Description:
Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the AWS Cloud. It provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks.
Rationale:
With deletion protection enabled, your Amazon RDS database instances cannot be deleted by accident, and your data is protected.
Impact:
Deletion protection prevents users from deleting any existing or new RDS database cluster via the AWS Management Console, the CLI, or API requests unless the functionality is explicitly disabled.
Default value:
By default, deletion protection is enabled when the database is created.
Audit:
1. Sign in to the AWS Management Console.
2. Navigate to the RDS service at https://console.aws.amazon.com/rds
3. In the Resources section of the RDS Dashboard, click DB Clusters, or click Databases in the navigation pane below the Dashboard.
4. Click the database cluster that you want to examine and select the Configuration tab.
5. Under Configuration, check whether Deletion protection is shown as Enabled or Disabled.
Via CLI:
To query the deletion-protection setting of a DB instance (for an Aurora or Multi-AZ DB cluster, use describe-db-clusters with --db-cluster-identifier and query DBClusters[*].DeletionProtection instead):
aws rds describe-db-instances \
  --region us-east-1 \
  --db-instance-identifier database-1 \
  --query 'DBInstances[*].DeletionProtection'
A result of true means deletion protection is enabled; false means the instance can be deleted.
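The CLI check above covers one named instance. As an added example (not part of the original benchmark text), the following Python script audits a whole region by parsing the JSON that describe-db-instances and describe-db-clusters return and listing every resource whose DeletionProtection is not true. The embedded sample JSON is constructed, and the helper names (unprotected, audit_region) and the fail-closed handling of a missing field are this example's own choices.

```python
import json
import subprocess

# Constructed sample output (not captured from a real account) in the shape of
# `aws rds describe-db-instances --output json` and `describe-db-clusters --output json`.
SAMPLE_INSTANCES = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "database-1", "DeletionProtection": True},
    {"DBInstanceIdentifier": "database-2", "DeletionProtection": False},
    {"DBInstanceIdentifier": "database-3"},  # field absent: treated as unprotected
]})
SAMPLE_CLUSTERS = json.dumps({"DBClusters": [
    {"DBClusterIdentifier": "aurora-prod", "DeletionProtection": False},
    {"DBClusterIdentifier": "aurora-dev", "DeletionProtection": True},
]})


def unprotected(describe_output: str, list_key: str, id_key: str) -> list[str]:
    """Return the identifiers in a describe-* JSON document whose
    DeletionProtection is not exactly true. A missing or null field is
    reported as a finding so the audit fails closed rather than open."""
    data = json.loads(describe_output)
    return [item[id_key] for item in data.get(list_key, [])
            if item.get("DeletionProtection") is not True]


def audit_region(region: str) -> dict[str, list[str]]:
    """Run the two describe calls through the AWS CLI and return the findings.
    Needs a configured CLI with permission to describe DB instances and clusters.
    For Aurora and Multi-AZ DB clusters the setting lives on the cluster,
    so both resource types are checked."""
    def cli(*args: str) -> str:
        cmd = ["aws", "rds", *args, "--region", region, "--output", "json"]
        return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return {
        "instances": unprotected(cli("describe-db-instances"), "DBInstances", "DBInstanceIdentifier"),
        "clusters": unprotected(cli("describe-db-clusters"), "DBClusters", "DBClusterIdentifier"),
    }


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; call audit_region("us-east-1")
    # against a configured CLI for a live check.
    print("instances without deletion protection:",
          unprotected(SAMPLE_INSTANCES, "DBInstances", "DBInstanceIdentifier"))
    print("clusters without deletion protection:",
          unprotected(SAMPLE_CLUSTERS, "DBClusters", "DBClusterIdentifier"))
```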
Remediation:
Pre-requisites:
- Sign in as an administrator or as an IAM user with the required permissions.
- Before modifying the cluster, take a snapshot of it as a backup.
Implementation Steps:
1. Sign in to the AWS Management Console.
2. Navigate to the RDS service at https://console.aws.amazon.com/rds
3. In the Resources section of the RDS Dashboard, click DB Clusters, or click Databases in the navigation pane below the Dashboard.
4. Select the cluster on which you want to enable deletion protection and click Modify.
5. On the Modify DB cluster page, make sure the Enable deletion protection check box is selected, then click Continue.
6. In the Scheduling of modifications section, choose one of the following based on your requirements:
   - Apply during the next scheduled maintenance window, to apply the change automatically during the next maintenance window.
   - Apply immediately, to apply the change right away.
7. Click Modify cluster.
Via CLI:
To enable deletion protection on a DB instance (for an Aurora or Multi-AZ DB cluster, use modify-db-cluster with --db-cluster-identifier instead):
aws rds modify-db-instance \
  --db-instance-identifier database-1 \
  --deletion-protection \
  --no-apply-immediately
Replace --no-apply-immediately with --apply-immediately to apply the change right away instead of during the next maintenance window.
Backout plan:
To revert the change, follow the same steps as in the implementation section, but in step 5 clear the Enable deletion protection check box. Via the CLI, run the same modify command with --no-deletion-protection in place of --deletion-protection.