Enable Immutable Backup Retention

Risk Level: High (not acceptable risk)

Rule ID: OCI-AutonomousAIDatabase-002

Ensure that immutable backup retention is enabled for your Oracle Cloud Infrastructure (OCI) Autonomous AI Databases in order to protect your critical database backups from accidental deletion, malicious attacks, and ransomware.

Security

Enabling immutable backup retention permanently locks the defined backup retention period, thus preventing any user, malicious actor, or process from altering this setting or deleting the backups prematurely. You should leverage this retention lock feature as a vital security measure to safeguard your critical data backups against unauthorized or accidental modifications, deliberate deletion attempts, and sophisticated ransomware threats.

Audit

To determine if immutable backup retention is enabled for your Oracle Cloud Infrastructure (OCI) Autonomous AI Databases, perform the following operations:

Using OCI Console

Sign in to your Oracle Cloud Infrastructure (OCI) account.
Navigate to Autonomous AI Databases console available at https://cloud.oracle.com/db/adbs.
For Applied filters, choose an OCI compartment from the Compartment dropdown menu, to list the Autonomous AI Databases provisioned in the selected compartment.
Click on the name (link) of the Autonomous AI Database that you want to examine, listed in the Display Name column.
Select the Autonomous AI Database information tab to access the backup configuration settings available for the selected database instance.
In the Backup section, choose Edit next to Automatic backup retention period to access the backup retention configuration.
On the Edit backup retention panel, check the Immutable backup retention toggle button to determine the feature status. If the Immutable backup retention button is switched off, immutable backup retention is not enabled for the selected OCI Autonomous AI Database.

Using OCI CLI

Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:
```
oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'
```

The command output should return the requested OCI compartment identifiers (OCIDs):

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

Run db autonomous-database list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each Autonomous AI Database provisioned in the selected OCI compartment:
```
oci db autonomous-database list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query 'data[]."id"'
```

The command output should return the requested database instance IDs:

[
	"ocid1.autonomousdatabase.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.autonomousdatabase.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

Run db autonomous-database get command (Windows/macOS/Linux) with the name of the Autonomous AI Database that you want to examine as the identifier parameter and custom output filters to determine if backup retention is locked for the selected database instance:
```
oci db autonomous-database get
	--autonomous-database-id 'ocid1.autonomousdatabase.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--query 'data."is-backup-retention-locked"'
```
The command output should return the feature status (true for enabled, false for disabled):
```
false
```
If the db autonomous-database get command output returns false, as shown in the output example above, immutable backup retention is not enabled for the selected OCI Autonomous AI Database.

Remediation / Resolution

To ensure that immutable backup retention is enabled for your Oracle Cloud Infrastructure (OCI) Autonomous AI Databases, perform the following operations:

Using OCI Console

Sign in to your Oracle Cloud Infrastructure (OCI) account.
Navigate to Autonomous AI Databases console available at https://cloud.oracle.com/db/adbs.
For Applied filters, choose an OCI compartment from the Compartment dropdown menu, to list the Autonomous AI Databases provisioned in the selected compartment.
Click on the name (link) of the Autonomous AI Database that you want to configure, listed in the Display Name column.
Select the Autonomous AI Database information tab to access the backup configuration settings available for the selected database instance.
In the Backup section, choose Edit next to Automatic backup retention period to access the backup retention configuration.
On the Edit backup retention panel, toggle the Immutable backup retention button to enable immutable backup retention for the selected OCI Autonomous AI Database. Choose Save to apply the changes. This locks the backup retention period, preventing any further changes.

Using OCI CLI

Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:
```
oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'
```

The command output should return the requested OCI compartment identifiers (OCIDs):

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

Run db autonomous-database list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each Autonomous AI Database provisioned in the selected OCI compartment:
```
oci db autonomous-database list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query 'data[]."id"'
```

The command output should return the requested database instance IDs:

[
	"ocid1.autonomousdatabase.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.autonomousdatabase.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

Run db autonomous-database update command (Windows/macOS/Linux) with the name of the Autonomous AI Database that you want to configure as the identifier parameter, to enable immutable backup retention for the selected database instance. This locks the backup retention period, preventing any further changes:
```
oci db autonomous-database update
	--autonomous-database-id 'ocid1.autonomousdatabase.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--is-backup-retention-locked true
```

The command output should return the configuration information available for the modified database instance:

{
	"data": {
		"allocated-storage-size-in-tbs": 0.0078125,
		"are-primary-whitelisted-ips-used": null,
		"auto-refresh-frequency-in-seconds": null,
		"auto-refresh-point-lag-in-seconds": null,
		"autonomous-container-database-id": null,
		"autonomous-maintenance-schedule-type": "REGULAR",
		"availability-domain": "ABCD:AP-SYDNEY-1-AD-1",
		"failed-data-recovery-in-seconds": null,
		"freeform-tags": {},
		"id": "ocid1.autonomousdatabase.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"in-memory-area-in-gbs": null,
		"in-memory-percentage": null,
		"infrastructure-type": null,
		"is-access-control-enabled": null,
		"is-auto-scaling-enabled": true,
		"is-auto-scaling-for-storage-enabled": true,
		"is-backup-retention-locked": true,
		"is-data-guard-enabled": true,
		"is-dedicated": false,
		"is-dev-tier": null,
		"is-free-tier": false,
		"is-local-data-guard-enabled": false,
		"is-mtls-connection-required": true,
		"is-preview": false,
		"is-reconnect-clone-enabled": false,
		"is-refreshable-clone": null,
		"is-remote-data-guard-enabled": false,
		"key-store-wallet-name": null,
		"kms-key-id": "ORACLE_MANAGED_KEY",

		...

		"license-model": "LICENSE_INCLUDED",
		"lifecycle-details": null,
		"lifecycle-state": "UPDATING",
		"local-adg-auto-failover-max-data-loss-limit": null,
		"local-disaster-recovery-type": "BACKUP_BASED",
		"time-data-guard-role-changed": null,
		"time-deletion-of-free-autonomous-database": null,
		"time-disaster-recovery-role-changed": null,
		"time-earliest-available-db-version-upgrade": "2025-12-13T14:10:00+00:00",
		"time-latest-available-db-version-upgrade": "2025-12-13T13:40:00+00:00",
		"time-local-data-guard-enabled": "2025-12-13T09:27:58.721000+00:00",
		"time-maintenance-begin": "2025-12-15T06:00:00+00:00",
		"time-maintenance-end": "2025-12-15T08:00:00+00:00",
		"time-of-auto-refresh-start": null,
		"time-of-joining-resource-pool": null,
		"time-of-last-failover": null,
		"time-of-last-refresh": null,
		"time-of-last-refresh-point": null,
		"time-of-last-switchover": null,
		"time-of-next-refresh": null,
		"time-reclamation-of-free-autonomous-database": null,
		"time-scheduled-db-version-upgrade": null,
		"time-undeleted": null,
		"time-until-reconnect-clone-enabled": null,
		"total-backup-storage-size-in-gbs": 0.0,
		"used-data-storage-size-in-gbs": null,
		"used-data-storage-size-in-tbs": null,
		"vanity-connection-urls": null,
	},
	"etag": "abcd1234",
	"opc-work-request-id": "ocid1.coreservicesworkrequest.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
}

References

Oracle Cloud Infrastructure Documentation
Backup and Restore Autonomous AI Database Instances
Edit Automatic Backup Retention Period on Autonomous AI Database

Oracle Cloud Infrastructure CLI Documentation
compartment list
autonomous-database list
autonomous-database get
autonomous-database update

Publication date Dec 3, 2025

Audit

Using OCI Console

Using OCI CLI

Remediation / Resolution

Using OCI Console

Using OCI CLI

References

Related OCI-AutonomousAIDatabase rules