Ensure Rule Compliance: RDS DB Instance Deletion Protection
This rule states that RDS DB instances must have deletion protection enabled to prevent accidental data loss.
| Rule | RDS DB instances should have deletion protection enabled |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ Critical |
Rule Description
RDS (Relational Database Service) DB instances should have deletion protection enabled to comply with the security requirement outlined in the NIST (National Institute of Standards and Technology) 800-53 Revision 5 framework. Deletion protection ensures that accidental or malicious deletions of DB instances are prevented, providing an additional layer of security to safeguard the data stored within the instances.
Enabling deletion protection restricts the ability to delete or modify the DB instance including automated backups, manual snapshots, and Read Replicas. This rule helps to prevent the potential loss of critical data due to accidental deletions or unauthorized actions.
Troubleshooting Steps
If deletion protection is not enabled for an RDS DB instance, follow the troubleshooting steps below:
- 1.Identify the DB instance for which deletion protection is not enabled.
- 2.Verify the current state of deletion protection for the DB instance.
- 3.Enable deletion protection for the DB instance if it is not already enabled.
- 4.Validate that the deletion protection is properly enabled.
Necessary Codes
- 1.To check if deletion protection is enabled for an RDS DB instance:
aws rds describe-db-instances --db-instance-identifier <db_instance_id> --query "DBInstances[].DeletionProtection"
- 1.To enable deletion protection for an RDS DB instance:
aws rds modify-db-instance --db-instance-identifier <db_instance_id> --deletion-protection true
Step-by-Step Guide for Remediation
Follow the steps below to enable deletion protection for an RDS DB instance:
- 1.Log in to the AWS Management Console.
- 2.Navigate to the RDS service.
- 3.Select the appropriate region.
- 4.Click on "DB instances" from the left-hand side menu.
- 5.Identify the DB instance for which deletion protection needs to be enabled.
- 6.Check the current state of deletion protection for the DB instance:
- If deletion protection is already enabled, proceed to step 9.
- If deletion protection is not enabled, continue to step 7.
- 7.Open the AWS CLI or AWS CloudShell.
- 8.Run the following command to enable deletion protection for the DB instance:
Replaceaws rds modify-db-instance --db-instance-identifier <db_instance_id> --deletion-protection true
with the actual identifier of the DB instance.<db_instance_id> - 9.Verify that deletion protection is properly enabled:
- Run the following command to check the deletion protection status:
Replaceaws rds describe-db-instances --db-instance-identifier <db_instance_id> --query "DBInstances[].DeletionProtection"
with the actual identifier of the DB instance.<db_instance_id> - The command should return "true" indicating that deletion protection is enabled.
- 10.Repeat the above steps for any other RDS DB instances that require deletion protection to be enabled.
By following these steps, you can ensure that deletion protection is enabled for RDS DB instances, meeting the NIST 800-53 Revision 5 compliance requirement.