RDS clusters should have deletion protection enabled
Severity: Low
Resource Types: AWS::RDS::DBCluster
Description
This control checks whether RDS clusters have deletion protection enabled.
This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.
Enabling cluster deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity.
When deletion protection is enabled, an RDS cluster cannot be deleted. Before a deletion request can succeed, deletion protection must be disabled.
Remediation
To remediate this issue, update your RDS DB cluster to enable delete protection.
To enable deletion protection for an RDS DB cluster
- Open the Amazon RDS console.
- In the navigation pane, choose
Databases
, then choose the DB cluster that you want to modify. - Choose
Modify
. - Under
Deletion protection
, chooseEnable deletion protection
. - Choose
Continue
. - Under
Scheduling of modifications
, choose when to apply modifications. The options areApply during the next scheduled maintenance window
orApply immediately
. - Choose
Modify Cluster
.