Ensure instance deletion protection is enabled

Description

Ensures that the RDS deletion protection setting is enabled for this Aurora cluster. When a database instance or cluster is configured with deletion protection, the database cannot be deleted by any user. When you request the deletion of a database instance with deletion protection in the AWS Console, you are blocked and may not continue without first modifying the instance and disabling deletion protection.

Deletion protection is enabled by default when you create a production DB cluster using the AWS Management Console. However, deletion protection is disabled by default if you create a cluster using the AWS CLI or API. Enabling or disabling deletion protection doesn't cause an outage.

Rationale

Enabling deletion protection is critical as it prevents inadvertent loss of data and unavailability.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                            With Value
secureclouddb/provider         aws
secureclouddb/service          rds
secureclouddb/resource-type    cluster

Default Rule

const { isAwsRdsCluster } = aws // `aws` helper object is supplied by the rule runtime
/**
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true only when the resource is an
 *   RDS cluster and its deletionProtection flag is set
 */
function validate(databaseSettings) {
    // Compare against `true` so that a missing deletionProtection attribute
    // evaluates to false instead of leaving `success` undefined.
    const success = isAwsRdsCluster(databaseSettings) &&
                    databaseSettings.awsDatabaseInstance.rdsCluster.deletionProtection === true

    return {
        success,
    }
}

// invoke (databaseSettings is provided by the rule runtime)
validate(databaseSettings);
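The same check, run offline against the output of `aws rds describe-db-clusters`, as an added example that is not part of the SecureCloudDB rule above. The keys `DBClusters`, `DBClusterIdentifier`, `Engine` and `DeletionProtection` are the real DescribeDBClusters response fields; the cluster data itself is constructed, and it includes the case the description calls out (a cluster created through the CLI or API, where the flag defaults to false) plus a defensive case where the attribute is absent.

```javascript
// Constructed sample of `aws rds describe-db-clusters` output (not real clusters).
const sampleDescribeOutput = {
  DBClusters: [
    { DBClusterIdentifier: "prod-aurora-1", Engine: "aurora-mysql", DeletionProtection: true },
    { DBClusterIdentifier: "dev-aurora-2", Engine: "aurora-postgresql", DeletionProtection: false },
    // Created via the CLI/API without the flag: the setting defaults to false.
    { DBClusterIdentifier: "cli-aurora-3", Engine: "aurora-mysql", DeletionProtection: false },
    // Attribute missing entirely; must be treated as not protected, not skipped.
    { DBClusterIdentifier: "legacy-aurora-4", Engine: "aurora-mysql" },
  ],
};

// Same predicate as the rule, but against the API field name and as a strict
// boolean so an absent attribute yields false rather than undefined.
function isDeletionProtected(cluster) {
  return cluster.DeletionProtection === true;
}

// Returns one finding per cluster that would fail the rule, with the
// remediation the description implies (modifying the cluster causes no outage).
function auditDeletionProtection(describeOutput) {
  const findings = [];
  for (const cluster of describeOutput.DBClusters || []) {
    if (isDeletionProtected(cluster)) continue;
    findings.push({
      clusterId: cluster.DBClusterIdentifier,
      engine: cluster.Engine,
      reason: cluster.DeletionProtection === undefined
        ? "DeletionProtection attribute missing"
        : "DeletionProtection is false",
      remediation:
        `aws rds modify-db-cluster --db-cluster-identifier ${cluster.DBClusterIdentifier} ` +
        "--deletion-protection",
    });
  }
  return findings;
}

// Stand-alone run: print the findings for the constructed sample.
console.log(JSON.stringify(auditDeletionProtection(sampleDescribeOutput), null, 2));
```

To audit a real account, feed the function the parsed JSON from `aws rds describe-db-clusters` instead of the constructed sample.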