AWS Config Rule: RDS Instance Deletion Protection Enabled


Fernando Honig

Last Update 4 days ago

Description: Checks if an Amazon Relational Database Service (Amazon RDS) instance has deletion protection enabled. This rule is NON_COMPLIANT if an Amazon RDS instance does not have deletion protection enabled i.e deletionProtection is set to false.

Warning! Some RDS DB instances within a Cluster (Aurora/DocumentDB) will show as non-compliant.

Trigger type: Configuration changes

AWS Region: All supported AWS regions except Asia Pacific (Osaka), Israel (Tel Aviv), Europe (Spain), Europe (Zurich) Region

How to Resolve Manually

To resolve this manually, when creating or editing your RDS Instance, check under the additional configuration section and near the bottom you will see a section which will enable or disable deletion protection.

Now, with the vast majority of deployments, this is enabled by default. But the config rule will still exist to check if any have been disabled and therefore show as NON-COMPLIANT

How to Resolve with StackZone

You can resolve with StackZone by enabling the remediation rds-instance-deletion-protection-remediation

This will auto remediate any non-compliant instances from this config rule.

To activate this, head on over to Baseline Services -> Amazon RDS RDS and enable Instance Deletion Protection Enabled Remediation.

Want to know more about StackZone and how to make your cloud management simple and secure?

Check our how it works section with easy to follow videos or just create your own StackZone Account here

Was this article helpful?

1 out of 1 liked this article

Still need help? Message Us