More Info:

Amazon Aurora databases should be protected from accidental deletion. This is done by enabling the Deletion Protection feature at the database cluster level.

Risk Level

Medium

Address

Operational Maturity, Reliability, Security

Compliance Standards

HIPAA

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of “Cluster Deletion Protection Should Be Enabled” for an AWS RDS cluster using the AWS Management Console, follow these step-by-step instructions:
  1. Sign in to the AWS Management Console: Go to https://aws.amazon.com/ and sign in to your AWS account.
  2. Navigate to the RDS Service: Click on the “Services” dropdown menu at the top of the console, and then select “RDS” under the Database category.
  3. Select the RDS Cluster: From the list of RDS clusters, select the cluster for which you want to enable deletion protection by clicking on its name.
  4. Enable Deletion Protection: In the cluster details page, click on the “Modify” button located at the top of the page.
  5. Enable Deletion Protection Option: Scroll down to the “Backup” section of the Modify Cluster page, and locate the “Deletion protection” option.
  6. Check the Box: Check the box next to “Enable deletion protection” to enable this feature for the RDS cluster.
  7. Save Changes: Scroll to the bottom of the page and click on the “Continue” button.
  8. Apply Changes: Review the changes you have made, and then click on the “Modify cluster” button to apply the changes.
  9. Verify Deletion Protection: Once the modification is complete, go back to the cluster details page, and confirm that the “Deletion protection” status is now enabled for the RDS cluster.
By following these steps, you have successfully enabled deletion protection for the AWS RDS cluster, ensuring that accidental deletion of the cluster is prevented.

Using CLI

To remediate the misconfiguration “Cluster Deletion Protection Should Be Enabled” for an AWS RDS cluster using AWS CLI, follow these steps:
  1. Open the AWS CLI and run the following command to enable deletion protection for the RDS cluster:
    aws rds modify-db-cluster --db-cluster-identifier your-cluster-name --deletion-protection
    
    Replace your-cluster-name with the actual identifier of your RDS cluster.
  2. After running the command, AWS will return the configuration details of the modified RDS cluster. Verify that the DeletionProtection parameter is set to true to confirm that deletion protection has been enabled successfully.
  3. You can also verify the deletion protection status of the RDS cluster by running the following command:
    aws rds describe-db-clusters --db-cluster-identifier your-cluster-name
    
    Replace your-cluster-name with the actual identifier of your RDS cluster.
  4. Check the output of the command to ensure that the DeletionProtection parameter is set to true.
By following these steps, you can remediate the misconfiguration “Cluster Deletion Protection Should Be Enabled” for an AWS RDS cluster using AWS CLI.

Using Python

To remediate the misconfiguration of Cluster Deletion Protection not being enabled for an AWS RDS cluster using Python, you can follow these steps:
  1. Import the necessary libraries:
    import boto3

  2. Initialize the RDS client:
    rds_client = boto3.client('rds')

  3. Identify the RDS cluster for which you want to enable deletion protection. You can specify the cluster identifier or use describe_db_clusters to list all clusters and choose the one you want to update.
  4. Enable deletion protection for the identified RDS cluster:
    response = rds_client.modify_db_cluster(
        DBClusterIdentifier='your-cluster-identifier',
        DeletionProtection=True
    )

  5. Verify the modification was successful:
    response = rds_client.describe_db_clusters(
        DBClusterIdentifier='your-cluster-identifier'
    )

    if response['DBClusters'][0]['DeletionProtection']:
        print('Deletion protection has been successfully enabled for the RDS cluster.')
    else:
        print('Failed to enable deletion protection for the RDS cluster.')
By following these steps, you can remediate the misconfiguration of Cluster Deletion Protection not being enabled for an AWS RDS cluster using Python.
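
The steps above handle one cluster at a time. The following is an added example, not part of the original page, that extends the same boto3 calls to audit every Aurora cluster in a region and enable deletion protection where it is off. The function names, the dry_run flag and the Engine prefix filter are assumptions of this example.

```python
"""Audit Aurora clusters for deletion protection and optionally enable it."""


def find_unprotected_clusters(rds_client, engine_prefix="aurora"):
    """Return identifiers of clusters whose DeletionProtection is off."""
    unprotected = []
    # describe_db_clusters is paginated; walk every page, not just the first.
    paginator = rds_client.get_paginator("describe_db_clusters")
    for page in paginator.paginate():
        for cluster in page["DBClusters"]:
            # Assumption of this example: only Aurora engines are in scope
            # (Engine values such as aurora-mysql, aurora-postgresql).
            if not cluster.get("Engine", "").startswith(engine_prefix):
                continue
            if not cluster.get("DeletionProtection", False):
                unprotected.append(cluster["DBClusterIdentifier"])
    return unprotected


def remediate(rds_client, dry_run=True):
    """Enable deletion protection where missing; return {cluster_id: status}."""
    results = {}
    for cluster_id in find_unprotected_clusters(rds_client):
        if dry_run:
            # Report only; nothing is modified.
            results[cluster_id] = "would-enable"
            continue
        try:
            resp = rds_client.modify_db_cluster(
                DBClusterIdentifier=cluster_id, DeletionProtection=True
            )
            ok = resp["DBCluster"].get("DeletionProtection", False)
            results[cluster_id] = "enabled" if ok else "not-applied"
        except Exception as exc:  # e.g. a ClientError when permissions are missing
            # Record the failure and keep going so one cluster does not stop the run.
            results[cluster_id] = f"error: {exc}"
    return results


if __name__ == "__main__":
    import boto3  # imported here so the functions above can be exercised with a stub

    client = boto3.client("rds")
    for cluster_id, status in remediate(client, dry_run=True).items():
        print(f"{cluster_id}: {status}")
```

Run it with dry_run=True first to see which clusters would change, then call remediate(client, dry_run=False) to apply.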

Additional Reading: