Amazon RDS

RDS Deletion Protection Disabled

This plugin ensures deletion protection is enabled for RDS database instances.

Risk Level: High

Description

This plugin ensures deletion protection is enabled for RDS database instances. Since the RDS database can have critical data for the application, it is necessary to enable Deletion protection to prevent it from being deleted accidentally by any user.

About the Service

Amazon RDS: Amazon RDS is a scalable relational database service for the cloud. It provides a fast, secure and highly scalable database server. As explained by the AWS docs, Amazon RDS is a managed relational database service that provides you with six familiar database engines to choose from, including Amazon Aurora, MySQL, MariaDB, Oracle, Microsoft SQL Server, and PostgreSQL.

Impact

Since the RDS database can have critical data for the application, it is necessary to enable Deletion protection to prevent it from being deleted accidentally by any user. While Deletion protection is enabled, the database cannot be deleted.

Steps to Reproduce

Using AWS Console-

  1. Log In to your AWS Console.
  2. Open the Amazon RDS Console. You can use this link (https://console.aws.amazon.com/rds/) to navigate directly if already logged in.
  3. From the left navigation pane, click on Databases.
  4. A list of databases will be displayed. Select the database you want to examine by clicking on its DB Identifier.
  5. Move to the Configuration tab.
  6. In the Configuration section, scroll down to find Deletion Protection. If it is disabled, the vulnerability exists.
  7. Repeat steps 3 to 6 for all the database instances you wish to examine.


Steps for Remediation

  1. Log In to your AWS Console.
  2. Open the Amazon RDS Console. You can use this link (https://console.aws.amazon.com/rds/) to navigate directly if already logged in.
  3. From the left navigation pane, click on Databases.
  4. A list of databases will be displayed. Select the vulnerable database by clicking on its DB Identifier.
  5. Click on Modify from the top-right corner.
  6. Scroll down to the end of the page and enable the Deletion Protection policy by checking the checkbox. Click on Continue after making the changes.
  7. Repeat steps 3 to 6 for all the vulnerable database instances.
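The same check and remediation can be scripted instead of clicked through the console. The following is an added example, not part of this plugin's code: it evaluates the JSON that `aws rds describe-db-instances` and `aws rds describe-db-clusters` return (the records here are constructed samples), treats a missing flag as disabled, defers Aurora members to their cluster's flag since deletion protection is a cluster setting there, and builds the matching `modify-db-instance` / `modify-db-cluster` call for each finding.

```python
"""Added example (not the plugin's code): check RDS deletion protection offline
from describe-db-instances / describe-db-clusters output. Sample records constructed."""
import json

# Constructed samples in the shape the two AWS API calls return.
SAMPLE_INSTANCES = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres", "DeletionProtection": true},
  {"DBInstanceIdentifier": "orders-staging", "Engine": "mysql", "DeletionProtection": false},
  {"DBInstanceIdentifier": "reports-aurora-1", "Engine": "aurora-mysql",
   "DBClusterIdentifier": "reports-aurora", "DeletionProtection": false},
  {"DBInstanceIdentifier": "legacy-mariadb", "Engine": "mariadb"}
]}""")
SAMPLE_CLUSTERS = json.loads("""
{"DBClusters": [{"DBClusterIdentifier": "reports-aurora", "Engine": "aurora-mysql",
                 "DeletionProtection": true}]}""")


def unprotected_databases(instances: dict, clusters: dict) -> list:
    """Return [{"scope", "id"}] for databases whose effective protection is off.

    Aurora members defer to the cluster flag (the only one that matters there),
    so the cluster is reported once instead of each member. A missing
    DeletionProtection key counts as disabled, so the check fails closed.
    """
    cluster_flag = {c["DBClusterIdentifier"]: c.get("DeletionProtection", False)
                    for c in clusters.get("DBClusters", [])}
    findings, seen = [], set()
    for inst in instances.get("DBInstances", []):
        cluster = inst.get("DBClusterIdentifier")
        if cluster is not None:
            scope, ident, protected = "cluster", cluster, cluster_flag.get(cluster, False)
        else:
            scope, ident = "instance", inst["DBInstanceIdentifier"]
            protected = inst.get("DeletionProtection", False)
        if not protected and (scope, ident) not in seen:
            seen.add((scope, ident))
            findings.append({"scope": scope, "id": ident})
    return findings


def remediation_command(finding: dict) -> str:
    """CLI call that turns deletion protection on for one finding."""
    if finding["scope"] == "cluster":
        return (f"aws rds modify-db-cluster --db-cluster-identifier {finding['id']}"
                " --deletion-protection --apply-immediately")
    return (f"aws rds modify-db-instance --db-instance-identifier {finding['id']}"
            " --deletion-protection --apply-immediately")
```

Feed it live output (for example `aws rds describe-db-instances --output json`) to get the same finding list for a real account; the generated commands are only printed, not executed.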