Opportunity Name
RDS Clean up Old manual backups (RdsDeleteOldManualSnapshot)
AWS Resource Type (AWS service name)
Amazon RDS (DB snapshots + DB cluster snapshots)
Opportunity Description
Amazon RDS supports automated backups (which follow a retention policy) and manual snapshots (DB instance snapshots and DB cluster snapshots). Manual snapshots do not expire automatically and continue to incur storage charges until they’re deleted. This CloudFix Finder identifies old manual RDS snapshots that are likely no longer needed and (optionally) cleans them up to reduce ongoing snapshot storage costs. To protect recovery readiness, it also excludes any snapshots that were used for restore operations recently, based on CloudTrail restore events (within a configurable window).
Criteria for identifying the opportunity
CloudFix identifies candidate snapshots using CUR + AWS APIs and then applies validation filters:
Snapshot type & state
- Snapshot must exist (DB snapshot or DB cluster snapshot)
- Snapshot must be manual (SnapshotType = manual)
- Snapshot must be in the available state (exclude creating/copying/restoring/deleting)
Age threshold (N days)
- Snapshot create time is older than N days (SnapshotCreateTime < now - N days)
- Default: N = 90 days (configurable)
Protection / exclusion rules
- Exclude snapshots used for a restore within the last M days, by checking CloudTrail for these events:
  - RestoreDBInstanceFromDBSnapshot
  - RestoreDBClusterFromSnapshot
- Default: M = 30 days (configurable). CloudTrail LookupEvents searches at most the last 90 days, so M cannot usefully exceed 90. Note also that a restore is logged in the CloudTrail of the account that makes the API call, so a restore of a shared snapshot performed from another account does not appear in the owning account's trail.
- Exclude snapshots carrying the CloudFix protection tag (the same tag exemption the Fixer re-checks before deleting)
Cost threshold
- Annualized snapshot cost must be > $100 (based on the CUR-derived amortized estimate in the spec)
Potential Savings (if known)
Savings are the snapshot storage charges avoided after deletion. Manual snapshot storage is billable until the snapshot is deleted, so savings begin accruing as soon as snapshots are removed.
(Note: because manual snapshots are stored incrementally, deleting one snapshot in a chain may free less than its full allocated size, so exact savings can be non-linear; CloudFix reports an estimate based on CUR and/or storage size.)
What happens when the Fixer is Executed?
This opportunity does have a Fixer.
When executed, CloudFix will:
- Re-validate that the snapshot is still manual and available
- Re-check the exclusion rules (tag protection + "recently restored" protection)
- Delete the snapshot:
  - DB instance snapshot: DeleteDBSnapshot
  - DB cluster snapshot: DeleteDBClusterSnapshot
- Mark the resource in tracking mode as deleted (target config: snapshotDeleted = true)
Both delete APIs require the snapshot to be in the available state, so a snapshot whose state changed since the Finder ran fails the re-validation step and is skipped rather than deleted.
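The Fixer steps above as a single function, written for this page as an illustration and not CloudFix's own code. The RDS client is injected so the same logic runs against a real boto3.client("rds") in production and against the small in-memory FakeRds below for an offline dry run; the describe/delete method names and response shapes match the boto3 RDS client. The snapshot names, the tracking-record fields beyond snapshotDeleted, and the protection tag key cloudfix:protect are assumptions for the demo. The set of recently restored identifiers is passed in (it would come from the CloudTrail lookup the Finder performs) rather than recomputed here.

```python
# Fixer logic for one snapshot: an added example, not CloudFix code. The RDS client is
# injected so fix_snapshot() runs unchanged against boto3.client("rds") or FakeRds.
PROTECT_TAG_KEY = "cloudfix:protect"   # assumed exemption tag key, not CloudFix's real one

def _record(sid, deleted, reason):
    """Tracking record; snapshotDeleted mirrors the target config on this page."""
    return {"snapshotId": sid, "snapshotDeleted": deleted, "reason": reason}

def fix_snapshot(rds, sid, is_cluster, recently_restored, dry_run=True):
    """Re-validate, re-check exclusions, then delete. Returns the tracking record."""
    # 1. Fresh describe: the state may have changed since the Finder ran.
    if is_cluster:
        snap = rds.describe_db_cluster_snapshots(DBClusterSnapshotIdentifier=sid)["DBClusterSnapshots"][0]
    else:
        snap = rds.describe_db_snapshots(DBSnapshotIdentifier=sid)["DBSnapshots"][0]
    if snap["SnapshotType"] != "manual":
        return _record(sid, False, "not a manual snapshot")
    if snap["Status"] != "available":          # the delete APIs reject any other state anyway
        return _record(sid, False, f"status is {snap['Status']}, not available")
    # 2. Exclusion rules.
    if any(t["Key"] == PROTECT_TAG_KEY for t in snap.get("TagList", [])):
        return _record(sid, False, "protected by tag")
    if sid in recently_restored:
        return _record(sid, False, "restored within M days")
    # 3. Delete. Irreversible, so a dry run stops here.
    if dry_run:
        return _record(sid, False, "dry run: would delete")
    if is_cluster:
        rds.delete_db_cluster_snapshot(DBClusterSnapshotIdentifier=sid)
    else:
        rds.delete_db_snapshot(DBSnapshotIdentifier=sid)
    return _record(sid, True, "deleted")

class FakeRds:
    """Minimal stand-in for a boto3 RDS client holding constructed snapshot records."""
    def __init__(self, db_snaps, cluster_snaps):
        self.db = {s["DBSnapshotIdentifier"]: s for s in db_snaps}
        self.cluster = {s["DBClusterSnapshotIdentifier"]: s for s in cluster_snaps}
        self.deleted = []
    def describe_db_snapshots(self, DBSnapshotIdentifier):
        return {"DBSnapshots": [self.db[DBSnapshotIdentifier]]}
    def describe_db_cluster_snapshots(self, DBClusterSnapshotIdentifier):
        return {"DBClusterSnapshots": [self.cluster[DBClusterSnapshotIdentifier]]}
    def delete_db_snapshot(self, DBSnapshotIdentifier):
        self.deleted.append(self.db.pop(DBSnapshotIdentifier)["DBSnapshotIdentifier"])
    def delete_db_cluster_snapshot(self, DBClusterSnapshotIdentifier):
        self.deleted.append(self.cluster.pop(DBClusterSnapshotIdentifier)["DBClusterSnapshotIdentifier"])

def sample_client():
    """Constructed account state (not real data)."""
    return FakeRds(
        db_snaps=[
            {"DBSnapshotIdentifier": "app-prod-pre-migration", "SnapshotType": "manual", "Status": "available"},
            {"DBSnapshotIdentifier": "app-prod-copy", "SnapshotType": "manual", "Status": "copying"},
            {"DBSnapshotIdentifier": "app-hold-2023", "SnapshotType": "manual", "Status": "available",
             "TagList": [{"Key": PROTECT_TAG_KEY, "Value": "true"}]},
            {"DBSnapshotIdentifier": "app-dr-2023", "SnapshotType": "manual", "Status": "available"},
        ],
        cluster_snaps=[
            {"DBClusterSnapshotIdentifier": "analytics-cluster-2023q4", "SnapshotType": "manual", "Status": "available"},
        ],
    )

ACCEPTED = [("app-prod-pre-migration", False), ("app-prod-copy", False), ("app-hold-2023", False),
            ("app-dr-2023", False), ("analytics-cluster-2023q4", True)]

def run_fixer(rds, accepted, recently_restored, dry_run=True):
    """Process every accepted (identifier, is_cluster) pair; returns the tracking records."""
    return [fix_snapshot(rds, sid, is_cluster, recently_restored, dry_run) for sid, is_cluster in accepted]

def demo(dry_run=True):
    """Run the sample through the Fixer; returns (tracking records, ids actually deleted)."""
    rds = sample_client()
    records = run_fixer(rds, ACCEPTED, recently_restored={"app-dr-2023"}, dry_run=dry_run)
    return records, rds.deleted

if __name__ == "__main__":
    for rec in demo(dry_run=False)[0]:
        print(rec)
```

Only the two snapshots that pass every gate are deleted; the copying snapshot, the tag-protected one and the recently restored one each come back with snapshotDeleted = false and a reason, which is the record you want in tracking mode. Running with dry_run=True performs the same describe and checks but never calls a delete API, which is the safe way to rehearse a batch before accepting it.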
Is it possible to roll back once CloudFix implements the Fixer?
No. Snapshot deletion is irreversible: once a manual snapshot is deleted it cannot be recovered, and the restore point it represented is gone. This is why the Finder applies strict safety gates (manual-only, available-only, "recent restore" exclusion and tag exemptions) before a deletion is allowed. If you need a safety net for a particular snapshot, tag it for exemption, or copy it with CopyDBSnapshot / CopyDBClusterSnapshot (for example to another region or account) before the Fixer runs.
Can CloudFix implement the fix automatically once I accept the recommendation?
Yes. This is a Finder + Fixer. If the Fixer is enabled in your CloudFix configuration and the CloudFix role holds the required permissions (rds:DeleteDBSnapshot and rds:DeleteDBClusterSnapshot for the deletion, plus cloudtrail:LookupEvents for the recent-restore check), CloudFix deletes eligible snapshots automatically once you accept the recommendation.
Does the fix require downtime?
No. Deleting a manual snapshot does not touch the running DB instance or cluster, so no downtime is required. It does, however, permanently remove that restore point.
Additional Resources
- Managing manual backups (manual snapshot concepts and lifecycle): https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ManagingManualBackups.html
- Deleting a DB snapshot (console/CLI/API guidance): https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteSnapshot.html
- DeleteDBSnapshot API (requirements such as the available state): https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBSnapshot.html
- DeleteDBClusterSnapshot API: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBClusterSnapshot.html
- CloudTrail LookupEvents API (90-day lookup window): https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_LookupEvents.html
Bill Gleeson