Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Enable Default Backup Schedules for Cloud Spanner Instances

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Spanner-002

Ensure that your Google Cloud Platform (GCP) Cloud Spanner instances have default backup schedules enabled to automatically protect new databases with scheduled backups. When enabled, Cloud Spanner automatically creates a full backup every 24 hours for all new databases created in the instance, with backups retained for 7 days by default.

Operational
excellence

By enabling default backup schedules for Cloud Spanner instances, organizations establish a foundational layer of automated data protection that ensures every new database is protected from day one without requiring manual intervention. This automation significantly reduces the risk of data loss due to human error, oversight, or delayed backup configuration, which are common causes of unprotected databases in production environments. Default backup schedules provide a consistent, predictable backup strategy across all databases in an instance, simplifying backup management and ensuring compliance with organizational data retention policies. Additionally, automated backup schedules reduce operational overhead by eliminating the need for administrators to remember to configure backups for each new database, allowing teams to focus on other critical tasks.

Important: While default backup schedules provide automated baseline protection, they may not meet all organizational requirements for recovery point objectives (RPO) or compliance mandates. Organizations should review and customize default backup schedules based on their specific needs, including adjusting backup frequency, retention periods, and encryption settings.

Audit

To determine if your Cloud Spanner instances have default backup schedules enabled, perform the following operations:

Using GCP Console

  1. Sign in to Google Cloud Management Console.

  2. Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

  3. Navigate to Spanner console available at https://console.cloud.google.com/spanner.

  4. In the Instances page, click on the name of the Cloud Spanner instance that you want to examine.

  5. On the instance details page, click the three dots (⋮) in the top bar to open the more actions menu.

  6. Select Edit instance from the dropdown menu.

  7. On the Edit instance page, locate the Backups section and check if the Enable default backup schedules checkbox is checked.

  8. If the Enable default backup schedules checkbox is not checked, the instance does not have default backup schedules enabled and is not compliant. If it is checked, proceed to verify the schedules.

  9. Click Cancel to exit the Edit instance page without making changes.

  10. On the instance details page, navigate to the Backup/Restore section and select the Schedules tab.

  11. If the Schedules tab displays backup schedules, the instance is configured to automatically create default backup schedules for new databases created in the instance.

  12. If both the checkbox is enabled (step 7) and backup schedules are present (step 11), the instance is compliant.

  13. Repeat steps no. 4 – 12 for each Cloud Spanner instance in the selected project.

  14. Repeat steps no. 2 – 13 for each project available within your Google Cloud account.

Using GCP CLI

  1. Run projects list command (Windows/macOS/Linux) to list all the project IDs available in your Google Cloud account:

    gcloud projects list
	--format="table(projectId)"

  2. The command output should return the requested GCP project identifiers:

    PROJECT_ID
cc-spanner-project-112233
cc-database-project-445566

  3. Run spanner instances list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter to list all Cloud Spanner instances in the selected project:

    gcloud spanner instances list
	--project cc-spanner-project-112233
	--format="table(name)"

  4. The command output should return the Cloud Spanner instance names:

    NAME
cc-production-instance
cc-development-instance

  5. Run spanner instances describe command (Windows/macOS/Linux) using the name of the instance that you want to examine:

    gcloud spanner instances describe cc-production-instance
	--project cc-spanner-project-112233
	--format=json

  6. Check the defaultBackupScheduleType attribute value in the command output. If the defaultBackupScheduleType attribute is missing, set to NONE, or not set to AUTOMATIC, the selected Cloud Spanner instance does not have default backup schedules enabled, therefore the instance configuration is not compliant. If the defaultBackupScheduleType attribute is set to AUTOMATIC, the instance is configured to automatically create default backup schedules for new databases.

    {
	"config": "projects/cc-spanner-project-112233/instanceConfigs/regional-us-central1",
	"createTime": "2025-12-01T10:30:00.123456Z",
	"defaultBackupScheduleType": "AUTOMATIC",
	"displayName": "Production Spanner Instance",
	"name": "projects/cc-spanner-project-112233/instances/cc-production-instance",
	"nodeCount": 3,
	"processingUnits": 300,
	"state": "READY"
}

  7. Repeat steps no. 5 – 6 to verify the default backup schedule configuration for other Cloud Spanner instances in the selected project.

  8. Repeat steps no. 3 – 7 for each project available within your Google Cloud account.

Remediation / Resolution

To enable default backup schedules for your Google Cloud Spanner instances, you must update the instance configuration to set the default backup schedule type to automatic. This can be done for both new instances during creation or for existing instances using the update command. Once enabled, all new databases created in the instance will automatically have a default backup schedule that creates full backups every 24 hours with a 7-day retention period. Perform the following operations:

Important: Enabling default backup schedules on an existing Cloud Spanner instance only affects new databases created after the setting is enabled. Existing databases in the instance will not automatically receive default backup schedules; you must manually create backup schedules for existing databases if they do not already have them. The default backup schedule creates full backups every 24 hours and retains them for 7 days. Organizations with different backup frequency or retention requirements should customize the default schedule after enabling it or create custom backup schedules for specific databases. Default backup schedules can be edited or deleted at any time after creation. Backup schedules incur storage costs based on the size and number of backups retained, so organizations should monitor backup storage usage and costs.

Using GCP Console

  1. Sign in to Google Cloud Management Console.

  2. Select the Google Cloud Platform (GCP) project that contains the Cloud Spanner instance you want to update from the console top navigation bar.

  3. Navigate to Spanner console available at https://console.cloud.google.com/spanner.

  4. In the Instances page, click on the name of the Cloud Spanner instance that you want to update.

  5. On the instance details page, click the three dots (⋮) in the top bar to open the more actions menu.

  6. Select Edit instance from the dropdown menu.

  7. On the Edit instance page, locate the Backups section.

  8. Check the Enable default backup schedules checkbox to enable automatic backup schedules for new databases.

  9. Click Save to apply the changes to the instance.

  10. Once default backup schedules are enabled, you can configure the settings by navigating to the Backup/Restore section on the instance details side panel menu and clicking on the Schedules tab. The default settings are:

    1. Backup frequency: Full backups every 24 hours
    2. Retention period: 7 days

  11. Verify that the instance configuration has been updated by checking the Schedules tab in the Backup/Restore section for default backup schedules.

  12. Repeat steps no. 4 – 11 for each Cloud Spanner instance that does not have default backup schedules enabled.

  13. Repeat steps no. 2 – 12 for each project available within your Google Cloud account.

Using GCP CLI

  1. Run spanner instances list command (Windows/macOS/Linux) to list all Cloud Spanner instances in the selected project (see Audit section part II to identify instances):

    gcloud spanner instances list
	--project cc-spanner-project-112233
	--format="table(name)"

  2. The command output should return the Cloud Spanner instance names:

    NAME
cc-production-instance
cc-development-instance

  3. Run spanner instances describe command (Windows/macOS/Linux) to check the current default backup schedule configuration for an instance:

    gcloud spanner instances describe cc-production-instance
	--project cc-spanner-project-112233
	--format="json(defaultBackupScheduleType)"

  4. The command output will show the current configuration. If defaultBackupScheduleType is missing or set to NONE, the instance needs remediation:

    {
	"defaultBackupScheduleType": "NONE"
}

  5. Run spanner instances update command (Windows/macOS/Linux) to enable default backup schedules for the non-compliant instance:

    gcloud spanner instances update cc-production-instance
	--default-backup-schedule-type AUTOMATIC
	--project cc-spanner-project-112233

  6. The command output should confirm the instance update:

    Updating instance...done.

  7. Run spanner instances describe command (Windows/macOS/Linux) to verify that default backup schedules are now enabled:

    gcloud spanner instances describe cc-production-instance
	--project cc-spanner-project-112233
	--format="json(defaultBackupScheduleType)"

  8. The command output should confirm that default backup schedules are enabled:

    {
	"defaultBackupScheduleType": "AUTOMATIC"
}

  9. Repeat steps no. 3 – 8 for each Cloud Spanner instance that does not have default backup schedules enabled.

  10. Repeat steps no. 1 – 9 for each project available within your Google Cloud account.

References

Publication date Jan 22, 2026

Related Spanner rules