
🛡️ AWS RDS Cluster Deletion Protection is not enabled🟢

Description

This policy identifies AWS RDS Clusters that are not configured with Deletion Protection.

When Deletion Protection is enabled, an RDS cluster cannot be deleted through the AWS Management Console, AWS CLI, or API calls. To delete the cluster, Deletion Protection must first be explicitly disabled by modifying the cluster configuration.

Rationale

Accidental deletion of a database cluster poses a significant risk to data availability and business continuity. Administrators or automated processes may inadvertently target the wrong cluster, resulting in irreversible data loss.

Deletion Protection introduces a mandatory safeguard that requires deliberate action before a destructive operation can be performed. This additional control reduces the likelihood of human error and prevents unintended deletions initiated by automation.

When infrastructure-as-code tools such as Terraform or AWS CloudFormation are used, misconfigurations or unexpected changes can trigger resource replacement or deletion. Enabling Deletion Protection prevents the AWS API from executing such destructive commands without prior, intentional configuration changes.


Remediation

Enable Deletion Protection

Deletion Protection prevents an Amazon RDS cluster from being accidentally deleted through the AWS Management Console, AWS CLI, or API. Enabling this setting adds an explicit safeguard against unintended destructive actions.

From Command Line

Run the following command to enable Deletion Protection for the specified RDS cluster:

aws rds modify-db-cluster \
--db-cluster-identifier {{cluster-id}} \
--deletion-protection \
--apply-immediately

Note: Enabling Deletion Protection does not impact cluster availability. To delete the cluster in the future, this setting must first be manually disabled.
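The following script is an added example, not part of this policy page: it applies the check described above to the cluster list returned by DescribeDBClusters (a constructed sample is embedded so the detection logic runs offline) and builds the same modify-db-cluster call as the CLI remediation. The audit_account function, region name and sample cluster identifiers are assumptions for illustration.

```python
"""Detect RDS clusters without Deletion Protection and build the remediation call."""
from typing import Iterable

# Constructed sample shaped like the DBClusters list returned by
# rds:DescribeDBClusters (only the fields this check needs).
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "orders-prod", "Engine": "aurora-postgresql",
     "DeletionProtection": True},
    {"DBClusterIdentifier": "analytics-stage", "Engine": "aurora-mysql",
     "DeletionProtection": False},
    # A response may omit the field; anything that is not True counts as disabled.
    {"DBClusterIdentifier": "legacy-reporting", "Engine": "aurora-mysql"},
]


def unprotected_clusters(clusters: Iterable[dict]) -> list[str]:
    """Return identifiers of clusters whose DeletionProtection is not True."""
    return [c["DBClusterIdentifier"] for c in clusters
            if c.get("DeletionProtection") is not True]


def remediation_args(cluster_id: str) -> dict:
    """Keyword arguments for rds.modify_db_cluster, equivalent to the CLI fix:
    aws rds modify-db-cluster --deletion-protection --apply-immediately."""
    return {"DBClusterIdentifier": cluster_id,
            "DeletionProtection": True,
            "ApplyImmediately": True}


def audit_account(region: str, fix: bool = False) -> list[str]:
    """Paginate over every cluster in a region (assumed helper); optionally fix them."""
    import boto3  # imported here so the pure functions above need no SDK installed
    rds = boto3.client("rds", region_name=region)
    found: list[str] = []
    for page in rds.get_paginator("describe_db_clusters").paginate():
        found.extend(unprotected_clusters(page["DBClusters"]))
    if fix:
        for cluster_id in found:
            rds.modify_db_cluster(**remediation_args(cluster_id))
    return found


if __name__ == "__main__":
    # Offline run against the constructed sample; pass fix=True to audit_account
    # only after confirming the listed clusters are the intended targets.
    print("Unprotected clusters in sample:", unprotected_clusters(SAMPLE_CLUSTERS))
```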


Linked Framework Sections

AWS Foundational Security Best Practices v1.0.0 → [DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled
AWS Foundational Security Best Practices v1.0.0 → [Neptune.4] Neptune DB clusters should have deletion protection enabled
AWS Foundational Security Best Practices v1.0.0 → [RDS.7] RDS clusters should have deletion protection enabled
Cloudaware Framework → Data Protection and Recovery
FedRAMP High Security Controls → CM-2 Baseline Configuration (L)(M)(H)
FedRAMP High Security Controls → CM-2(2) Automation Support for Accuracy and Currency (M)(H)
FedRAMP High Security Controls → CM-3 Configuration Change Control (M)(H)
FedRAMP Low Security Controls → CM-2 Baseline Configuration (L)(M)(H)
FedRAMP Moderate Security Controls → CM-2 Baseline Configuration (L)(M)(H)
FedRAMP Moderate Security Controls → CM-2(2) Automation Support for Accuracy and Currency (M)(H)
FedRAMP Moderate Security Controls → CM-3 Configuration Change Control (M)(H)
NIST CSF v2.0 → DE.CM-01: Networks and network services are monitored to find potentially adverse events
NIST CSF v2.0 → DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
NIST CSF v2.0 → ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked
NIST SP 800-53 Revision 5 → CA-9(1) Internal System Connections | Compliance Checks
NIST SP 800-53 Revision 5 → CM-2 Baseline Configuration
NIST SP 800-53 Revision 5 → CM-2(2) Baseline Configuration | Automation Support for Accuracy and Currency
NIST SP 800-53 Revision 5 → CM-3 Configuration Change Control
NIST SP 800-53 Revision 5 → SC-5(2) Denial-of-service Protection | Capacity, Bandwidth, and Redundancy