
Rule: RDS Clusters Should Have Deletion Protection Enabled

This rule ensures that RDS clusters have deletion protection enabled to prevent accidental data loss.

Rule: RDS clusters should have deletion protection enabled
Framework: NIST 800-171 Revision 2
Severity: Low

Rule Description

RDS (Relational Database Service) clusters should have deletion protection enabled to satisfy the control that this rule maps to in NIST 800-171 Revision 2. Deletion protection is an Amazon RDS cluster setting that causes the service to reject DeleteDBCluster requests, whether they come from the console, the CLI, the API, or infrastructure-as-code tooling, for as long as it is enabled. It does not protect snapshots, and it is not a backup: a principal with rds:ModifyDBCluster can turn the setting off and then delete the cluster, so deletion protection guards against accidental deletion, while IAM permissions and backups guard against malicious or unrecoverable loss. The CreateDBCluster API and the CLI default DeletionProtection to false, so clusters created outside the console usually need it set explicitly.

Troubleshooting Steps

If deletion protection is not enabled for an RDS cluster, follow the steps below to troubleshoot and enable it:

  1. Confirm the cluster's deletion protection status: In the AWS Management Console, open the RDS service, choose Databases, and select the cluster in question. On the cluster details page, the Configuration tab shows the "Deletion protection" attribute as Enabled or Disabled.

  2. Verify IAM permissions: The IAM user or role making the change needs rds:ModifyDBCluster on the cluster (and rds:DescribeDBClusters to read its settings). Keep this permission tightly scoped: the same action that turns deletion protection on also turns it off, so anyone who holds it can remove the safeguard.

  3. Enable deletion protection: Use either the AWS Command Line Interface (CLI) or the AWS Management Console.

    a. CLI method:

    • Run the following command, replacing <cluster-identifier> with the identifier of the cluster:

      aws rds modify-db-cluster --db-cluster-identifier <cluster-identifier> --deletion-protection

    • The --deletion-protection flag sets DeletionProtection to true; its counterpart, --no-deletion-protection, disables it again.

    b. AWS Management Console method:

    • Open the RDS service and choose the cluster.
    • Choose "Modify" on the cluster details page.
    • Under "Deletion protection", select "Enable deletion protection".
    • Choose "Continue", select "Apply immediately", and then choose "Modify cluster".

  4. Verify deletion protection: Repeat step 1 and confirm that the "Deletion protection" attribute now reads Enabled. While it is enabled, an attempt to delete the cluster is rejected with an InvalidParameterCombination error until the setting is turned off.

Code

No application code is required for this rule. If the cluster is managed with AWS CloudFormation, set the DeletionProtection property on the cluster resource so the setting is enforced from the template rather than applied by hand:

Resources:
  MyDBCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      ...
      DeletionProtection: true
      ...

Replace MyDBCluster with the logical name of your cluster resource. Two caveats: with DeletionProtection set to true, a stack deletion that would remove the cluster fails until the property is changed to false and the stack updated; and DeletionProtection is separate from the resource's DeletionPolicy attribute, which controls whether CloudFormation keeps the cluster or takes a final snapshot when the resource is removed from the stack.

Remediation Steps

To remediate the non-compliant RDS clusters and enable deletion protection, follow these steps:

  1. Identify the RDS clusters that do not have deletion protection enabled, from the compliance report or by checking the "Deletion protection" attribute of each cluster.

  2. For each non-compliant cluster, follow the troubleshooting steps above to enable deletion protection, using either the CLI or the AWS Management Console.

  3. Confirm that the IAM users or roles performing the change have rds:ModifyDBCluster on the affected clusters, and that this permission is limited to the principals who should be able to change the setting.

  4. Once deletion protection is enabled, recheck the compliance status by verifying the "Deletion protection" attribute for each RDS cluster.

By following these steps, you will ensure that all RDS clusters adhere to the deletion protection requirement from NIST 800-171 Revision 2.
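To carry out the identification in remediation step 1 and the verification in step 4 across a whole Region rather than one cluster at a time, the following Python script is an added example; it is not part of this rule page or of any AWS tooling. It reads the JSON that aws rds describe-db-clusters prints, lists every cluster whose DeletionProtection is not true, and emits the modify-db-cluster command from the troubleshooting steps for each one. The embedded sample output and cluster identifiers are constructed for the example. The same filter can be applied inline with the CLI's JMESPath option, --query 'DBClusters[?DeletionProtection==`false`].DBClusterIdentifier', but the script also catches a missing attribute and produces the remediation commands.

```python
"""Audit `aws rds describe-db-clusters` output for clusters without deletion protection.

Usage against a live account (requires rds:DescribeDBClusters):
    aws rds describe-db-clusters | python3 audit_rds_deletion_protection.py
The script makes no AWS calls itself; it only parses the JSON it is given.
"""
import json
import shlex
import sys
from typing import Iterable

# Constructed sample of describe-db-clusters output, trimmed to the fields the
# check uses. The cluster identifiers are hypothetical.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBClusters": [
        {"DBClusterIdentifier": "orders-prod", "Engine": "aurora-postgresql",
         "DeletionProtection": True},
        {"DBClusterIdentifier": "analytics-staging", "Engine": "aurora-mysql",
         "DeletionProtection": False},
        # Attribute deliberately absent to exercise the fail-closed branch below.
        {"DBClusterIdentifier": "legacy-reporting", "Engine": "aurora-postgresql"},
    ]
})


def unprotected_clusters(describe_output: str) -> list[str]:
    """Return the identifiers of clusters whose DeletionProtection is not true.

    A missing or non-boolean value is treated as unprotected: an audit must fail
    closed when the attribute it checks is absent.
    """
    data = json.loads(describe_output)
    return sorted(
        cluster["DBClusterIdentifier"]
        for cluster in data.get("DBClusters", [])
        if cluster.get("DeletionProtection") is not True
    )


def remediation_commands(identifiers: Iterable[str]) -> list[str]:
    """Build one `aws rds modify-db-cluster` command per unprotected cluster.

    Identifiers are shell-quoted so the output can be reviewed and then pasted
    into a shell or piped to `sh`.
    """
    return [
        "aws rds modify-db-cluster --db-cluster-identifier "
        f"{shlex.quote(identifier)} --deletion-protection"
        for identifier in identifiers
    ]


def audit(describe_output: str) -> int:
    """Print findings and remediation; return the number of unprotected clusters."""
    findings = unprotected_clusters(describe_output)
    if not findings:
        print("All clusters have deletion protection enabled.")
        return 0
    print(f"{len(findings)} cluster(s) without deletion protection:")
    for identifier, command in zip(findings, remediation_commands(findings)):
        print(f"  {identifier}\n    {command}")
    return len(findings)


if __name__ == "__main__":
    # Read describe-db-clusters JSON from stdin; fall back to the sample for a dry run.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    sys.exit(1 if audit(raw) else 0)
```

The non-zero exit code when any cluster is unprotected makes the script usable as a scheduled or CI check. The AWS CLI paginates describe-db-clusters automatically, so one invocation covers every cluster in the current Region; run it once per Region and account to cover the whole estate, and review the generated commands before executing them.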
