Cluster Deletion Protection Should Be Enabled
More Info:
Amazon Aurora DB clusters should be protected from accidental deletion by enabling the Deletion Protection feature at the DB cluster level. While the flag is set, DeleteDBCluster requests from the console, CLI, API or infrastructure-as-code tooling are rejected. The flag is a guard against mistakes rather than a security boundary: any principal allowed to call rds:ModifyDBCluster can clear it and then delete the cluster, so combine it with least-privilege IAM on ModifyDBCluster and DeleteDBCluster and with CloudTrail monitoring for changes to the flag.
Risk Level
Medium
Address
Operational Maturity, Reliability, Security
Compliance Standards
HIPAA
Triage and Remediation
Remediation
To remediate the misconfiguration “Cluster Deletion Protection Should Be Enabled” for an Amazon RDS (Aurora) DB cluster using the AWS Management Console, follow these step-by-step instructions:
- Sign in to the AWS Management Console: go to https://console.aws.amazon.com/ and sign in with a principal that is allowed to call rds:ModifyDBCluster.
- Navigate to the RDS service: open the “Services” menu at the top of the console and select “RDS” under the Database category.
- Select the DB cluster: choose “Databases” in the left navigation, then click the name of the cluster (the cluster row, not one of its instances) that you want to protect.
- Open the modify page: on the cluster details page, click the “Modify” button at the top of the page.
- Locate the setting: scroll down to “Deletion protection” (it sits under Additional configuration, after the Backup settings).
- Check the box next to “Enable deletion protection”.
- Scroll to the bottom of the page and click “Continue”.
- Review the summary of modifications, choose “Apply immediately” so the change does not wait for the next maintenance window, and click “Modify cluster”.
- Verify: return to the cluster details page and confirm that “Deletion protection” now shows Enabled.
By following these steps you have enabled deletion protection for the DB cluster; subsequent delete requests from the console, CLI or API are rejected until the flag is cleared again.
To remediate the misconfiguration “Cluster Deletion Protection Should Be Enabled” for an Amazon RDS (Aurora) DB cluster using the AWS CLI, follow these steps:
- Run the following command to enable deletion protection for the cluster (the inverse flag, --no-deletion-protection, is what clears it, so restrict who can run modify-db-cluster):
aws rds modify-db-cluster --db-cluster-identifier your-cluster-name --deletion-protection --apply-immediately
Replace your-cluster-name with the actual identifier of your DB cluster.
- After the command runs, AWS returns the configuration of the modified cluster. Verify that the DeletionProtection field in the output is true to confirm that deletion protection has been enabled.
- You can also read the status back independently of the modify response:
aws rds describe-db-clusters --db-cluster-identifier your-cluster-name
Replace your-cluster-name with the actual identifier of your DB cluster.
- Check the DBClusters[0].DeletionProtection field in the output and confirm it is true.
By following these steps you have remediated the misconfiguration “Cluster Deletion Protection Should Be Enabled” for the DB cluster using the AWS CLI.
To remediate the misconfiguration of Cluster Deletion Protection not being enabled for an Amazon RDS (Aurora) DB cluster using Python, the same two API calls are used: ModifyDBCluster to set the flag and DescribeDBClusters to read it back.
- Import boto3 and initialize the RDS client:
import boto3

rds_client = boto3.client('rds')
- Identify the DB cluster for which you want to enable deletion protection. Either specify the cluster identifier directly or call rds_client.describe_db_clusters() to list all clusters in the region and choose the one to update.
- Enable deletion protection for the identified cluster:
response = rds_client.modify_db_cluster(
    DBClusterIdentifier='your-cluster-identifier',
    DeletionProtection=True,
    ApplyImmediately=True  # do not wait for the next maintenance window
)
- Verify the modification by reading the cluster back rather than trusting the echo returned by modify_db_cluster:
response = rds_client.describe_db_clusters(
    DBClusterIdentifier='your-cluster-identifier'
)
if response['DBClusters'][0]['DeletionProtection']:
    print('Deletion protection has been successfully enabled for the RDS cluster.')
else:
    print('Failed to enable deletion protection for the RDS cluster.')
By following these steps you have remediated the misconfiguration of Cluster Deletion Protection not being enabled for the DB cluster using Python.
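The console, CLI and Python procedures above fix one cluster at a time. As an added example (not code from the original page), the following boto3 script generalises the check to a whole region: it walks the paginated DescribeDBClusters output, flags every cluster whose DeletionProtection is not true (a missing key counts as unprotected), and optionally remediates each one with ModifyDBCluster followed by a fresh read to confirm. The cluster names in SAMPLE_PAGES are constructed sample data and _FakeRds is a hypothetical stand-in for the boto3 RDS client so the script runs offline; main() is the live-account path.

```python
"""Region-wide audit and remediation of DB-cluster deletion protection.
Added example, not the page's own code. SAMPLE_PAGES is constructed sample data
and _FakeRds a stand-in for boto3's RDS client, so the logic runs offline;
main() talks to the real DescribeDBClusters / ModifyDBCluster APIs via boto3.
"""
from typing import Any, Dict, Iterable, List, Optional


def unprotected_clusters(pages: Iterable[Dict[str, Any]]) -> List[str]:
    """Identifiers of clusters whose DeletionProtection is not True.
    `pages` are DescribeDBClusters responses (one dict per paginator page).
    A missing key counts as unprotected: flag what cannot be confirmed."""
    flagged = []
    for page in pages:
        for cluster in page.get("DBClusters", []):
            if cluster.get("DeletionProtection") is not True:
                flagged.append(cluster["DBClusterIdentifier"])
    return flagged


def is_protected(describe_response: Dict[str, Any], identifier: str) -> bool:
    """Read the flag for `identifier` out of a DescribeDBClusters response."""
    for cluster in describe_response.get("DBClusters", []):
        if cluster["DBClusterIdentifier"] == identifier:
            return cluster.get("DeletionProtection") is True
    raise KeyError(f"cluster {identifier!r} not present in response")


def remediate(rds: Any, identifiers: Iterable[str],
              dry_run: bool = True) -> Dict[str, bool]:
    """Enable deletion protection on each cluster and re-read it to confirm.
    Returns {identifier: protected_after}. With dry_run=True nothing is
    modified and every value is False, so the list can be reviewed first."""
    results: Dict[str, bool] = {}
    for ident in identifiers:
        if dry_run:
            results[ident] = False
            continue
        rds.modify_db_cluster(
            DBClusterIdentifier=ident,
            DeletionProtection=True,
            ApplyImmediately=True,  # do not wait for the maintenance window
        )
        # Verify from a fresh read, not from the echo ModifyDBCluster returns.
        after = rds.describe_db_clusters(DBClusterIdentifier=ident)
        results[ident] = is_protected(after, ident)
    return results


# Constructed sample data shaped like two pages of DescribeDBClusters output.
SAMPLE_PAGES: List[Dict[str, Any]] = [
    {"DBClusters": [
        {"DBClusterIdentifier": "orders-aurora-prod",
         "Engine": "aurora-postgresql", "DeletionProtection": True},
        {"DBClusterIdentifier": "analytics-aurora-dev",
         "Engine": "aurora-mysql", "DeletionProtection": False},
    ]},
    {"DBClusters": [
        # Key absent: treated as unprotected rather than silently passed.
        {"DBClusterIdentifier": "legacy-cluster", "Engine": "aurora-mysql"},
    ]},
]


class _FakeRds:
    """Minimal offline stand-in for the two boto3 RDS calls used above."""

    def __init__(self, pages: Iterable[Dict[str, Any]]) -> None:
        self._clusters = {c["DBClusterIdentifier"]: dict(c)
                          for p in pages for c in p["DBClusters"]}

    def modify_db_cluster(self, DBClusterIdentifier: str,
                          DeletionProtection: bool, **_: Any) -> Dict[str, Any]:
        self._clusters[DBClusterIdentifier]["DeletionProtection"] = DeletionProtection
        return {"DBCluster": dict(self._clusters[DBClusterIdentifier])}

    def describe_db_clusters(self, DBClusterIdentifier: Optional[str] = None,
                             **_: Any) -> Dict[str, Any]:
        return {"DBClusters": [dict(c) for k, c in self._clusters.items()
                               if DBClusterIdentifier in (None, k)]}


def main(region: str = "us-east-1", fix: bool = False) -> Dict[str, bool]:
    """Audit one region with boto3; pass fix=True to actually remediate."""
    import boto3  # imported here so the offline demo does not require it
    rds = boto3.client("rds", region_name=region)
    flagged = unprotected_clusters(
        rds.get_paginator("describe_db_clusters").paginate())
    return remediate(rds, flagged, dry_run=not fix)


if __name__ == "__main__":
    fake = _FakeRds(SAMPLE_PAGES)
    found = unprotected_clusters([fake.describe_db_clusters()])
    print("flagged:", found, "after fix:", remediate(fake, found, dry_run=False))
```

Run the file as-is for the offline demo; call main(region, fix=True) with credentials that hold rds:DescribeDBClusters and rds:ModifyDBCluster to remediate a live region. The dry-run default is deliberate: ModifyDBCluster is the same call that clears the flag, so the list of clusters being touched deserves a review before the write, and a CloudTrail alert on ModifyDBCluster events that turn deletion protection off is the natural companion control.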