This rule ensures that RDS clusters have deletion protection enabled to prevent accidental data loss.
| Rule | RDS clusters should have deletion protection enabled |
| --- | --- |
| Framework | NIST 800-171 Revision 2 |
| Severity | ✔ Low |
Rule Description
RDS (Relational Database Service) clusters should have deletion protection enabled to comply with the security requirement from NIST 800-171 Revision 2. Deletion protection is a feature in Amazon RDS that prevents accidental deletion of a database cluster or its snapshots.
Troubleshooting Steps
If deletion protection is not enabled for an RDS cluster, follow the steps below to troubleshoot and enable it:
1. Confirm RDS Cluster Deletion Protection Status: Check whether deletion protection is already enabled for the RDS cluster. In the AWS Management Console, open the RDS service, select the cluster in question and look for the "Deletion protection" attribute on the cluster details page.
2. Verify IAM Permissions: Ensure that the IAM user or role has the necessary permissions to modify the RDS cluster settings. Specifically, the user or role should have the `rds:ModifyDBCluster` permission.
3. Enable Deletion Protection: If deletion protection is not enabled for the RDS cluster, enable it using the AWS Command Line Interface (CLI) or the AWS Management Console.
   a. CLI Method:
      Open a terminal or command prompt and run the following AWS CLI command, replacing `<cluster-identifier>` with the actual identifier of the cluster:
      ```
      aws rds modify-db-cluster --db-cluster-identifier <cluster-identifier> --deletion-protection
      ```
   b. AWS Management Console Method:
4. Verify Deletion Protection: After enabling deletion protection, confirm that it is now enabled for the RDS cluster. Repeat Step 1 and check that the "Deletion protection" attribute shows as enabled.
Code
There are no specific code snippets required for this rule. However, if you prefer automation using AWS CloudFormation, you can use the following resource block in your CloudFormation template to enable deletion protection for an RDS cluster:
```yaml
Resources:
  MyDBCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      ...
      DeletionProtection: true
      ...
```
Replace `MyDBCluster` with the appropriate name of your cluster resource in the CloudFormation template.
Remediation Steps
To remediate the non-compliant RDS clusters and enable deletion protection, follow these steps:
1. Identify the RDS clusters that do not have deletion protection enabled by referring to the compliance report or by manually checking the cluster settings.
2. For each non-compliant cluster, follow the troubleshooting steps above to enable deletion protection. Choose either the CLI or the AWS Management Console method, depending on your preference.
3. Ensure that any relevant IAM users or roles have the necessary permissions to manage the RDS clusters and modify cluster settings.
4. Once deletion protection is enabled, recheck the compliance status by verifying the "Deletion protection" attribute for each RDS cluster.
By following these steps, you will ensure that all RDS clusters adhere to the deletion protection requirement from NIST 800-171 Revision 2.
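As an added example (not code from this rule page), the check this rule performs and the remediation it prescribes, in Python: the audit function runs over the `DBClusters` list that `describe-db-clusters` returns (a constructed sample is embedded), and the remediate function assumes a boto3 RDS client, which the example does not create.

```python
"""Audit RDS clusters for deletion protection and optionally remediate.

Added example, not part of the original rule page. The audit runs over
the DBClusters list that describe-db-clusters returns; remediate() talks
to AWS only when handed a real boto3 RDS client (assumed, not created).
"""
from typing import Any, Iterable

# Constructed sample in the shape of `aws rds describe-db-clusters` output.
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "prod-orders", "DeletionProtection": True},
    {"DBClusterIdentifier": "staging-orders", "DeletionProtection": False},
    {"DBClusterIdentifier": "legacy-reports"},  # key absent: not protected
]


def find_unprotected(clusters: Iterable[dict[str, Any]]) -> list[str]:
    """Return identifiers of clusters whose DeletionProtection is not True.

    A missing key counts as a finding: the rule wants an explicit, verified
    True, so absence of evidence is non-compliance, not a pass.
    """
    return [c["DBClusterIdentifier"] for c in clusters
            if c.get("DeletionProtection") is not True]


def remediation_commands(identifiers: Iterable[str]) -> list[str]:
    """Build the CLI command from the rule page for each finding."""
    return [f"aws rds modify-db-cluster --db-cluster-identifier {i} "
            "--deletion-protection" for i in identifiers]


def remediate(rds_client: Any, identifiers: Iterable[str]) -> dict[str, bool]:
    """Enable deletion protection via the ModifyDBCluster API.

    rds_client is a boto3 RDS client (or a stub with the same method);
    returns {identifier: True if the response confirms protection}.
    """
    results: dict[str, bool] = {}
    for ident in identifiers:
        resp = rds_client.modify_db_cluster(
            DBClusterIdentifier=ident, DeletionProtection=True)
        results[ident] = resp["DBCluster"].get("DeletionProtection") is True
    return results


if __name__ == "__main__":
    findings = find_unprotected(SAMPLE_CLUSTERS)
    print("non-compliant:", findings, *remediation_commands(findings), sep="\n")
```

Because `remediate` only reports success when the API response itself carries `DeletionProtection: True`, it doubles as the verification step of the procedure rather than trusting that the call succeeded.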