
DocumentDB clusters should have an adequate backup retention period

A single day of backup retention leaves almost no room for recovery when corruption, accidental deletion, or ransomware goes undetected for more than 24 hours. Seven days gives operations teams a realistic window to identify issues and restore to a known-good snapshot.

DocumentDB automated backups are continuous and incremental, so extending retention from 1 to 7 days adds minimal storage cost relative to the data protection it provides. Skipping this setting is one of the most common oversights in new DocumentDB deployments because the AWS default of 1 day silently passes terraform apply without complaint.

Retrofit consideration

Changing backup_retention_period on a running cluster triggers no downtime, but verify that backup storage costs are acceptable before applying to large clusters.

Implementation

Choose the approach that matches how you manage Terraform.

Use the AWS provider resource directly. See the provider documentation for the resource involved: aws_docdb_cluster.

resource "aws_docdb_cluster" "this" {
  # Set this explicitly: omitting it falls back to the AWS default of 1 day.
  # Any value from 7 through 35 satisfies this control.
  backup_retention_period         = 7
  cluster_identifier              = "pofix-abc123"
  db_subnet_group_name            = "example-docdb-subnet-group"
  enabled_cloudwatch_logs_exports = ["audit", "profiler"]
  # Placeholder credentials for illustration only; inject real values from a
  # secrets store rather than committing them to source control.
  master_password                 = "ChangeMe123!"
  master_username                 = "dbadmin"
  # Convenient for test clusters; production clusters normally want a final
  # snapshot taken on destroy.
  skip_final_snapshot             = true
}

What this control checks

The aws_docdb_cluster resource must have backup_retention_period explicitly set to 7 or higher. If the argument is omitted, the AWS default of 1 day applies and the control fails. Any integer from 7 through 35 (the AWS maximum) passes; values below 7 fail. The preferred_backup_window argument is separate and does not affect this control, but setting it alongside backup_retention_period is worth doing to avoid backup I/O during peak hours.

Common pitfalls

  • AWS default retention is 1 day

    Omitting backup_retention_period from aws_docdb_cluster does not produce a Terraform error. The provider sends no value, AWS defaults to 1, and the control fails silently. Always set the argument explicitly.

  • Terraform plan shows no diff after manual console change

    If someone raises retention to 7 in the AWS console but the Terraform code still declares backup_retention_period = 1, the next terraform apply will revert it. Keep Terraform state and code in sync.

  • Snapshot retention vs. automated backup retention

    Manual snapshots created via aws_docdb_cluster_snapshot persist indefinitely and are not governed by backup_retention_period. This control only evaluates the automated continuous backup window, not manual snapshots.
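The check described under "What this control checks" and the first pitfall above, as an added example that is not part of this control page or any of the listed tools: a small Python checker that applies the rule to `terraform show -json` plan output, treating an omitted or null backup_retention_period as the AWS default of 1 day so the omission fails explicitly instead of silently. The plan JSON embedded below is constructed sample data, not real Terraform output.

```python
import json

AWS_DEFAULT_RETENTION = 1   # applied by AWS when the argument is omitted
MIN_RETENTION = 7           # what this control requires
MAX_RETENTION = 35          # AWS maximum for DocumentDB

def evaluate_retention(value):
    """Return (passes, reason) for one cluster's backup_retention_period."""
    if value is None:           # argument omitted or null in plan: AWS applies 1 day
        value = AWS_DEFAULT_RETENTION
    if not isinstance(value, int):
        return False, f"non-integer value {value!r}"
    if value < MIN_RETENTION:
        return False, f"retention {value} is below {MIN_RETENTION} days"
    if value > MAX_RETENTION:
        return False, f"retention {value} exceeds the AWS maximum of {MAX_RETENTION}"
    return True, f"retention {value} days"

def check_plan(plan):
    """Evaluate every aws_docdb_cluster in `terraform show -json` plan output."""
    results = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_docdb_cluster":
            continue
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:   # gone after apply; nothing to check
            continue
        after = change.get("after") or {}
        passes, reason = evaluate_retention(after.get("backup_retention_period"))
        results.append((rc["address"], passes, reason))
    return results

# Constructed sample plan (not real terraform output): one compliant cluster,
# one that omits the argument, one explicitly set to 3 days.
SAMPLE_PLAN = json.loads("""{
  "resource_changes": [
    {"address": "aws_docdb_cluster.good", "type": "aws_docdb_cluster",
     "change": {"actions": ["create"], "after": {"backup_retention_period": 7}}},
    {"address": "aws_docdb_cluster.omitted", "type": "aws_docdb_cluster",
     "change": {"actions": ["create"], "after": {"cluster_identifier": "x"}}},
    {"address": "aws_docdb_cluster.short", "type": "aws_docdb_cluster",
     "change": {"actions": ["update"], "after": {"backup_retention_period": 3}}}
  ]
}""")

if __name__ == "__main__":
    for address, passes, reason in check_plan(SAMPLE_PLAN):
        print(f"{'PASS' if passes else 'FAIL'} {address}: {reason}")
```

Against a real plan, pipe `terraform show -json tfplan` into `json.load` and pass the result to check_plan; a non-empty list of failing addresses is the signal to block the apply.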

Audit evidence

Auditors expect AWS Config rule evaluation results showing each DocumentDB cluster marked COMPLIANT, or an equivalent report from a CSPM tool. A screenshot of the DocumentDB console showing the "Backup retention period" column at 7 or above across all clusters also works. For a machine-readable list, run aws docdb describe-db-clusters --query "DBClusters[*].{Cluster:DBClusterIdentifier,Retention:BackupRetentionPeriod}". CloudTrail ModifyDBCluster events can confirm when retention was last changed and by whom.

Framework-specific interpretation

PCI DSS v4.0: Seven days of automated backup retention gives incident responders the window Requirement 12.10.1 assumes when it calls for documented backup and recovery procedures. Without a realistic backup horizon, those procedures exist on paper but not in practice.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: docdb_cluster_backup_retention_period_7_days

  • AWS Config Managed Rule: DOCDB_CLUSTER_BACKUP_RETENTION_CHECK

  • Checkov Check: CKV_AWS_360

  • Powerpipe Control: aws_compliance.control.docdb_cluster_backup_retention_period_7_days

  • Prowler Check: documentdb_cluster_backup_enabled

  • AWS Security Hub Control: DocumentDB.2

Last reviewed: 2026-03-09