
Rule: RDS DB Instances Should Have Deletion Protection Enabled

This rule states that RDS DB instances must have deletion protection enabled to enhance data security.

Rule: RDS DB instances should have deletion protection enabled
Framework: Federal Financial Institutions Examination Council (FFIEC)
Severity: Critical

Rule Description:

RDS DB instances should have deletion protection enabled to comply with the security requirements set forth by the Federal Financial Institutions Examination Council (FFIEC). Deletion protection ensures that accidental or unauthorized deletion of critical database instances is prevented, reducing the risk of data loss or unauthorized access.

Troubleshooting Steps:

If deletion protection is not already enabled for your RDS DB instances, follow the steps below to enable it:

  1. Identify the RDS DB Instances: Determine the RDS DB instances that need deletion protection and ensure that they are in active status.

  2. Enable Deletion Protection: Access the AWS Management Console or use the AWS CLI or SDKs to enable deletion protection.

  • AWS Management Console:

    • Sign in to the AWS Management Console.
    • Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
    • In the navigation pane, choose "DB Instances".
    • Select the desired RDS DB instance.
    • In the "Actions" drop-down menu, choose "Modify".
    • Scroll down to the "Deletion protection" section and check the box next to "Enable deletion protection".
    • Click on "Continue" and review the modifications.
    • Click on "Modify DB Instance" to save the changes.
  • AWS CLI:

    • Open the AWS CLI or command prompt.

    • Execute the following command to enable deletion protection for the RDS DB instance:

      aws rds modify-db-instance --db-instance-identifier <db-instance-identifier> --deletion-protection true

      Replace <db-instance-identifier> with the identifier of the RDS DB instance.

  3. Verify Deletion Protection: After enabling deletion protection, ensure that it is successfully applied to the RDS DB instances.

  • AWS Management Console:

    • Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
    • In the navigation pane, choose "DB Instances".
    • Select the desired RDS DB instance.
    • Check the "Deletion protection" column to confirm that it shows "Enabled".
  • AWS CLI:

    • Execute the following AWS CLI command to describe the RDS DB instance and verify deletion protection:

      aws rds describe-db-instances --db-instance-identifier <db-instance-identifier> --query 'DBInstances[0].DeletionProtection'

      Replace <db-instance-identifier> with the identifier of the RDS DB instance. The command returns true when deletion protection is enabled.

Additional Notes:

  • Enabling deletion protection ensures that critical RDS DB instances are not accidentally or maliciously deleted, preserving continuity of operations and data integrity.
  • It's important to periodically review and validate the deletion protection status for all relevant RDS DB instances to maintain compliance with the FFIEC requirements.
  • Follow the principle of least privilege by granting access to enable deletion protection only to authorized individuals or roles.
  • Consider creating an automated process or script to enable deletion protection for all new RDS DB instances to ensure consistency and ease of management.
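The verification step and the automation note above can be combined into a small audit: feed the JSON that `aws rds describe-db-instances` prints (the whole fleet, with no `--db-instance-identifier` filter) into a script that flags every instance whose `DeletionProtection` is not true and emits the exact `modify-db-instance` command from this page for each one. The example below is added here and is not part of the original rule page; the instance names and statuses in `SAMPLE_DESCRIBE_OUTPUT` are constructed, and the script assumes only the standard `DBInstances`, `DBInstanceIdentifier`, `DBInstanceStatus` and `DeletionProtection` fields of the describe output.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample in the shape of `aws rds describe-db-instances` output,
# trimmed to the fields this audit needs. Not real instance data.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "ledger-prod", "DBInstanceStatus": "available",
         "DeletionProtection": True},
        {"DBInstanceIdentifier": "reports-prod", "DBInstanceStatus": "available",
         "DeletionProtection": False},
        {"DBInstanceIdentifier": "analytics-staging", "DBInstanceStatus": "modifying",
         "DeletionProtection": False},
        # Field absent entirely: must still be treated as unprotected.
        {"DBInstanceIdentifier": "legacy-app", "DBInstanceStatus": "available"},
    ]
})


def find_unprotected(describe_json: str) -> List[Dict[str, str]]:
    """Return every instance whose DeletionProtection is not exactly true.

    Only a literal true passes; false, null or a missing key all fail the
    check, so a partial or old describe output cannot silently pass the audit.
    """
    findings = []
    for inst in json.loads(describe_json).get("DBInstances", []):
        if inst.get("DeletionProtection") is True:
            continue
        findings.append({
            "identifier": inst["DBInstanceIdentifier"],
            "status": inst.get("DBInstanceStatus", "unknown"),
        })
    return findings


def remediation_commands(findings: List[Dict[str, str]]) -> Tuple[List[str], List[str]]:
    """Build the page's modify-db-instance command for each finding.

    Instances that are not in the 'available' state are returned separately
    for a re-run rather than given a command, since a modify request is only
    accepted once the instance is available.
    """
    commands, deferred = [], []
    for f in findings:
        if f["status"] == "available":
            commands.append("aws rds modify-db-instance --db-instance-identifier "
                            f"{f['identifier']} --deletion-protection true")
        else:
            deferred.append(f["identifier"])
    return commands, deferred
```

Pipe the real describe output into `find_unprotected` and re-run the audit after the modify commands complete; any identifier in the deferred list needs a second pass once its status returns to available.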
