v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 5 Amazon DocumentDB clusters should have deletion protection enabled

Description

This control checks whether an Amazon DocumentDB cluster has deletion protection enabled. The control fails if the cluster doesn't have deletion protection enabled.

Enabling cluster deletion protection offers an additional layer of protection against accidental database deletion or deletion by an unauthorized user. An Amazon DocumentDB cluster can't be deleted while deletion protection is enabled. You must first disable deletion protection before a delete request can succeed. Deletion protection is enabled by default when you create a cluster in the Amazon DocumentDB console.

Remediation

To enable deletion protection for an existing Amazon DocumentDB cluster, see Modifying an Amazon DocumentDB cluster in the Amazon DocumentDB Developer Guide. In the Modify Cluster section, choose Enable for Deletion protection.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_docdb_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_docdb_5 --share

SQL

This control uses a named query:

docdb_cluster_deletion_protection_enabled

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = data_deletion_protection
foundational_security_item_id = docdb_5
plugin = aws
service = AWS/DocumentDB