EKS Cluster Deletion Protection Enabled

Overview

This check verifies that Amazon EKS clusters have deletion protection enabled. Deletion protection prevents accidental or unauthorized removal of your Kubernetes clusters, which could cause significant service disruptions.

Risk

Without deletion protection, your EKS cluster is vulnerable to:

  • Accidental deletion by team members during routine operations
  • Malicious deletion if admin credentials are compromised
  • Immediate service outages affecting all workloads running on the cluster
  • Data loss from orphaned resources and disrupted applications
  • Costly recovery efforts to rebuild infrastructure and restore services

Severity: High

Remediation Steps

Prerequisites

You need permission to modify EKS cluster settings. Specifically, you need the eks:UpdateClusterConfig IAM permission.

AWS Console Method

  1. Open the Amazon EKS console
  2. Click on Clusters in the left navigation
  3. Select the cluster you want to protect
  4. Click the Configuration tab
  5. In the General configuration section, click Edit
  6. Enable Deletion protection
  7. Click Save changes

The update typically completes within a few minutes.

AWS CLI (optional)

Enable deletion protection on an existing cluster:

aws eks update-cluster-config \
  --name <your-cluster-name> \
  --region us-east-1 \
  --deletion-protection

Replace <your-cluster-name> with your actual EKS cluster name.

To verify the update status:

aws eks describe-update \
  --name <your-cluster-name> \
  --region us-east-1 \
  --update-id <update-id-from-previous-command>

To disable deletion protection (for legitimate cluster removal):

aws eks update-cluster-config \
  --name <your-cluster-name> \
  --region us-east-1 \
  --no-deletion-protection

Warning: Only disable deletion protection when you are certain you want to delete the cluster.

CloudFormation (optional)

CloudFormation does not currently support the DeletionProtection property directly on AWS::EKS::Cluster resources. You will need to enable deletion protection via the AWS Console or CLI after the cluster is created.

Post-deployment script approach:

You can use a CloudFormation Custom Resource or a post-deployment script to enable deletion protection:

AWSTemplateFormatVersion: '2010-09-09'
Description: EKS cluster with post-deployment deletion protection

Parameters:
  ClusterName:
    Type: String
    Default: my-eks-cluster
    Description: Name of the EKS cluster

  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: List of subnet IDs for the EKS cluster

  SecurityGroupIds:
    Type: List<AWS::EC2::SecurityGroup::Id>
    Description: List of security group IDs for the EKS cluster

Resources:
  EKSClusterRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${ClusterName}-cluster-role'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: eks.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy

  EKSCluster:
    Type: AWS::EKS::Cluster
    Properties:
      Name: !Ref ClusterName
      RoleArn: !GetAtt EKSClusterRole.Arn
      ResourcesVpcConfig:
        SubnetIds: !Ref SubnetIds
        SecurityGroupIds: !Ref SecurityGroupIds
      Tags:
        - Key: Environment
          Value: production

Outputs:
  ClusterName:
    Description: EKS cluster name
    Value: !Ref EKSCluster

  ClusterArn:
    Description: EKS cluster ARN
    Value: !GetAtt EKSCluster.Arn

After deployment, run:

aws eks update-cluster-config \
  --name <your-cluster-name> \
  --region us-east-1 \
  --deletion-protection

Terraform (optional)

For new clusters, set deletion_protection = true in your aws_eks_cluster resource:

resource "aws_eks_cluster" "example" {
  name     = "my-eks-cluster"
  role_arn = aws_iam_role.eks_cluster.arn

  vpc_config {
    subnet_ids = var.subnet_ids
  }

  # Enable deletion protection
  deletion_protection = true

  tags = {
    Environment = "production"
  }
}

# IAM role for EKS cluster (required)
resource "aws_iam_role" "eks_cluster" {
  name = "eks-cluster-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Principal = {
          Service = "eks.amazonaws.com"
        }
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "eks_cluster_policy" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
  role       = aws_iam_role.eks_cluster.name
}

variable "subnet_ids" {
  description = "List of subnet IDs for EKS cluster"
  type        = list(string)
}

For existing clusters, add deletion_protection = true to your configuration and run:

terraform plan
terraform apply

Note: Terraform requires version 5.0+ of the AWS provider for deletion protection support.

Verification

After enabling deletion protection, verify it is active:

  1. In the AWS Console, go to your EKS cluster
  2. Check the Configuration tab
  3. Confirm Deletion protection shows as Enabled

CLI verification

aws eks describe-cluster \
  --name <your-cluster-name> \
  --region us-east-1 \
  --query 'cluster.deletionProtection'

The output should be true.
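The check described in the Overview, applied to the describe-cluster output used in this Verification section, as an added example that is not part of the original page. It evaluates the `cluster.deletionProtection` field from `aws eks describe-cluster` responses and fails closed when the field is missing or is not a boolean true. The sample responses, cluster names and the `scan_live` helper are constructed for this example; the live scan assumes boto3 is installed and that `describe_cluster` returns the same `deletionProtection` key the CLI exposes.

```python
"""Evaluate the "EKS Cluster Deletion Protection Enabled" check offline.

Added example, not from the original page. The sample responses below are
constructed in the shape of `aws eks describe-cluster` output, trimmed to
the fields the check needs. The optional live scan assumes boto3 is
available and that describe_cluster returns the same `deletionProtection`
key as the CLI (an assumption of this example).
"""
from __future__ import annotations

from typing import Any

# Constructed sample responses (cluster names are placeholders).
SAMPLE_DESCRIBE_CLUSTER_RESPONSES: list[dict[str, Any]] = [
    {"cluster": {"name": "prod-api", "status": "ACTIVE", "deletionProtection": True}},
    {"cluster": {"name": "staging", "status": "ACTIVE", "deletionProtection": False}},
    # Field absent entirely, as an older CLI/SDK without the setting would return.
    {"cluster": {"name": "legacy", "status": "ACTIVE"}},
    # Value present but not a boolean: treat as unknown rather than as enabled.
    {"cluster": {"name": "odd", "status": "ACTIVE", "deletionProtection": "true"}},
]


def deletion_protection_enabled(describe_response: dict[str, Any]) -> bool:
    """Return True only when deletionProtection is literally boolean true.

    A missing field or a non-boolean value counts as *not* protected, so the
    check fails closed instead of passing a cluster the API did not report
    as protected.
    """
    cluster = describe_response.get("cluster") or {}
    return cluster.get("deletionProtection") is True


def evaluate(describe_response: dict[str, Any]) -> dict[str, str]:
    """Produce one finding in the page's PASS/FAIL, High-severity form."""
    cluster = describe_response.get("cluster") or {}
    name = cluster.get("name", "<unknown>")
    if deletion_protection_enabled(describe_response):
        return {"cluster": name, "status": "PASS", "severity": "High",
                "detail": "Deletion protection is enabled."}
    raw = cluster.get("deletionProtection")
    detail = ("Deletion protection is disabled." if raw is False
              else f"deletionProtection not reported as boolean true (got {raw!r}).")
    return {"cluster": name, "status": "FAIL", "severity": "High", "detail": detail}


def find_unprotected(responses: list[dict[str, Any]]) -> list[str]:
    """Names of clusters that fail the check, in input order."""
    return [f["cluster"] for f in map(evaluate, responses) if f["status"] == "FAIL"]


def scan_live(region: str) -> list[dict[str, str]]:
    """Run the check against every cluster in a region using boto3.

    Requires credentials with eks:ListClusters and eks:DescribeCluster.
    boto3 is imported lazily so the offline functions above work without it.
    """
    import boto3  # assumption: boto3 is installed in the environment

    eks = boto3.client("eks", region_name=region)
    findings = []
    for page in eks.get_paginator("list_clusters").paginate():
        for name in page["clusters"]:
            findings.append(evaluate(eks.describe_cluster(name=name)))
    return findings


if __name__ == "__main__":
    for finding in map(evaluate, SAMPLE_DESCRIBE_CLUSTER_RESPONSES):
        print(f"{finding['status']:4} {finding['cluster']:10} {finding['detail']}")
```

Treating an absent or non-boolean value as a failure is deliberate: a cluster described by a client that predates the setting, or a response that was mangled in transit, should surface for review rather than be counted as protected.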

Additional Resources

Notes

  • Production clusters: Always enable deletion protection on production clusters to prevent accidental data loss.
  • Disabling protection: You must explicitly disable deletion protection before you can delete a cluster. This is intentional and provides a safety checkpoint.
  • IAM permissions: Consider restricting the eks:UpdateClusterConfig permission to prevent unauthorized users from disabling deletion protection.
  • Cluster updates: Enabling or disabling deletion protection is an asynchronous operation. The cluster remains functional during the update.
  • Cost: There is no additional cost for enabling deletion protection.