Ensure deletion protection is enabled for RDS DB instances
Rule | RDS DB instances should have deletion protection enabled |
Framework | NIST 800-53 Revision 5 |
Severity | ✔ Critical |
Rule Description:
RDS (Relational Database Service) DB instances should have deletion protection enabled to comply with the NIST 800-53 Revision 5 security control. With deletion protection on, requests to delete the DB instance are rejected until the setting is explicitly turned off, which guards against accidental deletion, preserves critical data and avoids the disruption that losing the database would cause.
Troubleshooting Steps:
If deletion protection is not enabled for an RDS DB instance, follow the steps below to troubleshoot and enable this functionality:
Identify DB Instances: Identify the RDS DB instances for which deletion protection needs to be enabled. This can be done by accessing the AWS Management Console, navigating to the RDS service, and listing the available DB instances.
Verify Permissions: Ensure that you have the necessary permissions to modify the DB instance settings. The IAM user or role associated with your AWS account must have the required permissions to enable deletion protection.
Enable Deletion Protection: To enable deletion protection for an RDS DB instance, follow these steps:
Confirm Changes: Review the modifications before applying them. Ensure that the deletion protection option is set correctly for the intended DB instance.
Apply Changes: Click the "Continue" button to proceed with enabling deletion protection for the RDS DB instance.
Monitor Status: After applying the changes, monitor the status of the RDS DB instance to confirm that deletion protection is successfully enabled. You can observe the changes in the AWS Management Console or utilize automation scripts to check the status programmatically.
Remediation Steps:
Follow the steps described below to remediate the RDS DB instances that do not have deletion protection enabled:
Access the AWS Management Console and navigate to the RDS service.
Identify the RDS DB instances without deletion protection by reviewing the list of available DB instances.
Enable deletion protection for each relevant DB instance by performing the following actions:
Monitor the status of the DB instances to verify the successful enablement of deletion protection.
CLI Command for Remediation:
To remediate RDS DB instances without deletion protection using the AWS Command Line Interface (CLI), follow the steps below:
Open the AWS CLI or configure it with your AWS credentials if not already done.
Execute the following command to enable deletion protection for an RDS DB instance:
aws rds modify-db-instance --db-instance-identifier [DB_INSTANCE_IDENTIFIER] --deletion-protection
Replace [DB_INSTANCE_IDENTIFIER] with the identifier of the DB instance for which you want to enable deletion protection. Note that the AWS CLI expresses this setting as a bare flag (--deletion-protection to enable, --no-deletion-protection to disable) rather than as a "true"/"false" value. Check the command output to confirm that it completes without errors.
Repeat the above steps for each DB instance without deletion protection on your account.
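As an added example (not part of this page), a small Python check that reads the JSON from aws rds describe-db-instances --output json, lists the instances that lack deletion protection, and prints one remediation command per finding. It goes a step beyond the page in routing instances that belong to an Aurora cluster to modify-db-cluster, since for Aurora the setting lives on the cluster; the sample JSON is constructed, not real account data.

```python
"""Audit `aws rds describe-db-instances` output for deletion protection
and emit the remediation commands for the non-compliant instances."""
import json
import shlex

# Constructed sample in the shape of `aws rds describe-db-instances --output json`,
# trimmed to the fields this check reads. Not real account data.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "DeletionProtection": True},
        {"DBInstanceIdentifier": "orders-staging", "DeletionProtection": False},
        {"DBInstanceIdentifier": "reports-aurora-1", "DeletionProtection": False,
         "DBClusterIdentifier": "reports-aurora"},
        {"DBInstanceIdentifier": "legacy-mysql"},  # field absent: treated as unprotected
    ]
})


def find_unprotected(describe_json: str) -> list[dict]:
    """Return the DB instance records whose DeletionProtection is not true.
    A missing field is counted as unprotected so the audit fails closed."""
    instances = json.loads(describe_json).get("DBInstances", [])
    return [i for i in instances if i.get("DeletionProtection") is not True]


def remediation_commands(describe_json: str) -> list[str]:
    """Build one `aws rds modify-...` command per unprotected instance.
    Assumption (not stated on the page): an instance that is a member of an
    Aurora cluster carries the setting on the cluster, so it is remediated
    with modify-db-cluster; members of the same cluster are deduplicated."""
    commands = set()
    for inst in find_unprotected(describe_json):
        cluster = inst.get("DBClusterIdentifier")
        if cluster:
            commands.add("aws rds modify-db-cluster --db-cluster-identifier "
                         f"{shlex.quote(cluster)} --deletion-protection")
        else:
            ident = shlex.quote(inst["DBInstanceIdentifier"])
            commands.add("aws rds modify-db-instance --db-instance-identifier "
                         f"{ident} --deletion-protection")
    return sorted(commands)


if __name__ == "__main__":
    # Feed real output with: aws rds describe-db-instances --output json > instances.json
    for cmd in remediation_commands(SAMPLE_DESCRIBE_OUTPUT):
        print(cmd)
```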
Conclusion:
Enabling deletion protection for RDS DB instances adds an extra layer of security to prevent accidental deletions. By following the troubleshooting steps and executing the necessary remediation actions, you can ensure compliance with the NIST 800-53 Revision 5 security control. Regularly monitor the status of your RDS DB instances to maintain deletion protection and safeguard critical data.