This rule ensures that RDS DB instances have deletion protection enabled.
Rule | RDS DB instances should have deletion protection enabled
Framework | CISA-cyber-essentials
Severity | Critical
RDS DB Instance Deletion Protection for CISA-Cyber Essentials Rule
Description:
Amazon RDS (Relational Database Service) provides managed database instances for several database engines. To comply with the CISA-Cyber Essentials guidelines, deletion protection must be enabled on every RDS DB instance. While the flag is set, delete requests for the instance from the console, CLI or API are rejected until it is cleared, which guards against accidental or unauthorized deletion of the database.
Troubleshooting Steps:
If deletion protection is not enabled for an RDS DB instance, take the following steps to troubleshoot and rectify the issue:
Identify the affected RDS DB instances: Review the list of RDS instances in the account and identify the ones that do not have deletion protection enabled.
Verify the CISA-Cyber Essentials policy: Double-check the specific policy requirements to confirm that deletion protection is required for all RDS instances.
Modify the affected RDS DB instance: Open the instance settings in the AWS Management Console, or use the AWS CLI/API to modify the instance.
Enable deletion protection: Set the deletion protection flag on the instance in the console, or with the CLI/API command shown under Necessary Code below.
Verify the changes: After modifying the RDS instance, confirm that deletion protection is now enabled by checking the instance configuration.
Necessary Code:
The AWS CLI command to enable deletion protection for an RDS DB instance is:
aws rds modify-db-instance --db-instance-identifier <instance-identifier> --deletion-protection
Replace <instance-identifier> with the identifier of the RDS instance you want to protect. The flag is a boolean switch and takes no value; --no-deletion-protection is its inverse.
Step-by-Step Guide for Remediation:
Identify the affected RDS DB instances: Log in to the AWS Management Console, navigate to the RDS service and select the region where your instances are located.
Review the RDS instances: In the RDS dashboard, open the list of DB instances in your account and identify the instances without deletion protection.
Confirm the CISA-Cyber Essentials requirement: Check the CISA-Cyber Essentials policy to verify that deletion protection is required for all RDS instances.
Enable deletion protection: Use the AWS Management Console or the AWS CLI/API to enable deletion protection for each affected instance.
For AWS Management Console:
For AWS CLI:
Open a terminal or command prompt.
Execute the following command, replacing <instance-identifier> with the identifier of the RDS instance:
aws rds modify-db-instance --db-instance-identifier <instance-identifier> --deletion-protection
Verify the changes: Check the RDS instance configuration to confirm that deletion protection is now enabled. Review the instance details in the console, or use the describe-db-instances CLI command:
aws rds describe-db-instances --db-instance-identifier <instance-identifier> --query 'DBInstances[0].[DBInstanceIdentifier,DeletionProtection]'
Ensure that the output shows the correct instance identifier and the value true for deletion protection.
By following these steps, you can enable deletion protection for your RDS DB instances and ensure compliance with the CISA-Cyber Essentials guidelines.
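The procedure above is easy to script so that the audit, the remediation and the verification run as one pass over every instance in a region. The following script is an added example and not code from the original page: the function names, the AUDIT_LIVE and REMEDIATE variables, and the sample instance list are its own assumptions, while the aws commands are the standard CLI calls already shown above. Without AUDIT_LIVE=1 it runs entirely offline against the constructed sample, so it can be read and tested before it is pointed at a real account.

```shell
#!/bin/sh
# Added example, not code from the original page: audit the RDS instances in
# the current region for DeletionProtection and, when asked, remediate them.
# Function names, the AUDIT_LIVE/REMEDIATE variables and the sample data are
# this script's own assumptions; the aws commands are the standard CLI calls.
set -eu

# Read tab-separated "identifier<TAB>True|False" lines, the shape that
# `aws rds describe-db-instances --output text` emits for the query in
# fetch_instances, and print only the identifiers whose flag is False.
list_unprotected() {
    awk -F'\t' '$2 == "False" { print $1 }'
}

# Same input; print how many instances lack deletion protection.
count_unprotected() {
    list_unprotected | wc -l | tr -d ' '
}

# Live query: needs the aws CLI and credentials for the target account.
fetch_instances() {
    aws rds describe-db-instances \
        --query 'DBInstances[].[DBInstanceIdentifier,DeletionProtection]' \
        --output text
}

# Enable deletion protection on one instance, then re-read the flag so the
# caller gets a non-zero status if the change did not take effect.
enable_protection() {
    aws rds modify-db-instance --db-instance-identifier "$1" \
        --deletion-protection >/dev/null
    state=$(aws rds describe-db-instances --db-instance-identifier "$1" \
        --query 'DBInstances[0].DeletionProtection' --output text)
    [ "$state" = "True" ]
}

# Constructed sample standing in for the live query, so the script runs
# offline: one protected instance and two that would fail the rule.
SAMPLE=$(printf 'prod-orders\tTrue\nlegacy-reports\tFalse\nstaging-api\tFalse\n')

if [ "${AUDIT_LIVE:-0}" = "1" ]; then
    instances=$(fetch_instances)
else
    instances=$SAMPLE
fi

echo "$(printf '%s\n' "$instances" | count_unprotected) instance(s) without deletion protection"
printf '%s\n' "$instances" | list_unprotected | while read -r id; do
    echo "unprotected: $id"
    if [ "${AUDIT_LIVE:-0}" = "1" ] && [ "${REMEDIATE:-0}" = "1" ]; then
        enable_protection "$id" && echo "  deletion protection enabled on $id"
    fi
done
```

Run it as `sh audit-rds.sh` to see the offline sample, `AUDIT_LIVE=1 sh audit-rds.sh` to list the unprotected instances in the configured region, and `AUDIT_LIVE=1 REMEDIATE=1 sh audit-rds.sh` to enable the flag on each of them. The re-read inside enable_protection is the same check the Verify step performs by hand; doing it per instance means a failed modify call is reported immediately instead of surfacing at the next compliance scan.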