Profile Applicability:

  • Level 2

Description:

Amazon RDS provides deletion protection for database clusters to safeguard against accidental deletion of critical data. When deletion protection is enabled, RDS instances cannot be deleted unless this protection is manually disabled. This feature helps prevent the loss of important production databases due to accidental operations. It is essential to ensure that deletion protection is enabled on all production RDS clusters to enhance security and ensure business continuity.

Rationale:

  • Prevents Accidental Deletion: Deletion protection ensures that RDS clusters cannot be deleted by mistake, safeguarding critical database instances.

  • Business Continuity: Prevents disruptions by ensuring that databases required for operations cannot be unintentionally removed.

  • Data Integrity: Helps ensure that valuable data is not lost due to human error or unintended actions.

  • Security: Adds an extra layer of protection for sensitive or mission-critical systems and ensures that only authorized personnel can delete the database.

Impact:

Pros:

  • Prevents Accidental Data Loss: Eliminates the risk of database deletion due to human error.

  • Improved Security: Helps protect critical data by preventing unauthorized deletion.

  • Compliance: Meets best practices for data protection, ensuring that the database cannot be deleted without proper safeguards in place.

Cons:

  • Requires Manual Disabling: In case the RDS cluster needs to be deleted, deletion protection must be manually disabled, which adds an extra step to the process.

  • Operational Overhead: Although minimal, there is a slight increase in operational overhead to ensure deletion protection is consistently enabled.

Default Value:

By default, deletion protection is disabled for RDS clusters. It must be explicitly enabled during instance creation or modified afterward.

Pre-requisite:

  • AWS IAM Permissions:

    • rds:DescribeDBClusters

    • rds:ModifyDBCluster

    • rds:CreateDBCluster

  • AWS CLI installed and configured.

  • Ensure that RDS clusters support deletion protection, based on their engine type and configuration.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon RDS under Services.

  3. In the RDS Dashboard, go to Databases and select the RDS cluster you want to check.

  4. In the Configuration tab, check the Deletion Protection setting:

    • If Deletion Protection is enabled, it will be set to Yes.

    • If Deletion Protection is not enabled, it will show No.

  5. If Deletion Protection is not enabled, click Modify, and under the Database Options section, enable Enable Deletion Protection.

  6. Save the changes and verify that Deletion Protection is now enabled for the RDS cluster.

Using AWS CLI:

  1. To check if Deletion Protection is enabled for an RDS cluster, run the following command:

    aws rds describe-db-clusters --query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,DeletionProtection:DeletionProtection}'

  2. Review the output:

  • If DeletionProtection is true, deletion protection is enabled.

  • If DeletionProtection is false, deletion protection is not enabled.

  1. To enable Deletion Protection for an RDS cluster, run:

    aws rds modify-db-cluster --db-cluster-identifier <cluster-id> --deletion-protection --apply-immediately

  2. Verify that Deletion Protection is enabled:

    aws rds describe-db-clusters --query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,DeletionProtection:DeletionProtection}'

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Amazon RDS.

  2. In the RDS Dashboard, select Databases and choose the RDS cluster for which you want to enable deletion protection.

  3. Click Modify.

  4. In the Database Options section, check the box to Enable Deletion Protection.

  5. Click Continue, then Apply Changes to enable deletion protection.

Using AWS CLI:

  1. To enable Deletion Protection for an RDS cluster, run the following command:

    aws rds modify-db-cluster --db-cluster-identifier <cluster-id> --deletion-protection --apply-immediately

  2. To verify that Deletion Protection is enabled, run:

    aws rds describe-db-clusters --query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,DeletionProtection:DeletionProtection}'

Backout Plan:

Using AWS Console:

  1. If enabling Deletion Protection causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon RDS, select the DB cluster, and click Modify.

  3. Uncheck the Deletion Protection option.

  4. Save the changes and verify that the cluster is no longer protected from deletion.

Using AWS CLI:

  1. To disable Deletion Protection, run the following command:

    aws rds modify-db-cluster --db-cluster-identifier <CLUSTER_ID> --no-deletion-protection --apply-immediately

  2. Verify that Deletion Protection has been disabled:

    aws rds describe-db-clusters --db-cluster-identifier <CLUSTER_ID>

References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.