Ensure delete protection is enabled for Amazon Relational Database Service (Amazon RDS) Instances

MEDIUM

Description

Deletion protection ensures that a database instance cannot be deleted until the instance is first modified to disable the setting. It is enabled by default when the 'production' option is chosen during new database instance setup. For more information, see the AWS documentation.
References:
https://aws.amazon.com/about-aws/whats-new/2018/09/amazon-rds-now-provides-database-deletion-protection/

Remediation

In AWS Console -

  1. Sign in to the AWS Console and go to the AWS RDS Console.
  2. In the RDS Dashboard, click on Databases.
  3. Select Modify to modify the instance of your choice.
  4. In the Deletion protection section, select the 'Enable deletion protection' checkbox.

In Terraform -

  1. In the aws_db_instance resource, set the deletion_protection argument to true.
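As an added example (not taken from this page or the Terraform provider documentation), an aws_db_instance left at the default beside the corrected resource; the identifiers, engine, sizes and the db_password variable are assumed placeholder values:

```hcl
# Added example, not from the original page. Names, engine, instance size and
# the db_password variable are assumed placeholders.

# Weak: deletion_protection is not set, so it defaults to false and a
# `terraform destroy` or an accidental console/API delete removes the
# instance and its data immediately.
resource "aws_db_instance" "weak" {
  identifier          = "example-db-weak"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "dbadmin"
  password            = var.db_password
  skip_final_snapshot = true
}

# Corrected: with deletion_protection = true, RDS rejects the delete request
# until the instance is modified to disable protection, which turns deletion
# into a deliberate two-step change that is visible in CloudTrail.
resource "aws_db_instance" "protected" {
  identifier          = "example-db"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "dbadmin"
  password            = var.db_password
  deletion_protection = true

  # Keep a final snapshot so even a deliberate deletion leaves a restore point.
  skip_final_snapshot       = false
  final_snapshot_identifier = "example-db-final"
}

variable "db_password" {
  type      = string
  sensitive = true
}
```

Note that deletion_protection is enforced by the RDS service itself, unlike a Terraform `lifecycle { prevent_destroy = true }` block, which only stops Terraform runs and does nothing against deletes made through the console, CLI or API.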

References:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#deletion_protection

Policy Details

Rule Reference ID: AC_AWS_0063
CSP: AWS
Remediation Available: Yes
Domain: Resilience
Resource: aws_db_instance
Resource Category: Database
Resource Type: DB Instance

Frameworks