Profile Applicability:

  • Level 1

Description:

Amazon RDS provides a deletion protection feature that prevents the accidental deletion of RDS database instances. When deletion protection is enabled, attempts to delete an RDS instance are blocked, ensuring that critical data and services are not accidentally removed. This feature is especially important in production environments where data loss can have serious consequences.

This SOP ensures that deletion protection is enabled for all RDS instances, adding an additional layer of security against accidental or unauthorized deletion of critical database instances.

Rationale:

  • Prevention of Accidental Deletion: Deletion protection safeguards critical database instances from being accidentally deleted, ensuring that data is not lost due to human error or unauthorized actions.

  • Business Continuity: Ensures that databases vital for business operations cannot be deleted without intentional intervention, minimizing potential downtime or loss of data.

  • Compliance: Many compliance frameworks (such as SOC 2, PCI-DSS, HIPAA) require data protection measures like deletion prevention to ensure that sensitive information is safeguarded.

Impact:

Pros:

  • Increased Security: Provides protection against accidental or unauthorized deletion of important database instances.

  • Improved Data Integrity: Ensures that database instances remain intact unless explicitly modified or deleted.

  • Operational Stability: Reduces the risk of disruptions to production environments caused by accidental deletions.

Cons:

  • Configuration Overhead: Enabling deletion protection requires an additional configuration step when creating or modifying an RDS instance.

  • Management Overhead: Deletion protection needs to be reviewed periodically to ensure that it is enabled for all critical instances.

  • Deletions: If an instance must be deleted, deletion protection must first be disabled, which could add a small amount of operational complexity.

Default Value:

By default, deletion protection is disabled for RDS instances. You must explicitly enable it when creating or modifying an RDS instance.

Pre-requisite:

  • AWS IAM Permissions:

    • rds:DescribeDBInstances

    • rds:ModifyDBInstance

  • AWS CLI installed and configured.

  • Ensure that the RDS instance is not in use in a manner that would require deletion protection to be disabled for legitimate purposes.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon RDS under Services.

  3. In the RDS Dashboard, go to Databases and select the DB instance you want to check.

  4. In the Configuration tab, verify the Deletion Protection setting:

    • If Deletion Protection is enabled, it will show as Enabled.

    • If Deletion Protection is disabled, it will show as Disabled.

  5. If deletion protection is disabled, click Modify, and under the Deletion Protection section, check the box to Enable Deletion Protection.

  6. Save the changes and ensure the RDS instance is protected from accidental deletion.

Using AWS CLI:

  1. To check if deletion protection is enabled for an RDS instance, run:

    aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier,DeletionProtection:DeletionProtection}'

  2. Review the output:

  • If DeletionProtection is true, deletion protection is enabled.

  • If DeletionProtection is false, deletion protection is not enabled.

  1. To enable deletion protection for an RDS instance, run:

    aws rds modify-db-instance --db-instance-identifier <instance-id> --deletion-protection --apply-immediately

  2. Verify that deletion protection is now enabled:

    aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier,DeletionProtection:DeletionProtection}'

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Amazon RDS.

  2. In the RDS Dashboard, select Databases and choose the DB instance to configure.

  3. Click Modify.

  4. In the Deletion Protection section, check the box to Enable Deletion Protection.

  5. Review the settings and click Continue to apply the changes.

Using AWS CLI:

  1. To enable deletion protection for an RDS instance, run the following command:

    aws rds modify-db-instance --db-instance-identifier <instance-id> --deletion-protection --apply-immediately

  2. Verify that deletion protection is enabled:

    aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier,DeletionProtection:DeletionProtection}'

Backout Plan:

Using AWS Console:

  1. If enabling deletion protection causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon RDS, select the DB instance, and click Modify.

  3. Uncheck the Deletion Protection option.

  4. Save the changes and verify that deletion protection has been disabled.

Using AWS CLI:

  1. To disable deletion protection, run the following command:

    aws rds modify-db-instance --db-instance-identifier <DB_INSTANCE_ID> --no-deletion-protection --apply-immediately

  2. Verify that deletion protection has been disabled:

    aws rds describe-db-instances --db-instance-identifier <DB_INSTANCE_ID>

References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.

v8

14.6

Protect Information Through Access Control Lists – Apply strict access control to file systems.