RDS Cluster Deletion Protection
Overview
This check verifies that Amazon RDS DB clusters (Aurora DB clusters and RDS Multi-AZ DB clusters) have deletion protection enabled. While the flag is set, the DeleteDBCluster API call is rejected, so a cluster cannot be removed until someone deliberately clears the flag first. This turns a single destructive call into a two-step process and stops accidental deletions outright.
Risk
Without deletion protection, your RDS clusters are exposed to:
- Accidental deletion by team members, causing sudden availability loss
- Malicious deletion if credentials are compromised (deletion protection only raises the bar for principals that lack rds:ModifyDBCluster; anyone who can modify the cluster can clear the flag before deleting)
- Automation errors (a stray terraform destroy, a mis-scoped cleanup script) that trigger unintended deletions
- Data loss if backups are outdated or unavailable when the cluster disappears
Enabling deletion protection adds a safety layer that requires an explicit, separate modification before a cluster can be deleted.
Remediation Steps
Prerequisites
- AWS Console or CLI access with the rds:ModifyDBCluster permission on the cluster (and rds:DescribeDBClusters to verify the result)
- The cluster identifier for the RDS cluster you want to protect
AWS Console Method
- Open the Amazon RDS console
- In the navigation pane, click Databases
- Select the DB cluster you want to modify
- Click the Modify button
- Scroll down to the Deletion protection section
- Check the box for Enable deletion protection
- Scroll to the bottom and click Continue
- Select Apply immediately (deletion protection takes effect immediately in either case; the choice only affects other pending modifications in the same request)
- Click Modify cluster
AWS CLI
Run the following command, replacing <your-cluster-identifier> with your actual cluster identifier:
aws rds modify-db-cluster \
--db-cluster-identifier <your-cluster-identifier> \
--deletion-protection \
--region us-east-1
Note: Deletion protection is applied immediately, so the --apply-immediately flag is not needed for this change. To clear it later (for example before an intentional deletion), run the same command with --no-deletion-protection.
To verify the change was applied:
aws rds describe-db-clusters \
--db-cluster-identifier <your-cluster-identifier> \
--region us-east-1 \
--query 'DBClusters[0].DeletionProtection'
This should return true.
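The command above protects one named cluster. The following script, an added example that is not part of the original check page, generalizes it into an audit-and-remediate loop: it lists every cluster in every enabled region, enables deletion protection on each one that lacks it, and re-reads the flag to verify. It assumes a configured AWS CLI whose credentials hold rds:DescribeDBClusters, rds:ModifyDBCluster and ec2:DescribeRegions; cluster and region names come from the account, nothing is hard-coded.

```shell
#!/bin/sh
# Added example, not part of the original check page: audit every RDS cluster in
# every enabled region and turn deletion protection on where it is off. Assumes the
# AWS CLI is configured with credentials holding rds:DescribeDBClusters,
# rds:ModifyDBCluster and ec2:DescribeRegions.
set -eu

# find_unprotected reads the text output of
#   aws rds describe-db-clusters \
#     --query 'DBClusters[].[DBClusterIdentifier,DeletionProtection]' --output text
# (one "<identifier><TAB><True|False>" line per cluster) on stdin and prints the
# identifiers whose DeletionProtection is False, one per line.
find_unprotected() {
  tab="$(printf '\t')"
  while IFS="$tab" read -r cluster_id protected; do
    [ -n "$cluster_id" ] || continue
    case "$protected" in
      False|false) printf '%s\n' "$cluster_id" ;;
    esac
  done
}

# remediate_region lists the clusters in one region, enables deletion protection on
# each unprotected one and re-reads the flag so the change is verified, not assumed.
remediate_region() {
  region="$1"
  aws rds describe-db-clusters --region "$region" \
      --query 'DBClusters[].[DBClusterIdentifier,DeletionProtection]' --output text \
    | find_unprotected \
    | while read -r cluster_id; do
        printf 'enabling deletion protection: %s (%s)\n' "$cluster_id" "$region"
        aws rds modify-db-cluster --region "$region" \
            --db-cluster-identifier "$cluster_id" --deletion-protection >/dev/null
        # Deletion protection applies immediately, so a direct re-read is enough.
        state="$(aws rds describe-db-clusters --region "$region" \
            --db-cluster-identifier "$cluster_id" \
            --query 'DBClusters[0].DeletionProtection' --output text)"
        [ "$state" = "True" ] || { echo "verification failed for $cluster_id" >&2; exit 1; }
      done
}

# The live walk over all enabled regions runs only when invoked as:
#   sh rds-protect.sh --apply
if [ "${1:-}" = "--apply" ]; then
  for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    remediate_region "$region"
  done
fi
```

Run it without arguments to load the functions and test find_unprotected against captured describe-db-clusters output; run it with --apply to perform the changes. ec2 describe-regions returns only regions the account has opted into, so the loop will not fail on disabled regions.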
CloudFormation
Add or update the DeletionProtection property in your RDS cluster resource:
AWSTemplateFormatVersion: '2010-09-09'
Description: RDS Aurora cluster with deletion protection enabled
Parameters:
  DBClusterIdentifier:
    Type: String
    Description: The identifier for the DB cluster
Resources:
  RDSCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      DBClusterIdentifier: !Ref DBClusterIdentifier
      Engine: aurora-mysql
      EngineVersion: "8.0.mysql_aurora.3.04.0"
      MasterUsername: admin
      # Resolve the password from Secrets Manager rather than embedding it in the template
      MasterUserPassword: "{{resolve:secretsmanager:MySecret:SecretString:password}}"
      # Reject DeleteDBCluster until this is explicitly set back to false
      DeletionProtection: true
Outputs:
  ClusterEndpoint:
    Description: The endpoint for the RDS cluster
    Value: !GetAtt RDSCluster.Endpoint.Address
Key property:
DeletionProtection: true - Enables deletion protection. Note that deleting the stack (or removing this resource from it) will fail at this resource until you update the stack with DeletionProtection: false first.
Terraform
Add or update the deletion_protection argument in your RDS cluster resource:
resource "aws_rds_cluster" "example" {
  cluster_identifier = "example-cluster"
  engine             = "aurora-mysql"
  engine_version     = "8.0.mysql_aurora.3.04.0"
  database_name      = "mydb"
  master_username    = "admin"
  # Let RDS generate the master password and store it in Secrets Manager instead of
  # committing a literal password to the repository (AWS provider v5 or later).
  manage_master_user_password = true

  # Enable deletion protection. `terraform destroy` will fail on this resource
  # until you apply deletion_protection = false first.
  deletion_protection = true

  # Take a final snapshot on deletion so the data survives even a deliberate removal.
  skip_final_snapshot       = false
  final_snapshot_identifier = "example-cluster-final"
}
Key argument:
deletion_protection = true - Enables deletion protection
After updating your Terraform configuration, run:
terraform plan
terraform apply
Verification
After making changes, confirm deletion protection is enabled:
- In the RDS console, select your cluster
- On the Configuration tab, look for Deletion protection
- It should show Enabled
CLI Verification
aws rds describe-db-clusters \
--db-cluster-identifier <your-cluster-identifier> \
--region us-east-1 \
--query 'DBClusters[0].{ClusterID:DBClusterIdentifier,DeletionProtection:DeletionProtection}'
Expected output:
{
"ClusterID": "your-cluster-identifier",
"DeletionProtection": true
}
Additional Resources
- AWS Documentation: Deleting a DB cluster
- AWS Documentation: Modifying an Amazon Aurora DB cluster
- AWS Security Hub: RDS.7 - RDS clusters should have deletion protection enabled
Notes
- Production clusters: Always enable deletion protection on production and critical database clusters.
- Deleting protected clusters: To delete a cluster with deletion protection enabled, you must first disable the protection (for example with modify-db-cluster --no-deletion-protection), then delete the cluster. Until then, DeleteDBCluster is rejected.
- No downtime: Enabling or disabling deletion protection does not cause any downtime or restart of the cluster.
- Least privilege: Restrict rds:ModifyDBCluster (and rds:DeleteDBCluster) on production clusters to a small set of roles. The same permission that enables deletion protection also disables it, so the flag only stops principals who cannot modify the cluster. There is no IAM condition key that isolates the DeletionProtection parameter, so scope the restriction by resource tag or by calling principal rather than by parameter.
- Multi-AZ clusters: This check applies to both Aurora DB clusters and RDS Multi-AZ DB clusters.
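One way to enforce the least-privilege note above, as an added example that is not part of the original page: a deny policy that keeps every principal except one break-glass role from modifying or deleting clusters tagged as production. The role ARN, the Tier=production tag and the policy name are assumptions for illustration. Because no condition key isolates the DeletionProtection parameter, the deny covers rds:ModifyDBCluster as a whole, which is why it is scoped by tag so day-to-day changes on non-production clusters are unaffected.

```shell
#!/bin/sh
# Added example, not from the original page: generate and (optionally) attach a
# deny policy so that only one break-glass role can clear deletion protection or
# delete a production cluster. The role ARN, the Tier=production tag and the
# policy name below are assumptions for illustration.
set -eu

# write_deny_policy writes the policy document to $2 for the break-glass role $1.
# aws:PrincipalArn carries the role ARN for assumed-role sessions, so the same
# document works as an SCP in AWS Organizations or as an identity policy.
write_deny_policy() {
  role_arn="$1"
  out_file="$2"
  cat > "$out_file" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OnlyBreakGlassMayUnprotectOrDeleteProdClusters",
      "Effect": "Deny",
      "Action": [
        "rds:ModifyDBCluster",
        "rds:DeleteDBCluster"
      ],
      "Resource": "arn:aws:rds:*:*:cluster:*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/Tier": "production" },
        "ArnNotLike": { "aws:PrincipalArn": "${role_arn}" }
      }
    }
  ]
}
EOF
}

# Live path (runs only with --apply): create the SCP in AWS Organizations.
# Requires organizations:CreatePolicy in the management account.
if [ "${1:-}" = "--apply" ]; then
  write_deny_policy "arn:aws:iam::123456789012:role/rds-break-glass" /tmp/rds-deny.json
  aws organizations create-policy --type SERVICE_CONTROL_POLICY \
      --name RdsProtectProdClusters \
      --description "Only the break-glass role may unprotect or delete prod clusters" \
      --content file:///tmp/rds-deny.json
fi
```

Attach the resulting SCP to the OU that holds the production accounts, and keep the break-glass role behind MFA and CloudTrail alerting, since it is now the only path to deleting a protected production cluster.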