Description:

Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the AWS Cloud. It provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks.


Rationale:

With deletion protection enabled, an Amazon RDS DB instance or DB cluster cannot be deleted by an accidental console click, a mistyped CLI command, or a misconfigured automation run until the setting is explicitly turned off, which protects the data it holds from unintended loss.


Impact:

Deletion protection prevents deletion of any existing or newly created RDS DB instance or DB cluster via the AWS Management Console, the CLI, or API requests until the setting is explicitly disabled. It is a safeguard against mistakes, not against a privileged attacker: a principal allowed to modify the resource can turn the setting off and then delete it, and the setting does not protect snapshots.


Default value:

Deletion protection is disabled by default when a DB instance or cluster is created with the CLI, the API, or CloudFormation (the DeletionProtection parameter defaults to false). The console may pre-select the checkbox depending on the template chosen (for example Production), so databases created by any other path in particular need to be checked.


Audit:

  1. Sign in to the AWS Management Console.

  2. Navigate to the RDS service at https://console.aws.amazon.com/rds.

  3. In the Resources section of the RDS dashboard click DB Clusters (or DB Instances), or choose Databases from the navigation pane.

  4. Click the DB cluster or instance that you want to examine and open the Configuration tab.

  5. Under Configuration, check whether Deletion protection is shown as Enabled or Disabled. Any resource showing Disabled is non-compliant.


Via CLI:

To query the deletion protection flag of a DB instance (for Aurora or Multi-AZ DB clusters use describe-db-clusters and the DBClusters key instead, since the flag is held at the cluster level):

aws rds describe-db-instances \
  --region us-east-1 \
  --db-instance-identifier database-1 \
  --query 'DBInstances[*].DeletionProtection'

The query returns [true] when deletion protection is enabled and [false] when it is not.
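As an added example that is not part of the original page, the following script extends the single-instance query above to a whole region: it lists every DB instance and DB cluster whose DeletionProtection flag is false and exits non-zero if any is found, so it can run as a scheduled or CI check. It assumes AWS CLI v2 and credentials permitted to call rds:DescribeDBInstances and rds:DescribeDBClusters; the choice to skip instances that belong to a cluster (whose flag is evaluated through describe-db-clusters instead) is this script's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): report RDS DB instances and DB
# clusters in one region that have deletion protection disabled.
# Assumes AWS CLI v2 and credentials allowed to call rds:DescribeDBInstances
# and rds:DescribeDBClusters.
set -eu

# Identifiers of stand-alone DB instances with DeletionProtection == false.
# Instances that belong to a cluster are skipped here (assumption: their flag
# is governed at the cluster level and reported by unprotected_clusters below).
unprotected_instances() {
  local region="$1"
  aws rds describe-db-instances --region "$region" \
    --query 'DBInstances[?DeletionProtection==`false` && !DBClusterIdentifier].DBInstanceIdentifier' \
    --output text
}

# Identifiers of Aurora / Multi-AZ DB clusters with DeletionProtection == false.
unprotected_clusters() {
  local region="$1"
  aws rds describe-db-clusters --region "$region" \
    --query 'DBClusters[?DeletionProtection==`false`].DBClusterIdentifier' \
    --output text
}

# Print one "instance <id>" or "cluster <id>" line per non-compliant resource.
# Returns 0 when everything is protected, 1 otherwise (usable as a CI gate).
audit_deletion_protection() {
  local region="$1" found=0 id
  for id in $(unprotected_instances "$region"); do
    echo "instance $id"
    found=1
  done
  for id in $(unprotected_clusters "$region"); do
    echo "cluster $id"
    found=1
  done
  return "$found"
}

# Usage: ./audit-deletion-protection.sh us-east-1
if [ "$#" -ge 1 ]; then
  audit_deletion_protection "$1"
fi
```

Run it once per region you operate in; the non-zero exit status makes it easy to fail a pipeline or page an on-call engineer when an unprotected database appears.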


Remediation:

Pre-requisites:

  1. Sign in as an administrator or as an IAM principal with permission to describe and modify the DB instance or cluster (rds:DescribeDBInstances and rds:ModifyDBInstance, or the DB cluster equivalents).

  2. Before modifying the cluster or instance, take a snapshot of it as a backup.


Implementation Steps:

  1. Sign in to the AWS Management Console.

  2. Navigate to the RDS service at https://console.aws.amazon.com/rds.

  3. In the Resources section of the RDS dashboard click DB Clusters (or DB Instances), or choose Databases from the navigation pane.

  4. Select the cluster or instance on which to enable deletion protection and click Modify.

  5. On the Modify page, make sure the Enable deletion protection checkbox is checked, then click Continue.

  6. In the Scheduling of modifications section, choose one of the following according to your requirements:

    1. Apply during the next scheduled maintenance window, to apply the change automatically in the next maintenance window.

    2. Apply immediately, to apply the change right away.

  7. Click Modify cluster (or Modify DB instance).


Via CLI:

To enable deletion protection on a DB instance (use modify-db-cluster with --db-cluster-identifier for an Aurora or Multi-AZ DB cluster):

aws rds modify-db-instance \
    --db-instance-identifier database-1 \
    --deletion-protection \
    --no-apply-immediately

Re-run the describe command from the Audit section afterwards to confirm that DeletionProtection reports true.
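The following script is an added example, not code from the original page: it enables deletion protection on one or more DB instances or DB clusters and then reads the flag back so the remediation is verified rather than assumed. It assumes AWS CLI v2 and credentials allowed to call rds:ModifyDBInstance, rds:ModifyDBCluster, rds:DescribeDBInstances and rds:DescribeDBClusters. It uses --apply-immediately instead of the deferred form shown above so the read-back reflects the change at once (an assumption of this script, not a requirement of the page), and it relies on the AWS CLI printing booleans as True/False in text output.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): enable deletion protection on
# the named DB instances/clusters and read the flag back to confirm it.
# Assumes AWS CLI v2 and credentials allowing rds:ModifyDBInstance,
# rds:ModifyDBCluster, rds:DescribeDBInstances and rds:DescribeDBClusters.
set -eu

# Turn on deletion protection for one resource.
# $1 is "instance" or "cluster", $2 the identifier, $3 the region.
# --apply-immediately is this script's choice so that the read-back below
# reflects the new value right away.
protect() {
  local kind="$1" id="$2" region="$3"
  case "$kind" in
    instance)
      aws rds modify-db-instance --region "$region" --db-instance-identifier "$id" \
        --deletion-protection --apply-immediately >/dev/null ;;
    cluster)
      aws rds modify-db-cluster --region "$region" --db-cluster-identifier "$id" \
        --deletion-protection --apply-immediately >/dev/null ;;
    *) echo "unknown resource kind: $kind" >&2; return 2 ;;
  esac
}

# Read the flag back; prints "True" or "False" (the CLI's text rendering of
# a boolean) for the given instance or cluster.
protection_state() {
  local kind="$1" id="$2" region="$3"
  case "$kind" in
    instance)
      aws rds describe-db-instances --region "$region" --db-instance-identifier "$id" \
        --query 'DBInstances[0].DeletionProtection' --output text ;;
    cluster)
      aws rds describe-db-clusters --region "$region" --db-cluster-identifier "$id" \
        --query 'DBClusters[0].DeletionProtection' --output text ;;
  esac
}

# Enable and verify one resource. Prints the resulting state and returns 1
# if the flag did not come back as True.
protect_and_verify() {
  local kind="$1" id="$2" region="$3" state
  protect "$kind" "$id" "$region"
  state="$(protection_state "$kind" "$id" "$region")"
  echo "$kind $id DeletionProtection=$state"
  [ "$state" = "True" ]
}

# Usage: ./enable-deletion-protection.sh us-east-1 instance database-1 cluster aurora-prod
if [ "$#" -ge 3 ]; then
  region="$1"; shift
  while [ "$#" -ge 2 ]; do
    protect_and_verify "$1" "$2" "$region"
    shift 2
  done
fi
```

Because the script stops at the first resource whose flag does not read back as True, a partially failed run is visible immediately instead of being discovered at the next audit.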


Backout plan:

To revert the change, follow the same steps as in the Implementation Steps section, but in step 5 uncheck the Enable deletion protection checkbox (via the CLI, run the same modify command with --no-deletion-protection). Disabling deletion protection removes the safeguard this control establishes, so treat it as a change that should itself be reviewed and logged.


Reference:

  1. rds-cluster-deletion-protection-enabled - AWS Config managed rule

  2. Amazon RDS Now Provides Database Deletion Protection - AWS announcement

  3. rds - AWS CLI 2.2.21 Command Reference