
Enable Amazon DocumentDB Deletion Protection

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Amazon DocumentDB (with MongoDB compatibility) database clusters have the Deletion Protection feature enabled in order to protect them from being accidentally deleted.

This rule can help you work with the AWS Well-Architected Framework.

Security

With the Deletion Protection safety feature enabled, your Amazon DocumentDB database clusters cannot be accidentally deleted, which helps keep your data safe. Deletion protection prevents any existing or new database cluster from being deleted by any user through the AWS Management Console, AWS CLI, or AWS API calls, unless the feature is first explicitly disabled within the cluster configuration.


Audit

To determine if your Amazon DocumentDB clusters are protected against accidental deletion, perform the following operations:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon DocumentDB console at https://console.aws.amazon.com/docdb.

03 In the left navigation panel, under Amazon DocumentDB, choose Clusters.

04 Click on the name of the database cluster that you want to examine.

05 Select the Configuration tab to access the cluster configuration panel.

06 On the Cluster details panel, under Configurations and status, check the Deletion protection configuration attribute value. If Deletion protection is set to Disabled, the Deletion Protection safety feature is not enabled for the selected Amazon DocumentDB database cluster.

07 Repeat steps no. 4 – 6 to verify the Deletion Protection feature status for other database clusters available in the current AWS region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-db-clusters command (OSX/Linux/UNIX) to list the names of all Amazon DocumentDB database clusters available within the selected region:

aws docdb describe-db-clusters \
  --region us-east-1 \
  --output table \
  --query 'DBClusters[*].DBClusterIdentifier'

02 The command output should return a table with the requested database cluster names:

---------------------------
|   DescribeDBClusters    |
+-------------------------+
|  cc-prod-docdb-cluster  |
|  cc-test-docdb-cluster  |
+-------------------------+

03 Run describe-db-clusters command (OSX/Linux/UNIX) using the name of the DocumentDB database cluster that you want to examine as the identifier parameter and custom query filters to describe the Deletion Protection feature status for the selected cluster:

aws docdb describe-db-clusters \
  --region us-east-1 \
  --db-cluster-identifier cc-prod-docdb-cluster \
  --query 'DBClusters[*].DeletionProtection'

04 The command output should return the requested configuration status (true for enabled, false for disabled):

[
	false
]

If the describe-db-clusters command output returns false, as shown in the output example above, the Deletion Protection safety feature is not enabled for the selected Amazon DocumentDB database cluster.

05 Repeat steps no. 3 and 4 to verify the Deletion Protection feature status for other database clusters available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
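The audit in steps 1 – 6 can be scripted so that every region is covered in one run. The following is an added example, not Conformity's own tooling: the compliance check is a pure function over the describe-db-clusters response shape shown above, so it runs offline against a constructed sample; the live lookup under __main__ assumes boto3 is installed and AWS credentials are configured. It treats a missing DeletionProtection attribute as a failure rather than a pass.

```python
"""Audit Amazon DocumentDB clusters for the DeletionProtection flag.

Added example (not part of the Conformity article). The live call under
__main__ assumes boto3 and configured AWS credentials (assumption).
"""
from typing import Callable, Dict, Iterable, List


def find_unprotected(response: Dict) -> List[str]:
    """Return identifiers of clusters whose DeletionProtection is not true.

    `response` has the shape returned by `aws docdb describe-db-clusters`:
    {"DBClusters": [{"DBClusterIdentifier": ..., "DeletionProtection": ...}]}.
    A missing DeletionProtection key is reported as unprotected (fail closed),
    so an unexpected response shape cannot silently pass the audit.
    """
    unprotected = []
    for cluster in response.get("DBClusters", []):
        if cluster.get("DeletionProtection") is not True:
            unprotected.append(cluster["DBClusterIdentifier"])
    return unprotected


def audit_regions(regions: Iterable[str],
                  describe: Callable[[str], Dict]) -> Dict[str, List[str]]:
    """Run the check per region; `describe(region)` returns the API response.

    Injecting `describe` keeps this function testable without AWS access.
    """
    return {region: find_unprotected(describe(region)) for region in regions}


# Constructed sample mirroring the page's CLI output (not real clusters).
SAMPLE_RESPONSE = {
    "DBClusters": [
        {"DBClusterIdentifier": "cc-prod-docdb-cluster", "DeletionProtection": False},
        {"DBClusterIdentifier": "cc-test-docdb-cluster", "DeletionProtection": True},
    ]
}

if __name__ == "__main__":
    import boto3  # assumption: boto3 installed and credentials configured

    def describe_live(region: str) -> Dict:
        # Paginate so clusters beyond the first page are not missed.
        client = boto3.client("docdb", region_name=region)
        pages = client.get_paginator("describe_db_clusters").paginate()
        return {"DBClusters": [c for page in pages for c in page["DBClusters"]]}

    for region, names in audit_regions(["us-east-1"], describe_live).items():
        for name in names:
            print(f"{region}: {name} has Deletion Protection disabled")
```

Extend the region list passed to audit_regions to cover every region you operate in; each reported cluster is one the Remediation section below applies to.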

Remediation / Resolution

To enable the Deletion Protection feature for your existing Amazon DocumentDB (with MongoDB compatibility) database clusters, perform the following operations:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon DocumentDB console at https://console.aws.amazon.com/docdb.

03 In the left navigation panel, under Amazon DocumentDB, choose Clusters.

04 Select the DocumentDB database cluster that you want to reconfigure, click on the Actions dropdown button from the console top menu and choose Modify.

05 On the Modify cluster: <cluster-identifier> page, in the Deletion protection section, select the Enable deletion protection checkbox to activate the Deletion Protection safety feature for the selected Amazon DocumentDB database cluster.

06 Click Continue to continue the reconfiguration process.

07 Within the Summary of modifications section, carefully review the configuration changes that you want to apply to the cluster.

08 In the Scheduling of modifications section, perform one of the following actions based on your application requirements:

  1. Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.
  2. Select Apply immediately to apply the configuration changes right away. With this option any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window setting for the selected database cluster. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your DocumentDB application.

09 Click Modify cluster to apply the configuration changes.

10 Repeat steps no. 4 – 9 to enable deletion protection for other DocumentDB database clusters provisioned in the current region.

11 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run modify-db-cluster command (OSX/Linux/UNIX) to enable the Deletion Protection safety feature for the selected Amazon DocumentDB database cluster (see Audit section part II to identify the right resource). The following command example makes use of the --apply-immediately parameter to apply the configuration changes asynchronously, as soon as possible. Any changes available in the pending modifications queue are also applied with this request. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your DocumentDB application. If you use the --no-apply-immediately parameter instead, the DocumentDB service will apply your changes during the next scheduled maintenance window:

aws docdb modify-db-cluster \
  --region us-east-1 \
  --db-cluster-identifier cc-prod-docdb-cluster \
  --deletion-protection \
  --apply-immediately

02 The command output should return the configuration metadata for the modified database cluster:

{
	"DBCluster": {
		"MasterUsername": "docdbuser",
		"ReaderEndpoint": "cc-prod-docdb-cluster.cluster-us-abcdabcd.us-east-1.docdb.amazonaws.com",
		"Status": "available",
		"MultiAZ": false,
		"LatestRestorableTime": "2020-08-03T15:00:00.000Z",
		"PreferredBackupWindow": "00:00-00:30",
		"DBSubnetGroup": "default",
		"BackupRetentionPeriod": 1,
		"PreferredMaintenanceWindow": "sat:07:39-sat:08:09",
		...

		"Engine": "docdb",
		"Endpoint": "cc-prod-docdb-cluster.cluster-abcdabcd.us-east-1.docdb.amazonaws.com",
		"EarliestRestorableTime": "2020-08-03T15:00:00.000Z",
		"ClusterCreateTime": "2020-08-03T16:00:00.000Z",
		"EngineVersion": "3.6.0",
		"DeletionProtection": true,
		"DBClusterIdentifier": "cc-prod-docdb-cluster",
		"StorageEncrypted": true,
		"DBClusterParameterGroup": "default.docdb3.6",
		"Port": 27017
	}
}

03 Repeat steps no. 1 and 2 to enable deletion protection for other Amazon DocumentDB database clusters deployed in the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
