More Info:

This rule checks if a recovery point expires no earlier than after the specified period. The rule is NON_COMPLIANT if the recovery point has a retention point that is less than the required retention period.

Risk Level

Medium

Address

Configuration

Compliance Standards

CBP,RBI_MD_ITF

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration related to Recovery Point Retention for AWS EC2 instances using the AWS Management Console, follow these steps:
  1. Login to AWS Console: Go to the AWS Management Console (https://aws.amazon.com/console/) and log in with your credentials.
  2. Navigate to AWS Backup: In the AWS Management Console, search for “Backup” in the services search bar and click on “AWS Backup” to open the AWS Backup console.
  3. Review Backup Plans: In the AWS Backup console, navigate to the “Backup plans” section on the left-hand side menu.
  4. Select the Backup Plan: Identify the backup plan that is associated with the EC2 instances for which you want to review the Recovery Point Retention.
  5. Edit Backup Plan: Click on the backup plan that you want to review and adjust the Recovery Point Retention settings for. Click on the “Edit” button to modify the backup plan.
  6. Adjust Recovery Point Retention: In the backup plan settings, locate the section related to Recovery Point Retention. Here, you can set the desired retention period for the backups of your EC2 instances. Ensure that the retention period aligns with your organization’s backup and recovery requirements.
  7. Save Changes: Once you have adjusted the Recovery Point Retention settings as per your requirements, click on the “Save Changes” button to apply the modifications to the backup plan.
  8. Monitor Backup Jobs: After updating the Recovery Point Retention settings, monitor the backup jobs to ensure that the backups are being created and retained according to the new configuration.
By following these steps, you can remediate the misconfiguration related to Recovery Point Retention for AWS EC2 instances using the AWS Management Console.

To remediate the issue of Recovery Point Retention in AWS EC2 using AWS CLI, you can follow these steps:Step 1: List all the existing Amazon EC2 Backup plans to identify the retention settings on AWS CLI.
aws backup list-backup-plans
Step 2: Identify the Backup Plan ID that needs to be updated based on the retention settings.
aws backup describe-backup-plan --backup-plan-id <backup-plan-id>
Step 3: Update the Backup Plan with the desired Recovery Point Retention settings. For example, to set the retention to 30 days, you can use the following command:
aws backup update-backup-plan --backup-plan-id <backup-plan-id> --lifecycle DeleteAfterDays=30
Step 4: Verify the updated Backup Plan to ensure the changes have been applied successfully.
aws backup describe-backup-plan --backup-plan-id <backup-plan-id>
By following these steps, you can remediate the issue of Recovery Point Retention in AWS EC2 using AWS CLI by updating the Backup Plan with the desired retention settings.
To remediate the misconfiguration of Recovery Point Retention in AWS EC2 using Python, you can follow these steps:
  1. Install Boto3: Boto3 is the AWS SDK for Python. You can install it using pip: 
    pip install boto3
  2. Write a Python script to update the Recovery Point Retention for EC2 instances. Here is a sample script that sets the Recovery Point Retention to 30 days for all EC2 instances: 
import boto3

def update_recovery_point_retention():
    # Initialize the EC2 client
    ec2_client = boto3.client('ec2')

    # Get all EC2 instances
    instances = ec2_client.describe_instances()

    # Update the Recovery Point Retention for each instance
    for reservation in instances['Reservations']:
        for instance in reservation['Instances']:
            instance_id = instance['InstanceId']
            
            # Update the Recovery Point Retention to 30 days
            response = ec2_client.modify_instance_attribute(
                InstanceId=instance_id,
                DisableApiTermination={
                    'Value': False
                }
            )

            print(f"Recovery Point Retention updated for instance {instance_id}")

if __name__ == '__main__':
    update_recovery_point_retention()
  1. Run the Python script: Save the script in a file (e.g., update_recovery_point_retention.py) and run it using the Python interpreter. Make sure you have the necessary IAM permissions to modify EC2 instances.
This script will update the Recovery Point Retention for all EC2 instances in your AWS account to 30 days. You can modify the script to set a different retention period if needed.Remember to always test scripts in a non-production environment before applying them to production to avoid any unintended consequences.