Configure a Backup Compliance Policy
On this page
If you have strict data protection requirements, you can enable a Backup Compliance Policy to protect your backup data.
Important
You Can't Disable a Backup Compliance Policy
After you enable a Backup Compliance Policy, only MongoDB support can disable it with a request from the security or legal representative specified for the Backup Compliance Policy. Only the security or legal representative specified for the Backup Compliance Policy can make this request.
To disable a Backup Compliance Policy, the security or legal representative specified for the Backup Compliance Policy must request support and complete an extensive verification process.
Before you enable a Backup Compliance Policy, carefully review the prohibited actions and considerations. You can re-enable a Backup Compliance Policy at any time.
Prohibited Actions
If you enable a Backup Compliance Policy, no user, regardless of role, can do the following actions:
Disable the Backup Compliance Policy without MongoDB support. To disable a Backup Compliance Policy, the security or legal representative specified for the Backup Compliance Policy must request support and complete an extensive verification process.
Note
The only exception applies to empty projects that contain no active or paused clusters and no retained snapshots from previously terminated clusters. If a project is empty, users with the
Organization Owner
role or theProject Owner
role can disable the Backup Compliance Policy.Modify the backup policy for an individual cluster below the minimum requirements set in the Backup Compliance Policy.
Decrease the retention time for a snapshot after it's taken.
Disable Cloud Backup.
Disable Continuous Cloud Backup if the Backup Compliance Policy has the Require Point in Time Restore to all clusters option set to On without MongoDB Support. To disable Continuous Cloud Backup, the security or legal representative specified for the Backup Compliance Policy must request support and complete an extensive verification process.
Reduce the Continuous Cloud Backup Restore Window without MongoDB Support. To reduce the Continuous Cloud Backup Restore Window, the security or legal representative specified for the Backup Compliance Policy must request support and complete an extensive verification process.
Delete policy items specified in the Backup Compliance Policy without MongoDB Support. To delete policy items specified in the Backup Compliance Policy, the security or legal representative specified for the Backup Compliance Policy must request support and complete an extensive verification process.
Delete the project if any snapshots exist. If you can't remove all projects, you can't delete the organization.
Considerations
After you enable a Backup Compliance Policy, the following behaviors apply:
A Backup Compliance Policy limits your ability to reduce backup storage costs. You can't adjust the retention or delete a backup to reduce the backup storage costs. To learn more, see Manage Billing.
All new and existing clusters have Cloud Backup automatically enabled and use the project-level Backup Compliance Policy. Atlas augments any preexisting cluster-level backup policies to meet the minimum requirements of the Backup Compliance Policy. All new clusters use the Backup Compliance Policy unless the mininum requirements of the cluster-level backup policy expand beyond the mininum requirements of the Backup Compliance Policy.
You can modify the cluster-level backup policies at any time. If you reduce the frequency of a cluster-level backup policy, the change applies only to future backups. Any existing oplog remains for the original window. The minimum requirements of the Backup Compliance Policy apply.
If the Backup Compliance Policy has the Keep all snapshots when removing additional snapshot regions option set to On and you enable, modify, or delete multi-region snapshots, any snapshots already taken remain.
When you resume a cluster, Atlas automatically enables Cloud Backup. If the Backup Compliance Policy has the Require Point in Time Restore to all clusters option set to On, Atlas automatically enables Continuous Cloud Backup and adjusts the restore window according to the Backup Compliance Policy. Atlas automatically modifies the backup to meet the minimum requirements of the Backup Compliance Policy.
If you terminate a cluster, Atlas maintains all existing snapshots after the termination according to your backup policy. Atlas retains the oplog for restoring a point in time with continuous cloud backup in a static state until Atlas can no longer use them for continuous cloud backup.
If you terminate a cluster, you can't create another cluster with the same name because Atlas uses the name to identify snapshots.
Whenever a user enables, modifies, or disables a Backup Compliance Policy, Atlas reflects the event in the Project Activity Feed.
Required Access
To configure a Backup Compliance Policy, you must have Project Owner
access to the project.
Users with Organization Owner
access must add themselves as a Project Owner
to the project before configuring a Backup Compliance Policy.
Prerequisites
Only MongoDB Support can do the following actions:
Disable the Backup Compliance Policy.
Disable Continuous Cloud Backup if the Backup Compliance Policy has the Require Point in Time Restore to all clusters option set to On.
Reduce the Continuous Cloud Backup Restore Window.
Delete policy items specified in the Backup Compliance Policy.
Only the specified security or legal representative can request support.
You can apply a Backup Compliance Policy to
M10+
dedicated clusters only.Note
You can't convert a dedicated cluster to a
M0
free clusters, anM2
orM5
shared cluster, or a serverless instance.
Procedure
To enable the backup compliance policy for your project using the Atlas CLI, run the following command:
atlas backups compliancePolicy enable [options]
To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas backups compliancePolicy enable.
The Atlas Administration API provides the endpoint in the Cloud Backups resource to update or enable the Backup Compliance Policy settings for the project.
In Atlas, go to the Project Settings page.
If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
Next to the Projects menu, expand the Options menu, then click Project Settings.
The Project Settings page displays.
Enable the Backup Compliance Policy.
Important
You Can't Disable a Backup Compliance Policy
After you enable a Backup Compliance Policy, only MongoDB support can disable it with a request from the security or legal representative specified for the Backup Compliance Policy. Only the security or legal representative specified for the Backup Compliance Policy can make this request.
To disable a Backup Compliance Policy, the security or legal representative specified for the Backup Compliance Policy must request support and complete an extensive verification process.
Before you enable a Backup Compliance Policy, carefully review the prohibited actions and considerations. You can re-enable a Backup Compliance Policy at any time.
Toggle Backup Compliance Policy to On.
The Edit Backup Compliance Policy dialog box opens.
Note
This Backup Compliance Policy applies as the minimum backup policy to all clusters in the project. The Backup Compliance Policy protects all existing snapshots. The Backup Compliance Policy prevents any user, regardless of role, from modifying or deleting existing snapshots prior to their expiration. Changes made to this Backup Compliance Policy apply only to future snapshots. If you enable a Backup Compliance Policy, the Backup Compliance Policy limits your ability to reduce backup storage costs. You can't adjust the retention or delete a backup to reduce the backup storage costs.
Configure your backup policy.
Each row in the Backup Policy Frequency and Retention table represents a backup policy item.
Important
After you save the Backup Compliance Policy, you can't delete policy items specified in the Backup Compliance Policy without MongoDB Support. To delete policy items specified in the Backup Compliance Policy, the security or legal representative specified for the Backup Compliance Policy must request support and complete an extensive verification process. Ensure that you have the correct policy items before you save the Backup Compliance Policy.
Do one of the following steps:
Select the frequency unit from Frequency Unit for a policy item.
Click Add Frequency Unit to add a new policy item to your backup policy.
Select the frequency for the frequency unit from the Every column.
Specify the retention time for the policy item in the Retention Time column and the units for the retention time in the column to the right.
(Optional) Configure the restore window.
Toggle Require Point in Time Restore to all clusters to On.
Specify a Restore Window.
Important
You can't configure a restore window that is longer than the Hourly Snapshot Retention Time. After you save this Backup Compliance Policy, you can't change this setting without MongoDB support. To change this setting, the security or legal representative specified for the Backup Compliance Policy must request support and complete an extensive verification process.
(Optional) Require Encryption at Rest using Customer Key Management for all clusters.
Toggle Require Encryption at Rest using Customer Key Management for all clusters to On.
Note
To enable this option, you must Enable Encryption at Rest for all current clusters. You can't enable this option on paused clusters that don't have Encryption at Rest enabled.
(Optional) Keep all snapshots when removing additional snapshot regions.
You can prevent cluster users from deleting backups copied to other regions even if you change the Copy to other regions option to Off. To learn more, see Configure Atlas to Automatically Copy Snapshots to Other Regions.
Toggle Keep all snapshots when removing additional snapshot regions to On.
Confirm and save the Backup Compliance Policy.
Click Next.
Important
You Can't Disable a Backup Compliance Policy
After you enable a Backup Compliance Policy, only MongoDB support can disable it with a request from the security or legal representative specified for the Backup Compliance Policy. Only the security or legal representative specified for the Backup Compliance Policy can make this request.
To disable a Backup Compliance Policy, the security or legal representative specified for the Backup Compliance Policy must request support and complete an extensive verification process.
Before you enable a Backup Compliance Policy, carefully review the prohibited actions and considerations. You can re-enable a Backup Compliance Policy at any time.
Specify the First Name and Last Name of a security or legal representative.
Specify the Email address of a representative.
Important
An invalid or incorrect email address prevents you from modifying or enabling this Backup Compliance Policy until you correct it with MongoDB Support. Specify the email address that the representative uses to sign into the Support portal.
If you are sure that you want to save the Backup Compliance Policy, specify the project name to continue.
Click the checkbox to confirm that you understand that when you enable a Backup Compliance Policy, no user, regardless of role, can modify or delete backup snapshots. If you enable a Backup Compliance Policy, the Backup Compliance Policy limits your ability to reduce backup storage costs and you can not adjust the retention or delete a backup to reduce backup storage costs. Only MongoDB Support can disable a Backup Compliance Policy. Only the specified security or legal representative can request support to disable a Backup Compliance Policy.
Click Confirm and Save.
View Projects that have a Backup Compliance Policy Enabled
To return the backup compliance policy for your project using the Atlas CLI, run the following command:
atlas backups compliancePolicy describe [options]
To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas backups compliancePolicy describe.
The Atlas Administration API provides the endpoint in the Cloud Backups resource to retrieve the Backup Compliance Policy settings for the project.
A Backup Compliance Policy icon appears next to each project name that has a Backup Compliance Policy enabled.
In Atlas, go to the Projects page for your organization.
If it's not already displayed, select your desired organization from the Organizations menu in the navigation bar.
Do one of the following steps:
Click the Leaf icon in the upper left corner of the page.
Click the Organization Settings icon next to the Organizations menu, then click Projects in the sidebar.
Expand the Projects menu in the navigation bar, then click View All Projects.
The Projects page displays.
View Backup Details for Dedicated Clusters
You can view backup details for all M10+
dedicated clusters
including deleted clusters with retained snapshots.
To view backup details:
In Atlas, go to the Backup details for your project.
If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.
If it's not already displayed, select your project from the Projects menu in the navigation bar.
In the sidebar, click Backup under the Security heading.
The Backup details display.
Extra Snapshot Retention
When a Backup Compliance Policy is enabled for your project, you can also configure extra snapshot retention to retain snapshots beyond the Backup Compliance Policy protection period. Your snapshots remain fully protected and users can't delete them during the Backup Compliance Policy period. During the extra snapshot retention period, snapshots are unprotected again and any user with the appropriate role can delete them. When the extra snapshot retention period ends, Atlas deletes the snapshots automatically. Any changes apply to all existing and future snapshots for that frequency unit. The extra snapshot retention time remains the same even if the Backup Compliance Policy changes.
To learn more, see Configure Extra Snapshot Retention.