Rule: RDS DB Instances Should Have Deletion Protection Enabled

This rule ensures that RDS DB instances have deletion protection enabled.

Rule: RDS DB instances should have deletion protection enabled
Framework: CISA-cyber-essentials
Severity: Critical

RDS DB Instance Deletion Protection for CISA-Cyber Essentials Rule

Description:

The RDS (Relational Database Service) in AWS provides managed database instances for various database engines. To ensure compliance with CISA-Cyber Essentials guidelines, it is required to enable deletion protection for RDS DB instances. With deletion protection enabled, the instance cannot be deleted through the console, CLI or API until the setting is turned off again, which guards against accidental or unauthorized deletion of the database and its data.

Troubleshooting Steps:

If deletion protection is not enabled for an RDS DB instance, the following steps can be taken to troubleshoot and rectify the issue:

1. Identify the affected RDS DB instances: Review the list of RDS instances associated with the account and identify the ones that do not have deletion protection enabled.

2. Verify the CISA-Cyber Essentials policy: Double-check the specific policy requirements to confirm that deletion protection is required for all RDS instances.

3. Modify the affected RDS DB instance: Access the AWS Management Console or use the AWS CLI/API to modify the RDS instance settings.

4. Enable deletion protection: Modify the RDS instance by enabling deletion protection using the appropriate AWS Management Console or CLI/API command.

5. Verify the changes: After modifying the RDS instance, verify that deletion protection is now enabled. Check the instance configuration to ensure the setting has been updated successfully.

Necessary Code:

The AWS CLI command to enable deletion protection for an RDS DB instance is as follows (the CLI expresses this setting as the boolean flag --deletion-protection / --no-deletion-protection rather than as a true/false argument):

aws rds modify-db-instance --db-instance-identifier <instance-identifier> --deletion-protection

Replace <instance-identifier> with the identifier of the RDS instance you want to enable deletion protection for.

Step-by-Step Guide for Remediation:

1. Identify the affected RDS DB instances: Log in to the AWS Management Console and navigate to the RDS service. Select the specific region where your instances are located.

2. Review the RDS instances: In the RDS dashboard, locate the list of DB instances associated with your account. Identify the instances without deletion protection.

3. Confirm CISA-Cyber Essentials requirement: Check the CISA-Cyber Essentials policy to verify that deletion protection is required for all RDS instances.

4. Enable deletion protection: Use the AWS Management Console or the AWS CLI/API to enable deletion protection for the RDS instance.

   • For AWS Management Console:
     • Click on the target RDS DB instance name.
     • Go to the "Instance actions" menu and select "Modify".
     • Scroll down to the "Database Options" section.
     • Enable the "Deletion protection" option.
     • Click the "Apply immediately" button to save the changes.

   • For AWS CLI:
     • Open the terminal or command prompt.
     • Execute the following command, replacing <instance-identifier> with the identifier of the RDS instance:

       aws rds modify-db-instance --db-instance-identifier <instance-identifier> --deletion-protection

5. Verify the changes: Check the RDS instance configuration to confirm that deletion protection is now enabled. Review the instance details or use the describe-db-instances CLI command to ensure the setting has been updated successfully:

   • AWS CLI:

     aws rds describe-db-instances --db-instance-identifier <instance-identifier> --query 'DBInstances[0].[DBInstanceIdentifier,DeletionProtection]'

   Ensure that the output displays the correct instance identifier and a true value for deletion protection.

By following these steps, you can enable deletion protection for the RDS DB instances and ensure compliance with CISA-Cyber Essentials guidelines.
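The identify, remediate and verify steps above are applied to one instance at a time. The following POSIX shell script is an added example, not code from the original page or from Cloud Defense, that performs the same three steps for a whole region: it lists every instance whose DeletionProtection is false, prints (but does not execute) the matching modify-db-instance command for each, and offers a check that succeeds only once every instance reports true. The function names, the sample instance identifiers and the --demo switch are assumptions made for this example; only audit_region calls the AWS CLI, and it assumes a configured CLI with permission to call DescribeDBInstances. Everything else works offline on the text-format output shape that the describe-db-instances query produces.

```shell
#!/bin/sh
# Added example (not from the original page): audit the RDS instances in one
# region for deletion protection and print a remediation command for each one
# that lacks it. Only audit_region touches AWS (assumes a configured AWS CLI
# with permission for rds:DescribeDBInstances); every other function works
# offline on the text-format output shape shown in sample_describe_output.

# Text output shape of:
#   aws rds describe-db-instances \
#     --query 'DBInstances[].[DBInstanceIdentifier,DeletionProtection]' --output text
# i.e. one "<identifier><TAB><True|False>" line per instance. This sample is
# constructed for the demo and names no real instances.
sample_describe_output() {
    printf 'orders-prod\tTrue\nanalytics-staging\tFalse\nlegacy-reporting\tFalse\n'
}

# Read "<identifier><TAB><True|False>" lines on stdin; print the identifiers
# whose DeletionProtection column is False (the non-compliant set for this rule).
list_unprotected() {
    awk -F '\t' '$2 == "False" { print $1 }'
}

# Read identifiers on stdin and print one modify-db-instance command per line.
# The setting is the boolean flag --deletion-protection (its opposite is
# --no-deletion-protection). Commands are printed rather than executed so the
# list can be reviewed before anything is changed.
remediation_commands() {
    while IFS= read -r id; do
        [ -n "$id" ] || continue
        printf 'aws rds modify-db-instance --db-instance-identifier %s --deletion-protection\n' "$id"
    done
}

# Post-remediation check: succeed only when no line on stdin reports False.
all_protected() {
    [ -z "$(list_unprotected)" ]
}

# Live variant: pull the current state for one region and emit the remediation
# commands. Nothing is modified; pipe the output to sh only after review.
audit_region() {
    aws rds describe-db-instances --region "$1" \
        --query 'DBInstances[].[DBInstanceIdentifier,DeletionProtection]' \
        --output text | list_unprotected | remediation_commands
}

# Offline demo against the constructed sample:
#   sh rds_deletion_protection.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample_describe_output | list_unprotected | remediation_commands
    sample_describe_output | all_protected || echo "# sample still has unprotected instances"
fi
```

Running the script with --demo prints two modify-db-instance commands (for analytics-staging and legacy-reporting) followed by the "still has unprotected instances" line. Against a live region, `audit_region us-east-1 | sh` would apply the commands after review, and `aws rds describe-db-instances --region us-east-1 --query 'DBInstances[].[DBInstanceIdentifier,DeletionProtection]' --output text | all_protected` then serves as the verification step for the whole region.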
