Instance Deletion Protection Should Be Enabled
More Info:
Amazon RDS provides a Deletion Protection flag which should be enabled to prevent accidental deletion of the database.
Risk Level
Medium
Address
Operational Maturity, Reliability, Security
Compliance Standards
NIST
Triage and Remediation
Remediation
To remediate the misconfiguration of “Instance Deletion Protection Should Be Enabled” for an AWS RDS instance using the AWS Management Console, follow these step-by-step instructions:
- Sign in to the AWS Management Console: Go to https://aws.amazon.com/ and sign in to your AWS account.
- Navigate to the RDS Console: Click on the “Services” dropdown menu at the top of the page, then select “RDS” under the Database category.
- Select the RDS Instance: From the list of RDS instances, select the instance for which you want to enable deletion protection by clicking on its identifier.
- Enable Deletion Protection:
  - In the RDS instance details page, click on the “Modify” button located in the top right corner.
  - Scroll down to the “Backup” section of the Modify DB Instance page.
  - Find the “Deletion protection” option and check the box next to it to enable deletion protection for the RDS instance.
- Apply Changes: Scroll down to the bottom of the Modify DB Instance page and click on the “Continue” button.
- Review and Apply Changes: Review the changes you are about to make, and if everything looks correct, click on the “Modify DB Instance” button to apply the changes.
- Verify Deletion Protection: Once the modification is complete, go back to the list of RDS instances, select the instance you modified, and verify that deletion protection is enabled by checking the instance details.
By following these steps, you will successfully enable deletion protection for the AWS RDS instance, thereby remedying the misconfiguration of “Instance Deletion Protection Should Be Enabled”.
To enable instance deletion protection for an AWS RDS instance using AWS CLI, follow these steps:
- Open the AWS CLI and run the following command to enable deletion protection for the RDS instance (note the flag is --deletion-protection; --no-deletion-protection would turn the protection off):
aws rds modify-db-instance --db-instance-identifier your-db-instance-name --deletion-protection
Replace your-db-instance-name with the actual name of your RDS instance.
- Verify that the deletion protection has been enabled for the RDS instance by running the following command:
aws rds describe-db-instances --db-instance-identifier your-db-instance-name --query 'DBInstances[*].[DBInstanceIdentifier,DeletionProtection]'
This command will return the information about the specified RDS instance, including the status of deletion protection.
By following these steps, you can successfully enable instance deletion protection for an AWS RDS instance using AWS CLI.
To remediate the misconfiguration of Instance Deletion Protection not being enabled for an AWS RDS instance using Python, you can use the AWS SDK for Python (Boto3). Follow these steps:
- Install Boto3: If you haven’t already installed the Boto3 library, you can do so using pip: pip install boto3
- Configure AWS Credentials: Make sure you have configured your AWS credentials either by setting environment variables or by using the AWS CLI aws configure command.
- Write Python script: Create a Python script with the following code to enable Instance Deletion Protection for an AWS RDS instance:
```python
import boto3

# Define the AWS region and the RDS instance identifier
region = 'your_aws_region'
rds_instance_identifier = 'your_rds_instance_identifier'

# Create an RDS client
rds_client = boto3.client('rds', region_name=region)

# Enable Instance Deletion Protection for the RDS instance
try:
    response = rds_client.modify_db_instance(
        DBInstanceIdentifier=rds_instance_identifier,
        DeletionProtection=True
    )
    print(f"Instance Deletion Protection enabled for RDS instance {rds_instance_identifier}")
except Exception as e:
    print(f"Error enabling Instance Deletion Protection: {str(e)}")
```
- Replace your_aws_region and your_rds_instance_identifier with the appropriate values for your AWS environment.
- Run the Python script: Execute the Python script to enable Instance Deletion Protection for the specified AWS RDS instance.
By following these steps and running the Python script, you will be able to remediate the misconfiguration of Instance Deletion Protection not being enabled for an AWS RDS instance.
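The CLI and Python steps above act on one named instance. The script below is an added example, not code from the original page or its author, that generalizes them into an audit-and-fix pass: it pages through every DB instance and every Aurora cluster in a region, reports the ones without DeletionProtection, and can enable the flag and confirm from the API response that it took effect. Aurora cluster members are skipped because their deletion protection is set on the DB cluster, not the instance. It assumes boto3 is installed and that the caller holds rds:DescribeDBInstances, rds:DescribeDBClusters, rds:ModifyDBInstance and rds:ModifyDBCluster; the FakeRds class, its identifiers and its paging are constructed test data so the logic can be exercised offline.

```python
"""Audit RDS instances and Aurora clusters for DeletionProtection and optionally enable it.

Added example (not from the original page). Assumes boto3 is installed and that
credentials with the rds:Describe*/rds:Modify* permissions named above are available.
FakeRds below is a constructed stand-in for the boto3 RDS client.
"""

from typing import Dict, Iterable, List


def unprotected_instances(pages: Iterable[Dict]) -> List[str]:
    """Identifiers of DB instances whose DeletionProtection is not True.

    `pages` is the sequence of pages a boto3 paginator yields for describe_db_instances.
    Aurora members carry the flag on their cluster, so they are left to unprotected_clusters().
    """
    found = []
    for page in pages:
        for inst in page.get("DBInstances", []):
            if inst.get("DBClusterIdentifier"):
                continue
            if not inst.get("DeletionProtection", False):
                found.append(inst["DBInstanceIdentifier"])
    return found


def unprotected_clusters(pages: Iterable[Dict]) -> List[str]:
    """Identifiers of DB clusters whose DeletionProtection is not True."""
    found = []
    for page in pages:
        for cluster in page.get("DBClusters", []):
            if not cluster.get("DeletionProtection", False):
                found.append(cluster["DBClusterIdentifier"])
    return found


def audit(rds) -> Dict[str, List[str]]:
    """Run both checks against any client exposing boto3's get_paginator()."""
    inst_pages = rds.get_paginator("describe_db_instances").paginate()
    cluster_pages = rds.get_paginator("describe_db_clusters").paginate()
    return {"instances": unprotected_instances(inst_pages),
            "clusters": unprotected_clusters(cluster_pages)}


def remediate(rds, findings: Dict[str, List[str]]) -> Dict[str, bool]:
    """Enable the flag on each finding; record what the API reported back per resource."""
    outcome = {}
    for ident in findings["instances"]:
        resp = rds.modify_db_instance(DBInstanceIdentifier=ident, DeletionProtection=True)
        outcome[ident] = bool(resp["DBInstance"].get("DeletionProtection"))
    for ident in findings["clusters"]:
        resp = rds.modify_db_cluster(DBClusterIdentifier=ident, DeletionProtection=True)
        outcome[ident] = bool(resp["DBCluster"].get("DeletionProtection"))
    return outcome


class _FakePaginator:
    def __init__(self, pages):
        self._pages = pages

    def paginate(self, **_):
        return iter(self._pages)


class FakeRds:
    """Constructed stand-in for the boto3 RDS client; the identifiers are sample data."""

    def __init__(self):
        self.instances = {
            "orders-db": {"DBInstanceIdentifier": "orders-db", "DeletionProtection": False},
            "reports-db": {"DBInstanceIdentifier": "reports-db", "DeletionProtection": True},
            "aurora-1-writer": {"DBInstanceIdentifier": "aurora-1-writer",
                                "DBClusterIdentifier": "aurora-1", "DeletionProtection": False},
        }
        self.clusters = {
            "aurora-1": {"DBClusterIdentifier": "aurora-1", "DeletionProtection": False},
        }

    def get_paginator(self, operation):
        if operation == "describe_db_instances":
            items = list(self.instances.values())
            # Split across two pages so the audit is exercised against pagination.
            return _FakePaginator([{"DBInstances": items[:2]}, {"DBInstances": items[2:]}])
        if operation == "describe_db_clusters":
            return _FakePaginator([{"DBClusters": list(self.clusters.values())}])
        raise ValueError(operation)

    def modify_db_instance(self, DBInstanceIdentifier, DeletionProtection, **_):
        self.instances[DBInstanceIdentifier]["DeletionProtection"] = DeletionProtection
        return {"DBInstance": dict(self.instances[DBInstanceIdentifier])}

    def modify_db_cluster(self, DBClusterIdentifier, DeletionProtection, **_):
        self.clusters[DBClusterIdentifier]["DeletionProtection"] = DeletionProtection
        return {"DBCluster": dict(self.clusters[DBClusterIdentifier])}


def main(region: str, fix: bool = False) -> Dict[str, List[str]]:
    """Run against a real account (boto3 required); pass fix=True to enable the flag."""
    import boto3
    rds = boto3.client("rds", region_name=region)
    findings = audit(rds)
    if fix and (findings["instances"] or findings["clusters"]):
        print(remediate(rds, findings))
    return findings


if __name__ == "__main__":
    # Offline demonstration on the constructed data; use main("us-east-1", fix=True) for an account.
    fake = FakeRds()
    print(audit(fake))
    print(remediate(fake, audit(fake)))
```

Running the audit a second time after remediate() is the verification step from the CLI section done programmatically: the second pass should return empty lists, and any identifier still listed means the modify call did not take effect and deserves a closer look.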