Profile Applicability:

  • Level 1

Description:

Amazon DocumentDB provides deletion protection to prevent accidental deletion of clusters. When deletion protection is enabled, the DocumentDB cluster cannot be deleted via the AWS Management Console, AWS CLI, or API unless the deletion protection is disabled first. This SOP ensures that DocumentDB clusters have deletion protection enabled to prevent the accidental loss of critical data and infrastructure.

Rationale:

  • Data Integrity: Ensures that critical data stored in DocumentDB clusters is protected from accidental deletion.

  • Operational Security: Prevents unauthorized or accidental deletion of database clusters, ensuring that business-critical systems remain operational.

  • Disaster Recovery: Helps to avoid unintentional loss of infrastructure, especially for production systems.

  • Compliance: Meets security and operational guidelines for safeguarding data and systems.

Impact:

Pros:

  • Prevents Accidental Deletion: Deletion protection ensures that clusters cannot be accidentally removed, reducing the risk of data loss.

  • Increased Data Availability: The feature ensures that critical databases are always available and can be recovered in case of failure.

  • Improved Security: Adds an extra layer of security for database clusters to protect against malicious actions or human error.

Cons:

  • Management Overhead: While helpful, deletion protection introduces an additional step to disable protection when legitimate deletion of a cluster is required.

  • Operational Complexity: Administrators must ensure they manage deletion protection settings when performing maintenance or cleanup tasks.

Default Value:

By default, deletion protection is disabled for DocumentDB clusters. It must be explicitly enabled at the time of cluster creation or modified afterward.

Pre-requisite:

  • AWS IAM Permissions:

    • rds:DescribeDBClusters

    • rds:ModifyDBCluster

  • AWS CLI installed and configured.

  • Ensure that you have the correct permissions to manage DocumentDB clusters.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon DocumentDB under Services.

  3. In the DocumentDB Dashboard, go to Clusters.

  4. Select the DocumentDB cluster you want to check.

  5. In the Configuration tab, check the Deletion Protection setting:

    • If Deletion Protection is enabled, it will show Enabled.

    • If Deletion Protection is disabled, it will show Disabled.

Using AWS CLI:

  1. To check if deletion protection is enabled for a DocumentDB cluster, run the following command:

    aws rds describe-db-clusters --query 'DBClusters[*].{ClusterIdentifier:DBClusterIdentifier,DeletionProtection:DeletionProtection}'

  2. Review the output:

  • If DeletionProtection is true, deletion protection is enabled for the cluster.

  • If DeletionProtection is false, deletion protection is not enabled.

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Amazon DocumentDB.

  2. In the DocumentDB Dashboard, select Clusters and choose the DocumentDB cluster you want to enable deletion protection for.

  3. Click Modify.

  4. Under the Deletion Protection section, enable Deletion Protection.

  5. Click Continue, then Apply Changes to enable deletion protection.

Using AWS CLI:

  1. To enable deletion protection for an existing DocumentDB cluster, run:

    aws rds modify-db-cluster --db-cluster-identifier <db-cluster-id> --deletion-protection --apply-immediately

  2. To verify that deletion protection has been enabled, run:

    aws rds describe-db-clusters --query 'DBClusters[*].{ClusterIdentifier:DBClusterIdentifier,DeletionProtection:DeletionProtection}'

Backout Plan:

Using AWS Console:

  1. If enabling Deletion Protection causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon DocumentDB, select the cluster, and click Modify.

  3. Disable Deletion Protection and save the changes.

  4. Monitor the cluster to ensure that Deletion Protection is now disabled and that it is possible to delete the cluster if needed.

Using AWS CLI:

  1. To disable Deletion Protection, run:

    aws docdb modify-db-cluster --db-cluster-identifier <CLUSTER_ID> --no-deletion-protection --apply-immediately

  2. Verify that Deletion Protection is disabled:

    aws docdb describe-db-clusters --db-cluster-identifier <CLUSTER_ID>

References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.

v8

14.6

Protect Information Through Access Control Lists – Apply strict access control to file systems.