale

Data loss due to accidental deletion, ransomware or corruption is catastrophic without validated recovery procedures. The most common mistake is not missing backups, but an untested recovery procedure that fails in an emergency due to outdated instructions, missing keys or non-existent target infrastructure.

Threat Context

| Risk | Description |
| --- | --- |
| Ransomware | Backup in the same account as production data is encrypted simultaneously. |
| Accidental Deletion | Without sufficient retention, data first noticed as missing after days cannot be recovered. |
| Untested Restore | Recovery procedure fails in an emergency at manual steps that were never documented. |
| RPO Violation | Backup interval too large: data created between two backups is lost. |

Requirement

  • Automated backups: retention >= 7 days for all production databases

  • PITR: enabled for all relational production databases

  • Backup storage: separate AWS account / Azure subscription / GCP project

  • Deletion protection: enabled on all production databases

  • Restore test: quarterly with result documentation (RTO, data integrity)

  • Backup alerts: notification on job failure or aged-out backup

Implementation Guidance

  1. Increase retention: backup_retention_period = 14 – minimum 7, better 14 days

  2. Enable PITR: point_in_time_recovery_enabled = true (GCP), standard for RDS/Azure

  3. Cross-account backup: AWS Backup Plan with copy_action to backup account vault

  4. Deletion protection: deletion_protection = true – prevents accidental deletion

  5. Automate restore test: Script for quarterly automated restore test

  6. Monitoring: CloudWatch Event Rule for failed backup jobs

Maturity Levels

| Level | Name | Criteria |
| --- | --- | --- |
| 1 | No Backups | No automated backups configured. |
| 2 | Backups Present, Untested | Automatic backups active; restore never tested; no cross-account. |
| 3 | PITR + Cross-Account + Tested | PITR enabled; backup in separate account; restore quarterly tested. |
| 4 | Automated Monthly Test | Automated restore test in pipeline; backup integrity checks. |
| 5 | WORM + CDP | Immutable backup storage; continuous data protection; schema-triggered tests. |

Terraform Checks

waf-rel-040.tf.aws.rds-backup-retention

Checks: RDS has backup_retention_period >= 7 and deletion_protection = true.

Compliant:

```hcl
resource "aws_db_instance" "main" {
  identifier              = "payment-db-prod"
  engine                  = "postgres"
  instance_class          = "db.t3.medium"
  backup_retention_period = 14
  backup_window           = "02:00-03:00"
  deletion_protection     = true
  copy_tags_to_snapshot   = true
}
```

Non-Compliant:

```hcl
resource "aws_db_instance" "main" {
  identifier              = "payment-db-prod"
  engine                  = "postgres"
  instance_class          = "db.t3.medium"
  backup_retention_period = 1     # WAF-REL-040 Violation
  deletion_protection     = false # WAF-REL-040 Violation
}
```

Remediation: Set backup_retention_period >= 7 and deletion_protection = true on aws_db_instance.
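The check above, evaluated over Terraform's JSON plan output (`terraform show -json`), including resources declared in child modules. This is an added example, not the WAF++ project's own checker; the function names and the sample plan are constructed, and treating an unset or unknown retention as a failure is an assumption.

```python
import json

MIN_RETENTION_DAYS = 7  # retention threshold stated in WAF-REL-040

def iter_resources(module):
    """Yield resources of a plan module and of all nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def check_rds_backup(plan):
    """Return {resource address: [violations]} for each aws_db_instance."""
    findings = {}
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "aws_db_instance":
            continue
        values = res.get("values") or {}
        problems = []
        retention = values.get("backup_retention_period")
        # Assumption: absent/unknown fails (compliance not shown); bool is not a count.
        if isinstance(retention, bool) or not isinstance(retention, int):
            problems.append("backup_retention_period unset or unknown")
        elif retention < MIN_RETENTION_DAYS:
            problems.append(f"backup_retention_period = {retention}, need >= {MIN_RETENTION_DAYS}")
        if values.get("deletion_protection") is not True:
            problems.append("deletion_protection is not true")
        if problems:
            findings[res["address"]] = problems
    return findings

# Constructed sample in the shape of `terraform show -json <planfile>`.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "aws_db_instance.main", "type": "aws_db_instance",
     "values": {"backup_retention_period": 14, "deletion_protection": true}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "values": {}}],
  "child_modules": [{"address": "module.legacy", "resources": [
    {"address": "module.legacy.aws_db_instance.main", "type": "aws_db_instance",
     "values": {"backup_retention_period": 1, "deletion_protection": false}},
    {"address": "module.legacy.aws_db_instance.reports", "type": "aws_db_instance",
     "values": {"backup_retention_period": null, "deletion_protection": true}}]}]
}}}
""")

if __name__ == "__main__":
    for address, problems in check_rds_backup(SAMPLE_PLAN).items():
        print(f"WAF-REL-040 FAIL {address}: {'; '.join(problems)}")
```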

Evidence

| Type | Required | Description |
| --- | --- | --- |
| IaC | ✅ Required | Terraform with backup configuration: retention, PITR, cross-account storage. |
| Process | ✅ Required | Quarterly restore test report: RTO achieved, data integrity validated, signature. |
| Governance | Optional | RTO/RPO document per workload, reviewed annually. |
| Config | Optional | Backup monitoring alerts for job failures and aged-out backups. |