v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 8 RDS DB instances should have deletion protection enabled

Description

This control checks whether your RDS DB instances that use one of the listed database engines have deletion protection enabled.

Enabling instance deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity.

While deletion protection is enabled, an RDS DB instance cannot be deleted. Before a deletion request can succeed, deletion protection must be disabled.

Remediation

To remediate this issue, update your RDS DB instance to enable deletion protection.

To enable deletion protection for an RDS DB instance

  1. Open the Amazon RDS console.
  2. In the navigation pane, choose Databases, then choose the DB instance that you want to modify.
  3. Choose Modify.
  4. Under Deletion protection, choose Enable deletion protection.
  5. Choose Continue.
  6. Under Scheduling of modifications, choose when to apply modifications. The options are Apply during the next scheduled maintenance window or Apply immediately.
  7. Choose Modify DB Instance.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_rds_8

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_rds_8 --share

SQL

This control uses a named query:

rds_db_instance_deletion_protection_enabled

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = data_deletion_protection
foundational_security_item_id = rds_8
plugin = aws
service = AWS/RDS