Description:

Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the AWS Cloud. It provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks.


Rationale:

With the Deletion Protection feature enabled, you can rest assured that your Amazon RDS database instances will not be deleted by accident and that your data will be protected.


Impact:

Deletion protection prevents users from deleting any existing or new RDS database instances via the AWS Management Console, the CLI, or API requests unless the functionality is explicitly disabled.


Default value:

By default, deletion protection will be enabled while creating the Database.


Pre-requisites:

  1. Sign in as an admin or as an IAM user with the required permissions.



Remediation:


Test Plan:

  1. Sign in to AWS Management Console 

  2. Navigate to RDS service at https://console.aws.amazon.com/rds

  3. Click on Databases in the left navigation pane

  4. Click on the database that you want to examine and select the Configuration tab

  5. Under the Configuration tab, check the Deletion protection column to see whether it is enabled or disabled.
    If Deletion Protection is Disabled, follow the implementation steps to enable it.



Using AWS CLI:

To check the deletion protection status:

aws rds describe-db-instances \
  --region us-east-1 \
  --db-instance-identifier cc-project5-db-instance \
  --query 'DBInstances[*].DeletionProtection'


Implementation Steps:

  1. Sign in to AWS Management Console 

  2. Navigate to RDS service at https://console.aws.amazon.com/rds

  3. Click on Databases in the left navigation pane

  4. Select the database that you want to edit and click on Modify

  5. On the Modify DB Instance page, make sure the Enable Deletion Protection checkbox is checked and click on Continue

  6. In the Scheduling of modifications section, perform one of the following actions based on your requirements:

    1. Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.

    2. Select Apply immediately to apply the changes right away.

  7. Click on Modify DB Instance


Using AWS CLI:

aws rds modify-db-instance \
  --region us-east-1 \
  --db-instance-identifier cc-project5-db-instance \
  --deletion-protection \
  --apply-immediately
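
The single-instance check and fix above, extended to every DB instance in a region. This is an added example, not part of the original page. It assumes a configured AWS CLI; the function names and the sample listing (including `orders-db` and `reporting-replica`) are constructed for illustration.

```shell
#!/bin/sh
# Added example: region-wide audit of RDS deletion protection.

# list_instances REGION
# Prints one "<identifier><TAB><True|False>" line per DB instance.
list_instances() {
  aws rds describe-db-instances \
    --region "$1" \
    --query 'DBInstances[*].[DBInstanceIdentifier,DeletionProtection]' \
    --output text
}

# unprotected_instances
# Reads list_instances output on stdin and prints the identifiers
# whose DeletionProtection value is anything other than true.
unprotected_instances() {
  awk -F '\t' 'NF >= 2 && tolower($2) != "true" { print $1 }'
}

# remediation_commands REGION
# Reads identifiers on stdin and prints (does not run) the
# modify-db-instance command for each, so it can be reviewed first.
remediation_commands() {
  while IFS= read -r id; do
    [ -n "$id" ] || continue
    printf 'aws rds modify-db-instance --region %s --db-instance-identifier %s --deletion-protection --apply-immediately\n' "$1" "$id"
  done
}

# Constructed sample of list_instances output, for an offline run.
sample_listing() {
  printf 'cc-project5-db-instance\tFalse\n'
  printf 'orders-db\tTrue\n'
  printf 'reporting-replica\tFalse\n'
}

# Offline demonstration on the constructed sample.
sample_listing | unprotected_instances | remediation_commands us-east-1

# Against a real account:
#   list_instances us-east-1 | unprotected_instances
```
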


Backout plan:

To revert the changes, follow the same steps as in the implementation section, but in step 5 uncheck the Enable Deletion Protection checkbox.


Using AWS CLI:

To disable the deletion protection:

aws rds modify-db-instance \
  --db-instance-identifier <value> \
  --no-deletion-protection \
  --apply-immediately

References:

Amazon RDS DB instances - Amazon Relational Database Service