🛡️ AWS RDS Instance Deletion Protection is not enabled🟢

Description

This policy identifies AWS RDS Instances that do not have deletion protection enabled. Deletion protection helps safeguard database instances from accidental or unintended deletion.

Rationale

Accidental deletion of a database instance can result in permanent data loss and prolonged service downtime. Although Amazon RDS supports automated backups and snapshots, restoring a database from backups can be time-consuming and may negatively impact recovery time objectives (RTO).

Enabling deletion protection adds an additional layer of operational safety. When deletion protection is enabled, any attempt to delete the database instance is blocked. An administrator must first explicitly disable deletion protection before proceeding with the deletion. This two-step, intentional process helps prevent accidental deletions caused by human error or misconfigured automation.

Audit

This policy flags an AWS RDS Instance as INCOMPLIANT if Deletion Protection is not set to true.

RDS Instances are marked as INAPPLICABLE if they meet any of the following conditions:

... see more

Remediation

Enable Deletion Protection

To prevent accidental deletion of Amazon RDS instances, enable the Deletion Protection feature on existing database instances.

From Command Line

Run the following command to enable deletion protection for the specified RDS instance:

aws rds modify-db-instance \
--region {{region}} \
--db-instance-identifier {{instance-id}} \
--deletion-protection \
--apply-immediately

Considerations
  • The --apply-immediately parameter applies the change as soon as possible and also applies any pending modifications.
  • Enabling deletion protection itself does not require downtime; however, applying other pending modifications may result in a brief service interruption.
  • If the --apply-immediately parameter is omitted, the change is applied during the next scheduled maintenance window.
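The following is an added example, not part of the policy page or the Cloudaware product, showing the Audit logic above (flag an instance as INCOMPLIANT unless DeletionProtection is reported as true) evaluated offline over a constructed describe-db-instances payload, together with a builder for the CLI remediation command shown above. The page elides its list of INAPPLICABLE conditions; the one condition used here (instances that belong to an Aurora cluster, where deletion protection is set at the cluster level) is an assumption made for this example, as are the sample instance names and region.

```python
"""Offline evaluation of the "RDS instance deletion protection" check.

Input is the `DBInstances` list shape returned by
`aws rds describe-db-instances` (boto3: rds.describe_db_instances()).
The sample payload below is constructed for this example.
"""
import shlex
from typing import Dict, List

# Constructed sample: what describe-db-instances returns, trimmed to the
# fields this check needs. Names and region are made up.
SAMPLE_DB_INSTANCES: List[Dict] = [
    {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres",
     "DBInstanceStatus": "available", "DeletionProtection": True},
    {"DBInstanceIdentifier": "orders-staging", "Engine": "mysql",
     "DBInstanceStatus": "available", "DeletionProtection": False},
    {"DBInstanceIdentifier": "legacy-reporting", "Engine": "mariadb",
     "DBInstanceStatus": "available"},              # field absent -> not enabled
    {"DBInstanceIdentifier": "aurora-node-1", "Engine": "aurora-postgresql",
     "DBInstanceStatus": "available", "DeletionProtection": False,
     "DBClusterIdentifier": "aurora-prod"},          # assumption: cluster-level setting
]


def evaluate_instance(instance: Dict) -> str:
    """Return COMPLIANT, INCOMPLIANT or INAPPLICABLE for one DB instance.

    The page elides its list of INAPPLICABLE conditions; the single condition
    used here (members of an Aurora cluster, where deletion protection is a
    cluster-level attribute) is an assumption made for this example.
    """
    if instance.get("DBClusterIdentifier"):
        return "INAPPLICABLE"
    # A missing key is treated like False: protection only counts as enabled
    # when the API explicitly reports True.
    if instance.get("DeletionProtection") is True:
        return "COMPLIANT"
    return "INCOMPLIANT"


def evaluate_all(instances: List[Dict]) -> Dict[str, str]:
    """Map each DBInstanceIdentifier to its evaluation result."""
    return {i["DBInstanceIdentifier"]: evaluate_instance(i) for i in instances}


def remediation_command(region: str, instance_id: str,
                        apply_immediately: bool = True) -> List[str]:
    """Build the argv for the CLI remediation shown on this page.

    Returned as a list so it can be handed to subprocess.run without shell
    quoting issues; drop --apply-immediately to defer to the maintenance window.
    """
    argv = ["aws", "rds", "modify-db-instance",
            "--region", region,
            "--db-instance-identifier", instance_id,
            "--deletion-protection"]
    if apply_immediately:
        argv.append("--apply-immediately")
    return argv


def remediation_plan(instances: List[Dict], region: str) -> List[str]:
    """One shell-safe command line per INCOMPLIANT instance (not executed here)."""
    return [shlex.join(remediation_command(region, i["DBInstanceIdentifier"]))
            for i in instances if evaluate_instance(i) == "INCOMPLIANT"]


if __name__ == "__main__":
    for ident, result in evaluate_all(SAMPLE_DB_INSTANCES).items():
        print(f"{ident:20} {result}")
    print()
    for cmd in remediation_plan(SAMPLE_DB_INSTANCES, "us-east-1"):
        print(cmd)
```

To run this against a real account, replace SAMPLE_DB_INSTANCES with the `DBInstances` list from `aws rds describe-db-instances --region <region>` (or boto3's paginated equivalent); the plan is printed rather than executed so an operator can review which instances will be modified before any change is applied.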

Linked Framework Sections

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.8] RDS DB instances should have deletion protection enabled1no data
💼 Cloudaware Framework → 💼 Data Protection and Recovery23no data
💼 FedRAMP High Security Controls → 💼 CM-3 Configuration Change Control (M)(H)441no data
💼 FedRAMP Moderate Security Controls → 💼 CM-3 Configuration Change Control (M)(H)224no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events178no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events179no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked49no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3 Configuration Change Control81741no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-5(2) Denial-of-service Protection _ Capacity, Bandwidth, and Redundancy24no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-13(5) Predictable Failure Prevention _ Failover Capability19no data