Checks whether the retention period of each automatic snapshot for an Elastic Compute Service (ECS) instance meets a specified minimum number of days. If the retention period exceeds the threshold, the evaluation result is Compliant.
Scenarios
Automatic snapshots are agentless backups that support disk restoration, image creation, and disaster recovery. If snapshots expire before an incident is detected and remediated, the recovery window may be lost.
Use this rule to verify that your automatic snapshot policies meet your organization's minimum retention requirements.
Risk level
Default risk level: low.
When you apply this rule, you can change the risk level based on your business requirements.
Compliance evaluation logic
If the retention period of each automatic snapshot is greater than the specified number of days, the evaluation result is Compliant.
If the retention period of an automatic snapshot is less than or equal to the specified number of days, the evaluation result is Incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.
Rule details
| Item | Description |
| Rule name | ecs-snapshot-retention-days |
| Rule identifier | ecs-snapshot-retention-days |
| Tag | ECS and Snapshot |
| Automatic remediation | Not supported |
| Trigger type | Configuration change |
| Supported resource type | Automatic snapshot policy |
| Input parameter | days. Default value: 7. Unit: days.Note Separate multiple values with commas (,). |
Incompliance remediation
Update your automatic snapshot policy to set a retention period greater than the minimum specified in Cloud Config. For more information, see Modify policy.