DocumentDB Cluster Should Have Deletion Protection Enabled
More Info:
Checks whether an Amazon DocumentDB (with MongoDB compatibility) cluster has deletion protection enabled. The rule is NON_COMPLIANT if the cluster's deletionProtection field is set to false. With deletion protection on, DeleteDBCluster requests from the console, CLI, SDKs and CloudFormation are rejected until the flag is cleared again. It is a guard against accidental or unauthorized deletion, not a substitute for backups: a principal allowed rds:ModifyDBCluster (DocumentDB uses the rds: IAM action prefix) can disable it and then delete the cluster, so the permission to modify clusters should be scoped as tightly as the permission to delete them.
Risk Level
High
Address
Configuration
Compliance Standards
NIST,CBP
Triage and Remediation
Remediation
To remediate a DocumentDB cluster that does not have deletion protection enabled, follow these steps in the AWS Management Console (Amazon DocumentDB is its own service with its own console, not part of RDS):
- Sign in to the AWS Management Console: Go to https://aws.amazon.com/ and sign in to your AWS account.
- Navigate to the Amazon DocumentDB Console: Open the "Services" menu at the top of the page and select "Amazon DocumentDB" under the Database category.
- Select the DocumentDB Cluster: In the Clusters list, locate the cluster you want to protect and click its name to open its details.
- Open the Modify page: On the cluster details page, click "Modify".
- Find the Deletion Protection Option: Scroll to the "Deletion protection" section of the Modify cluster page.
- Enable Deletion Protection: Select "Enable deletion protection".
- Save Changes: Scroll to the bottom of the page and click "Modify cluster" to save the change.
- Verify Deletion Protection: Once the modification completes, return to the cluster details page and confirm that deletion protection is shown as enabled.
By following these steps, you have enabled deletion protection for the DocumentDB cluster using the AWS Management Console.
To remediate a DocumentDB cluster that does not have deletion protection enabled using the AWS CLI, follow these steps:
- Install and Configure AWS CLI: If you haven't already, install the AWS CLI and configure it with the necessary credentials by running:
```
aws configure
```
Follow the prompts to input your AWS Access Key ID, Secret Access Key, default region, and default output format. Short-lived credentials from an assumed role or an SSO session are preferable to long-lived access keys on an engineer's workstation.
- Enable Deletion Protection for the DocumentDB Cluster: Run the following command (note the `docdb` command namespace, not `rds`):
```
aws docdb modify-db-cluster --db-cluster-identifier YOUR_CLUSTER_IDENTIFIER --deletion-protection
```
Replace YOUR_CLUSTER_IDENTIFIER with the actual identifier of your DocumentDB cluster. The caller needs the rds:ModifyDBCluster permission on that cluster.
- Verify the Deletion Protection Status: Read the setting back from the cluster rather than trusting the modify call's response:
```
aws docdb describe-db-clusters --db-cluster-identifier YOUR_CLUSTER_IDENTIFIER --query 'DBClusters[0].DeletionProtection'
```
Ensure that the output is `true`.
By following these steps, you have remediated the misconfiguration of a DocumentDB cluster not having deletion protection enabled using the AWS CLI.
To remediate the misconfiguration of not having deletion protection enabled for an Amazon DocumentDB cluster using Python, use the AWS SDK for Python (boto3) to update the cluster configuration. Here are the step-by-step instructions:
- Install the AWS SDK for Python (boto3) if you haven't already:
```
pip install boto3
```
- Create a Python script with the following code to enable deletion protection for the DocumentDB cluster and read the setting back:
```python
import boto3

# Initialize the DocumentDB client. Credentials and region come from the standard
# boto3 configuration chain (environment variables, shared config, or an instance role).
client = boto3.client('docdb')

# Specify the DocumentDB cluster identifier
cluster_identifier = 'your-cluster-identifier'

# Enable deletion protection for the DocumentDB cluster
response = client.modify_db_cluster(
    DBClusterIdentifier=cluster_identifier,
    DeletionProtection=True
)

# Confirm the change by describing the cluster instead of trusting the modify response
cluster = client.describe_db_clusters(DBClusterIdentifier=cluster_identifier)['DBClusters'][0]
print(cluster['DBClusterIdentifier'], 'DeletionProtection =', cluster['DeletionProtection'])
```
- Replace 'your-cluster-identifier' with the actual identifier of your DocumentDB cluster.
- Run the Python script. This enables deletion protection for the specified DocumentDB cluster and prints the resulting setting.
After following these steps, deletion protection will be enabled for your Amazon DocumentDB cluster, preventing accidental deletion of the cluster.
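The console, CLI and boto3 procedures above each fix one cluster whose identifier you already know. The script below, added here as an example and not part of the original page or of any AWS tooling, covers the audit side of the rule as well: it pages through describe_db_clusters, restricts the results to the docdb engine (the DocumentDB describe call can also return Amazon RDS and Neptune clusters, so an unfiltered audit would flag the wrong resources), lists every cluster whose DeletionProtection is not true, enables it unless running in dry-run mode, and re-reads the clusters to confirm. The FakeDocDBClient stand-in, the SAMPLE_CLUSTERS inventory and the cluster names in it are constructed so the script runs offline; passing a real boto3.client('docdb') in place of the fake client runs the same functions against your account.

```python
"""Audit Amazon DocumentDB clusters for deletion protection and optionally enable it.
Added example; the client object only needs describe_db_clusters and modify_db_cluster."""
from typing import Iterable

# Only DocumentDB clusters are in scope; the describe call can also return RDS/Neptune rows.
DOCDB_ONLY = [{"Name": "engine", "Values": ["docdb"]}]


def unprotected_clusters(clusters: Iterable[dict]) -> list:
    """Identifiers of clusters that are NON_COMPLIANT with the rule.

    A missing DeletionProtection key is treated as non-compliant so that an
    unexpected response shape fails closed instead of silently passing the check.
    """
    return [c["DBClusterIdentifier"] for c in clusters
            if c.get("DeletionProtection") is not True]


def list_docdb_clusters(client) -> list:
    """Page through describe_db_clusters using the Marker token until it is absent."""
    clusters, kwargs = [], {"Filters": DOCDB_ONLY}
    while True:
        resp = client.describe_db_clusters(**kwargs)
        clusters.extend(resp.get("DBClusters", []))
        if not resp.get("Marker"):
            return clusters
        kwargs["Marker"] = resp["Marker"]


def enable_deletion_protection(client, identifiers: Iterable[str], dry_run: bool = True) -> list:
    """Enable deletion protection on each cluster; returns what was (or would be) changed."""
    changed = []
    for ident in identifiers:
        if not dry_run:
            client.modify_db_cluster(DBClusterIdentifier=ident, DeletionProtection=True)
        changed.append(ident)
    return changed


def audit_and_remediate(client, dry_run: bool = True) -> dict:
    """Find non-compliant clusters, remediate them, and re-read the inventory to verify."""
    findings = unprotected_clusters(list_docdb_clusters(client))
    enable_deletion_protection(client, findings, dry_run=dry_run)
    after = {c["DBClusterIdentifier"]: c.get("DeletionProtection", False)
             for c in list_docdb_clusters(client)}
    return {"non_compliant_before": findings,
            "still_non_compliant": [i for i in findings if not after.get(i)]}


class FakeDocDBClient:
    """Constructed offline stand-in for boto3.client('docdb'): mimics the two calls used
    above, including Marker-based paging and the engine filter (hypothetical, for demo)."""

    def __init__(self, clusters: list, page_size: int = 2):
        self._clusters = [dict(c) for c in clusters]  # copy so the sample stays pristine
        self._page_size = page_size

    def describe_db_clusters(self, **kwargs):
        engines = {e for f in kwargs.get("Filters", []) if f["Name"] == "engine"
                   for e in f["Values"]}
        rows = [c for c in self._clusters if not engines or c["Engine"] in engines]
        start = int(kwargs.get("Marker", 0))
        page = rows[start:start + self._page_size]
        resp = {"DBClusters": page}
        if start + self._page_size < len(rows):
            resp["Marker"] = str(start + self._page_size)
        return resp

    def modify_db_cluster(self, DBClusterIdentifier, DeletionProtection, **kwargs):
        for c in self._clusters:
            if c["DBClusterIdentifier"] == DBClusterIdentifier:
                c["DeletionProtection"] = DeletionProtection
                return {"DBCluster": dict(c)}
        raise ValueError("DBClusterNotFoundFault: " + DBClusterIdentifier)


# Constructed sample inventory: one compliant DocumentDB cluster, two non-compliant ones
# (explicit false and missing field), and an Aurora cluster the engine filter must exclude.
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "docdb-prod", "Engine": "docdb", "DeletionProtection": True},
    {"DBClusterIdentifier": "docdb-dev", "Engine": "docdb", "DeletionProtection": False},
    {"DBClusterIdentifier": "docdb-test", "Engine": "docdb"},
    {"DBClusterIdentifier": "aurora-pg", "Engine": "aurora-postgresql", "DeletionProtection": False},
]

if __name__ == "__main__":
    # Dry run first; replace the fake with boto3.client("docdb") and dry_run=False to enforce.
    print(audit_and_remediate(FakeDocDBClient(SAMPLE_CLUSTERS), dry_run=True))
```

Run it once with dry_run=True to get the list of non-compliant clusters for review, then with dry_run=False to enforce; the returned still_non_compliant list should be empty afterwards, and any identifier left in it means the modify call did not take effect and deserves a manual look.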