Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Cluster Deletion Protection

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: RDS-035

Ensure that all your provisioned Amazon Aurora database clusters are protected from accidental deletion by having the Deletion Protection feature enabled at the Aurora cluster level.

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Deletion protection prevents any existing or new provisioned Aurora database clusters from being terminated by a root or an IAM user, using the AWS Management Console, AWS CLI, or AWS API, unless the feature is explicitly disabled. With Deletion Protection safety feature enabled, you have the certainty that your Amazon Aurora database clusters can't be accidentally deleted and make sure that your data remains safe.


Audit

To determine if your Aurora database clusters are protected against accidental deletion, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under Amazon RDS, choose Databases.

04 Click on the name (link) of the Aurora database cluster that you want to examine. To identify Aurora database clusters, check the database engine type available in the Engine column (i.e. Aurora MySQL or Aurora PostgreSQL).

05 Select the Configuration tab and check the Deletion protection attribute value. If the Deletion protection value is set to Disabled, the Deletion Protection safety feature is not enabled for the selected Amazon Aurora database cluster.

06 Repeat steps no. 4 and 5 for each Amazon Aurora database cluster available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-db-clusters command (OSX/Linux/UNIX) using custom query filters to list the names of all the Aurora database clusters available in the selected AWS region:

aws rds describe-db-clusters
  --region us-east-1
  --output table
  --query 'DBClusters[?Engine==`aurora-mysql` || Engine==`aurora-postgresql`].DBClusterIdentifier | []'

02 The command output should return a table with the requested Aurora clusters:

--------------------------------
|      DescribeDBClusters      |
+------------------------------+
|  cc-aurora-mysql-cluster     |
|  cc-aurora-postgres-cluster  |
+------------------------------+

03 Execute describe-db-clusters command (OSX/Linux/UNIX) using the name of the Aurora database cluster that you want to examine as the identifier parameter and custom query filters to describe the Deletion Protection feature status for the selected cluster:

aws rds describe-db-clusters
  --region us-east-1
  --db-cluster-identifier cc-aurora-mysql-cluster
  --query 'DBClusters[*].DeletionProtection'

04 The command output should return the feature status (true for enabled, false for disabled):

[
    false
]

If the describe-db-clusters command output returns false, as shown in the output example above, the Deletion Protection safety feature is not enabled for the selected Amazon Aurora database cluster.

05 Repeat steps no. 3 and 4 for each Amazon Aurora database cluster available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enable the Deletion Protection feature for your existing Amazon Aurora database clusters, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Enable Deletion Protection For Aurora Cluster",
	"Parameters": {
		"Username": {
			"Type": "String"
		},
		"Password": {
			"Type": "String",
			"NoEcho" : "true"
		},
	},
	"Resources": {
		"RDSCluster": {
			"Type": "AWS::RDS::DBCluster",
			"Properties": {
				"DBClusterIdentifier": "cc-new-aurora-mysql-cluster",
				"DatabaseName" : "auroradb",
				"MasterUsername": {
					"Ref": "Username"
				},
				"MasterUserPassword": {
					"Ref": "Password"
				},
				"Engine": "aurora",
				"DBSubnetGroupName": "default",
				"DeletionProtection": true
			}
		},
		"ClusterDBInstance1": {
			"Type": "AWS::RDS::DBInstance",
			"Properties": {
				"Engine": "aurora",
				"DBSubnetGroupName": "default",
				"DBClusterIdentifier": {
					"Ref": "RDSCluster"
				},
				"PubliclyAccessible": "true",
				"DBInstanceClass": "db.t2.small"
			}
		},
		"ClusterDBInstance2": {
			"Type": "AWS::RDS::DBInstance",
			"Properties": {
				"Engine": "aurora",
				"DBSubnetGroupName": "default",
				"DBClusterIdentifier": {
					"Ref": "RDSCluster"
				},
				"PubliclyAccessible": "true",
				"DBInstanceClass": "db.t2.small"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
	Description: Enable Deletion Protection For Aurora Cluster
	Parameters:
		Username:
		Type: String
		Password:
		Type: String
		NoEcho: 'true'
	Resources:
		RDSCluster:
		Type: AWS::RDS::DBCluster
		Properties:
			DBClusterIdentifier: cc-new-aurora-mysql-cluster
			DatabaseName: auroradb
			MasterUsername: !Ref 'Username'
			MasterUserPassword: !Ref 'Password'
			Engine: aurora
			DBSubnetGroupName: default
			DeletionProtection: true
		ClusterDBInstance1:
		Type: AWS::RDS::DBInstance
		Properties:
			Engine: aurora
			DBSubnetGroupName: default
			DBClusterIdentifier: !Ref 'RDSCluster'
			PubliclyAccessible: 'true'
			DBInstanceClass: db.t2.small
		ClusterDBInstance2:
		Type: AWS::RDS::DBInstance
		Properties:
			Engine: aurora
			DBSubnetGroupName: default
			DBClusterIdentifier: !Ref 'RDSCluster'
			PubliclyAccessible: 'true'
			DBInstanceClass: db.t2.small

Using Terraform

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 3.27"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_rds_cluster_instance" "rds-cluster-instances" {
	count              = 2
	identifier         = "cc-aurora-mysql-cluster-${count.index}"
	cluster_identifier = aws_rds_cluster.rds-cluster.id
	instance_class     = "db.t2.small"
	engine             = aws_rds_cluster.rds-cluster.engine
	engine_version     = aws_rds_cluster.rds-cluster.engine_version
}

resource "aws_rds_cluster" "rds-cluster" {
	cluster_identifier      = "cc-aurora-mysql-cluster"
	engine                  = "aurora-mysql"
	engine_version          = "5.7.mysql_aurora.2.10.2"
	availability_zones      = ["us-east-1a", "us-east-1b"]
	database_name           = "auroradb"
	master_username         = "aurorausr"
	master_password         = "aurorapasswd"

	# Enable Deletion Protection For Aurora Cluster
	deletion_protection = true
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under Amazon RDS, choose Databases.

04 Select the Amazon Aurora database cluster that you want to reconfigure and choose Modify.

05 On the Modify DB cluster: <cluster-name> configuration page, perform the following operations:

  1. In the Additional configuration section, under Deletion protection, select the Enable deletion protection checkbox to activate the Deletion Protection safety feature for the selected Amazon Aurora cluster.
  2. Choose Continue and review the configuration changes that you want to apply, available in the Summary of modifications section.
  3. In the Scheduling of modifications section, perform one of the following actions based on your workload requirements:
    • Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.
    • Select Apply immediately to apply the changes right away. With this option any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window configured for the selected Aurora database cluster. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your database application.
  4. Choose Modify cluster to apply the configuration changes.

06 Repeat steps no. 4 and 5 for each Aurora database cluster available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run modify-db-cluster command (OSX/Linux/UNIX) to enable the Deletion Protection feature for the selected Amazon Aurora database cluster by adding the --deletion-protection parameter to the command request. The following command request example makes use of --apply-immediately parameter to apply the configuration changes asynchronously and as soon as possible. Any changes available in the pending modifications queue are also applied with this request. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your Aurora database application. If you skip adding the --apply-immediately parameter to the command request, Amazon Aurora will apply your changes during the next maintenance window:

aws rds modify-db-cluster
  --region us-east-1
  --db-cluster-identifier cc-aurora-mysql-cluster
  --deletion-protection
  --apply-immediately

02 The command output should return the configuration metadata for the modified Aurora cluster:

{
	"DBCluster": {
		"MasterUsername": "ccadmin",
		"ReaderEndpoint": "cc-aurora-mysql-cluster.cluster-ro-abcdabcdabcd.us-east-1.rds.amazonaws.com",
		"HttpEndpointEnabled": false,
		"ReadReplicaIdentifiers": [],
		"VpcSecurityGroups": [
			{
				"Status": "active",
				"VpcSecurityGroupId": "sg-0abcd1234abcd1234"
			},
			{
				"Status": "active",
				"VpcSecurityGroupId": "sg-abcd1234"
			}
		],
		"CopyTagsToSnapshot": false,
		"HostedZoneId": "ABCDABCDABCDAB",
		"EngineMode": "provisioned",
		"Status": "available",
		"MultiAZ": false,
		"LatestRestorableTime": "2021-05-12T09:00:00.162Z",
		"DomainMemberships": [],
		"PreferredBackupWindow": "04:06-04:36",
		"DBSubnetGroup": "default-vpc-abcdabcd",
		"AllocatedStorage": 30,
		"BackupRetentionPeriod": 7,
		"PreferredMaintenanceWindow": "tue:05:48-tue:06:18",
		"Engine": "aurora-mysql",
		"Endpoint": "cc-aurora-mysql-cluster.cluster-abcdabcdabcd.us-east-1.rds.amazonaws.com",
		"AssociatedRoles": [],
		"EarliestRestorableTime": "2021-05-12T09:03:00.657Z",
		"CrossAccountClone": false,
		"IAMDatabaseAuthenticationEnabled": false,
		"ClusterCreateTime": "2021-05-12T09:00:00.853Z",
		"EngineVersion": "5.7.mysql_aurora.2.07.2",
		"DeletionProtection": true,
		"DBClusterIdentifier": "cc-aurora-mysql-cluster",
		"DbClusterResourceId": "cluster-ABCDABCDABCDABCDABCDABCDAB",
		"DBClusterMembers": [
			{
				"IsClusterWriter": true,
				"DBClusterParameterGroupStatus": "in-sync",
				"PromotionTier": 1,
				"DBInstanceIdentifier": "cc-aurora-mysql-cluster-instance-1"
			}
		],
		"DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:cc-aurora-mysql-cluster",
		"StorageEncrypted": false,
		"DatabaseName": "",
		"DBClusterParameterGroup": "default.aurora-mysql5.7",
		"AvailabilityZones": [
			"us-east-1c",
			"us-east-1d",
			"us-east-1a"
		],
		"Port": 3306
	}
}

03 Repeat steps no. 1 and 2 for each Aurora database cluster available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

References

Publication date Apr 18, 2019

Unlock the Remediation Steps


Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Cluster Deletion Protection

Risk Level: Medium