DocumentDB Cluster Deletion Protection
Overview
This check verifies that your Amazon DocumentDB clusters have deletion protection enabled. Deletion protection is a safety feature that prevents a cluster from being accidentally or maliciously deleted.
Risk
Without deletion protection, your DocumentDB cluster can be deleted by anyone with sufficient permissions—whether by mistake, through faulty automation, or by a compromised account. This could result in:
- Sudden outages affecting applications that depend on the database
- Data loss if final snapshots are bypassed or unavailable
- Difficult recovery even with backups, causing extended downtime
Enabling deletion protection ensures that you must explicitly disable it before a cluster can be deleted, adding a deliberate step that prevents accidental loss.
Remediation Steps
Prerequisites
- AWS Console access with permissions to modify DocumentDB clusters, or
- AWS CLI configured with appropriate credentials
Required IAM permissions
To enable deletion protection and verify the result, you need the following IAM permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:ModifyDBCluster",
        "rds:DescribeDBClusters"
      ],
      "Resource": "arn:aws:rds:*:*:cluster:*"
    }
  ]
}
Note: DocumentDB uses the RDS API namespace for many operations.
AWS Console Method
- Open the Amazon DocumentDB console
- In the left navigation, click Clusters
- Select the cluster you want to protect
- Click Modify
- Scroll to the Deletion protection section
- Check the box for Enable deletion protection
- Scroll down and click Continue
- Choose Apply immediately if you want the change to take effect now
- Click Modify cluster
AWS CLI
Use the following command to enable deletion protection on an existing cluster:
aws docdb modify-db-cluster \
--db-cluster-identifier <your-cluster-identifier> \
--deletion-protection \
--apply-immediately \
--region us-east-1
Replace <your-cluster-identifier> with your actual cluster name.
Example:
aws docdb modify-db-cluster \
--db-cluster-identifier my-production-cluster \
--deletion-protection \
--apply-immediately \
--region us-east-1
To verify the change was applied:
aws docdb describe-db-clusters \
--db-cluster-identifier <your-cluster-identifier> \
--query 'DBClusters[0].DeletionProtection' \
--region us-east-1
This should return true.
CloudFormation
When creating or updating a DocumentDB cluster with CloudFormation, set DeletionProtection: true:
AWSTemplateFormatVersion: '2010-09-09'
Description: DocumentDB Cluster with deletion protection enabled
Parameters:
  DBClusterIdentifier:
    Type: String
    Description: The identifier for the DocumentDB cluster
  MasterUsername:
    Type: String
    Description: The master username for the cluster
  MasterUserPassword:
    Type: String
    NoEcho: true
    Description: The master password for the cluster
  VPCSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group for the DocumentDB cluster
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Subnet IDs for the DocumentDB subnet group
Resources:
  DocumentDBSubnetGroup:
    Type: AWS::DocDB::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Subnet group for DocumentDB cluster
      SubnetIds: !Ref SubnetIds
  DocumentDBCluster:
    Type: AWS::DocDB::DBCluster
    Properties:
      DBClusterIdentifier: !Ref DBClusterIdentifier
      MasterUsername: !Ref MasterUsername
      MasterUserPassword: !Ref MasterUserPassword
      DeletionProtection: true
      DBSubnetGroupName: !Ref DocumentDBSubnetGroup
      VpcSecurityGroupIds:
        - !Ref VPCSecurityGroupId
Outputs:
  ClusterEndpoint:
    Description: DocumentDB cluster endpoint
    Value: !GetAtt DocumentDBCluster.Endpoint
To update an existing stack:
If you have an existing CloudFormation stack, add or update the DeletionProtection: true property in your template and run:
aws cloudformation update-stack \
--stack-name <your-stack-name> \
--template-body file://template.yaml \
--parameters ParameterKey=DBClusterIdentifier,UsePreviousValue=true \
ParameterKey=MasterUsername,UsePreviousValue=true \
ParameterKey=MasterUserPassword,UsePreviousValue=true \
ParameterKey=VPCSecurityGroupId,UsePreviousValue=true \
ParameterKey=SubnetIds,UsePreviousValue=true \
--region us-east-1
Terraform
When creating or updating a DocumentDB cluster with Terraform, set deletion_protection = true:
resource "aws_docdb_cluster" "example" {
  cluster_identifier        = var.cluster_identifier
  master_username           = var.master_username
  master_password           = var.master_password
  deletion_protection       = true
  db_subnet_group_name      = aws_docdb_subnet_group.example.name
  vpc_security_group_ids    = var.vpc_security_group_ids
  skip_final_snapshot       = false
  final_snapshot_identifier = "${var.cluster_identifier}-final-snapshot"

  tags = {
    Name = var.cluster_identifier
  }
}

resource "aws_docdb_subnet_group" "example" {
  name       = "${var.cluster_identifier}-subnet-group"
  subnet_ids = var.subnet_ids

  tags = {
    Name = "${var.cluster_identifier}-subnet-group"
  }
}
To update an existing cluster:
- Add deletion_protection = true to your existing aws_docdb_cluster resource
- Run terraform plan to review the changes
- Run terraform apply to apply the change
Verification
After enabling deletion protection, confirm it is active:
- Go to the DocumentDB console
- Click Clusters and select your cluster
- In the Configuration tab, look for Deletion protection
- Verify it shows Enabled
CLI verification
aws docdb describe-db-clusters \
--db-cluster-identifier <your-cluster-identifier> \
--query 'DBClusters[0].DeletionProtection' \
--region us-east-1
Expected output: true
Additional Resources
- Amazon DocumentDB Developer Guide - Deletion Protection
- AWS CLI Reference - modify-db-cluster
- Prowler Check Documentation
Notes
- Production clusters: Always enable deletion protection on production databases.
- Disabling protection: To delete a protected cluster, you must first disable deletion protection. This is intentional and provides a safety checkpoint.
- No downtime: Enabling or disabling deletion protection does not cause downtime or affect cluster performance.
- Automation: Consider using AWS Config rules or automation to enforce deletion protection across all DocumentDB clusters in your account.
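The CLI verification above checks one cluster at a time, and the Automation note asks for the same check across every cluster in an account. The following script is an added example (not part of this page or of the Prowler project) that does that: the evaluation logic is separated from the API call so it runs offline against a constructed describe-db-clusters response, and a live mode uses boto3 when a region is passed on the command line. The helper names, the sample cluster identifiers, the account number and the ARNs are all made up for the example; boto3, credentials and the rds:DescribeDBClusters permission listed above are assumed for live use.

```python
"""Audit Amazon DocumentDB clusters for deletion protection.

Hypothetical audit helper written for this example; it is not Prowler's
check and not code from the page. The evaluation is kept separate from
the API call so it can run offline against a captured or constructed
describe-db-clusters response.
"""
from __future__ import annotations

import sys
from typing import Iterable, Iterator


def iter_docdb_clusters(pages: Iterable[dict]) -> Iterator[dict]:
    """Yield DocumentDB clusters from describe-db-clusters response pages.

    DescribeDBClusters is shared with the RDS API family (DocumentDB uses the
    RDS namespace, as the page notes), so the Engine field is checked to keep
    only docdb clusters and skip anything else the call may return.
    """
    for page in pages:
        for cluster in page.get("DBClusters", []):
            if cluster.get("Engine") == "docdb":
                yield cluster


def evaluate_cluster(cluster: dict) -> dict:
    """Return a finding for one cluster: PASS only if DeletionProtection is true.

    A missing DeletionProtection key is treated as FAIL rather than skipped,
    so an unexpected response shape cannot silently hide an unprotected cluster.
    """
    protected = cluster.get("DeletionProtection") is True
    return {
        "cluster": cluster.get("DBClusterIdentifier", "<unknown>"),
        "arn": cluster.get("DBClusterArn", ""),
        "status": "PASS" if protected else "FAIL",
        "message": (
            "deletion protection enabled"
            if protected
            else "deletion protection disabled; see remediation steps"
        ),
    }


def audit(pages: Iterable[dict]) -> list[dict]:
    """Evaluate every DocumentDB cluster found in the response pages."""
    return [evaluate_cluster(c) for c in iter_docdb_clusters(pages)]


def fetch_pages(region: str) -> Iterator[dict]:
    """Live mode: page through describe_db_clusters with boto3.

    The import is deferred so the offline path works without boto3 installed.
    Assumes boto3 and AWS credentials are configured (hypothetical usage).
    """
    import boto3

    client = boto3.client("docdb", region_name=region)
    paginator = client.get_paginator("describe_db_clusters")
    yield from paginator.paginate()


# Constructed sample response shaped like the CLI/boto3 output; not real data.
SAMPLE_PAGES = [
    {
        "DBClusters": [
            {
                "DBClusterIdentifier": "my-production-cluster",
                "DBClusterArn": "arn:aws:rds:us-east-1:111122223333:cluster:my-production-cluster",
                "Engine": "docdb",
                "DeletionProtection": True,
            },
            {
                "DBClusterIdentifier": "dev-cluster",
                "DBClusterArn": "arn:aws:rds:us-east-1:111122223333:cluster:dev-cluster",
                "Engine": "docdb",
                "DeletionProtection": False,
            },
            {
                # Non-DocumentDB engine: should be ignored by the audit.
                "DBClusterIdentifier": "aurora-reporting",
                "DBClusterArn": "arn:aws:rds:us-east-1:111122223333:cluster:aurora-reporting",
                "Engine": "aurora-postgresql",
                "DeletionProtection": False,
            },
        ]
    }
]

if __name__ == "__main__":
    # With a region argument, audit the live account; otherwise use the sample.
    pages = fetch_pages(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PAGES
    findings = audit(pages)
    for f in findings:
        print(f"{f['status']}  {f['cluster']}  {f['message']}")
    # Non-zero exit lets a CI job or scheduled task fail on unprotected clusters.
    sys.exit(1 if any(f["status"] == "FAIL" for f in findings) else 0)
```

Run it with no arguments to see the two findings from the sample data (one PASS, one FAIL, with the Aurora cluster ignored), or with a region such as us-east-1 to audit the live account. The non-zero exit code is what makes it usable as the enforcement hook the Automation note describes: a scheduled job or pipeline step can fail whenever a DocumentDB cluster without deletion protection appears.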