RDS Instance Deletion Protection
Overview
This check verifies that deletion protection is enabled on your Amazon RDS database instances. When enabled, deletion protection prevents your database from being accidentally deleted through the AWS Console, CLI, or API.
For Aurora clusters, deletion protection is evaluated at the cluster level rather than on individual instances.
Risk
Without deletion protection, a database can be deleted in a single action. This could lead to:
- Immediate loss of availability for applications depending on the database
- Potential data loss if backups are outdated or missing
- Extended downtime while restoring from backups
- Increased exposure to insider threats, compromised credentials, or automation errors
Remediation Steps
Prerequisites
You need permission to modify RDS instances in your AWS account. Typically this means having the rds:ModifyDBInstance or rds:ModifyDBCluster permission.
Required IAM permissions
For standalone RDS instances:
```json
{
  "Effect": "Allow",
  "Action": "rds:ModifyDBInstance",
  "Resource": "arn:aws:rds:*:*:db:*"
}
```
For Aurora clusters:
```json
{
  "Effect": "Allow",
  "Action": "rds:ModifyDBCluster",
  "Resource": "arn:aws:rds:*:*:cluster:*"
}
```
AWS Console Method
For standalone RDS instances:
- Open the Amazon RDS Console
- In the left navigation, click Databases
- Select the database instance you want to protect
- Click the Modify button
- Scroll down to Additional configuration
- Check the box for Enable deletion protection
- Click Continue
- Under "Schedule modifications", select Apply immediately
- Click Modify DB instance
For Aurora clusters:
- Open the Amazon RDS Console
- In the left navigation, click Databases
- Select your Aurora cluster (the row showing "Regional cluster" or "Writer")
- Click the Modify button
- Scroll down to Additional configuration
- Check the box for Enable deletion protection
- Click Continue
- Under "Schedule modifications", select Apply immediately
- Click Modify cluster
AWS CLI (optional)
Enable deletion protection on a standalone RDS instance:
```bash
aws rds modify-db-instance \
  --db-instance-identifier <your-db-instance-id> \
  --deletion-protection \
  --apply-immediately \
  --region us-east-1
```
Enable deletion protection on an Aurora cluster:
```bash
aws rds modify-db-cluster \
  --db-cluster-identifier <your-cluster-id> \
  --deletion-protection \
  --apply-immediately \
  --region us-east-1
```
Replace <your-db-instance-id> or <your-cluster-id> with your actual database identifier.
To disable deletion protection (if you need to delete the database later):
```bash
aws rds modify-db-instance \
  --db-instance-identifier <your-db-instance-id> \
  --no-deletion-protection \
  --apply-immediately \
  --region us-east-1
```
CloudFormation (optional)
Set DeletionProtection: true in your RDS instance or cluster resource:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: RDS instance with deletion protection enabled
Parameters:
  DBInstanceIdentifier:
    Type: String
    Description: Unique identifier for the RDS instance
  DBInstanceClass:
    Type: String
    Default: db.t3.micro
    Description: The compute and memory capacity of the DB instance
  Engine:
    Type: String
    Default: mysql
    AllowedValues:
      - mysql
      - postgres
      - mariadb
    Description: The database engine
  MasterUsername:
    Type: String
    Description: Master username for the database
  MasterUserPassword:
    Type: String
    NoEcho: true
    Description: Master password for the database
  AllocatedStorage:
    Type: Number
    Default: 20
    Description: The size of the database (GB)
Resources:
  RDSInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: !Ref DBInstanceIdentifier
      DBInstanceClass: !Ref DBInstanceClass
      Engine: !Ref Engine
      MasterUsername: !Ref MasterUsername
      MasterUserPassword: !Ref MasterUserPassword
      AllocatedStorage: !Ref AllocatedStorage
      DeletionProtection: true
      PubliclyAccessible: false
      StorageEncrypted: true
Outputs:
  DBInstanceEndpoint:
    Description: The connection endpoint for the database
    Value: !GetAtt RDSInstance.Endpoint.Address
```
For Aurora clusters, use AWS::RDS::DBCluster with the same DeletionProtection: true property.
Terraform (optional)
Standalone RDS instance:
```hcl
resource "aws_db_instance" "example" {
  identifier          = "my-database"
  engine              = "mysql"
  engine_version      = "8.0"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "admin"
  password            = "change-me-in-production"
  skip_final_snapshot = true
  publicly_accessible = false
  storage_encrypted   = true

  # Enable deletion protection
  deletion_protection = true

  tags = {
    Name        = "my-database"
    Environment = "production"
  }
}
```
Aurora cluster:
```hcl
resource "aws_rds_cluster" "example" {
  cluster_identifier  = "my-aurora-cluster"
  engine              = "aurora-mysql"
  engine_version      = "8.0.mysql_aurora.3.04.0"
  master_username     = "admin"
  master_password     = "change-me-in-production"
  skip_final_snapshot = true
  storage_encrypted   = true

  # Enable deletion protection at the cluster level
  deletion_protection = true

  tags = {
    Name        = "my-aurora-cluster"
    Environment = "production"
  }
}
```
Verification
After enabling deletion protection, verify the change was applied:
- In the RDS Console, select your database
- Click the Configuration tab
- Look for Deletion protection - it should show Enabled
Verify via AWS CLI
For standalone instances:
```bash
aws rds describe-db-instances \
  --db-instance-identifier <your-db-instance-id> \
  --query 'DBInstances[0].DeletionProtection' \
  --region us-east-1
```
For Aurora clusters:
```bash
aws rds describe-db-clusters \
  --db-cluster-identifier <your-cluster-id> \
  --query 'DBClusters[0].DeletionProtection' \
  --region us-east-1
```
Both commands should return true.
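The two describe commands above check one resource at a time, and the Overview notes that Aurora members must be judged by their cluster's setting rather than their own. The following script is an added example (not Prowler's or AWS's own code) that applies that rule across a whole region: `evaluate()` is a pure function over the dicts that `DescribeDBInstances` / `DescribeDBClusters` return, so it runs offline on the constructed sample at the bottom, while `audit_region()` and `remediate()` call boto3 (assumed installed and configured with the permissions listed under Prerequisites) and use the same `ModifyDBInstance` / `ModifyDBCluster` calls as the CLI commands.

```python
"""Audit RDS deletion protection the way the check above evaluates it.

Added example, not Prowler's or AWS's own code. evaluate() is pure and runs
offline; audit_region() and remediate() need boto3 and AWS credentials.
"""
from __future__ import annotations

from typing import Any


def evaluate(db_instances: list[dict[str, Any]],
             db_clusters: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Return one finding per resource with status PASS, FAIL or SKIP.

    Aurora members carry a DBClusterIdentifier and their own DeletionProtection
    flag is not the one that matters, so they are reported as SKIP; the cluster
    is the resource that passes or fails.
    """
    findings: list[dict[str, str]] = []
    for cluster in db_clusters:
        cid = cluster["DBClusterIdentifier"]
        protected = bool(cluster.get("DeletionProtection", False))
        findings.append({
            "resource": cid,
            "kind": "cluster",
            "status": "PASS" if protected else "FAIL",
            "detail": f"cluster {cid} deletion protection is "
                      f"{'enabled' if protected else 'disabled'}",
        })
    for inst in db_instances:
        iid = inst["DBInstanceIdentifier"]
        cid = inst.get("DBClusterIdentifier")
        if cid:
            findings.append({
                "resource": iid,
                "kind": "cluster-member",
                "status": "SKIP",
                "detail": f"instance {iid} is evaluated through cluster {cid}",
            })
            continue
        protected = bool(inst.get("DeletionProtection", False))
        findings.append({
            "resource": iid,
            "kind": "instance",
            "status": "PASS" if protected else "FAIL",
            "detail": f"instance {iid} deletion protection is "
                      f"{'enabled' if protected else 'disabled'}",
        })
    return findings


def failing(findings: list[dict[str, str]]) -> list[dict[str, str]]:
    """Only the findings that need remediation."""
    return [f for f in findings if f["status"] == "FAIL"]


def remediate(rds_client: Any, findings: list[dict[str, str]],
              apply_immediately: bool = True) -> list[str]:
    """Enable deletion protection on every FAIL finding.

    rds_client is a boto3 RDS client (or any object with the same two
    methods). Returns the identifiers that were modified.
    """
    changed: list[str] = []
    for f in failing(findings):
        if f["kind"] == "cluster":
            rds_client.modify_db_cluster(DBClusterIdentifier=f["resource"],
                                         DeletionProtection=True,
                                         ApplyImmediately=apply_immediately)
        else:
            rds_client.modify_db_instance(DBInstanceIdentifier=f["resource"],
                                          DeletionProtection=True,
                                          ApplyImmediately=apply_immediately)
        changed.append(f["resource"])
    return changed


def audit_region(region: str) -> list[dict[str, str]]:
    """Live audit of one region; paginates so large accounts are covered."""
    import boto3  # assumed installed; only needed against a real account
    rds = boto3.client("rds", region_name=region)
    instances: list[dict[str, Any]] = []
    clusters: list[dict[str, Any]] = []
    for page in rds.get_paginator("describe_db_instances").paginate():
        instances.extend(page["DBInstances"])
    for page in rds.get_paginator("describe_db_clusters").paginate():
        clusters.extend(page["DBClusters"])
    return evaluate(instances, clusters)


# Constructed sample data (not from a real account), shaped like the
# DescribeDBInstances / DescribeDBClusters responses.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "Engine": "postgres", "DeletionProtection": True},
    {"DBInstanceIdentifier": "staging-db", "Engine": "mysql", "DeletionProtection": False},
    # Aurora writer: its instance-level flag is False even though the cluster is
    # protected, so a naive per-instance check would wrongly flag it.
    {"DBInstanceIdentifier": "aurora-writer-1", "Engine": "aurora-mysql",
     "DBClusterIdentifier": "aurora-prod", "DeletionProtection": False},
]
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "aurora-prod", "Engine": "aurora-mysql", "DeletionProtection": True},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_INSTANCES, SAMPLE_CLUSTERS):
        print(f"{f['status']:4} {f['kind']:14} {f['detail']}")
```

Run it as-is to see the sample evaluation (only `staging-db` fails; the Aurora writer is skipped because its cluster is protected). Against a real account, call `audit_region("us-east-1")` and, after reviewing the output, pass the findings and a boto3 RDS client to `remediate()`; keeping the remediation step separate from the audit makes it easy to require a human review in between.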
Additional Resources
- AWS Documentation: Deletion Protection for RDS
- AWS Documentation: Modifying an Amazon RDS DB Instance
- AWS Documentation: Aurora Deletion Protection
- Prowler Check Documentation
Notes
- Aurora clusters: For Aurora databases, deletion protection must be enabled at the cluster level, not on individual instances. The cluster setting protects all instances within it.
- Deleting protected databases: To delete a database with deletion protection enabled, you must first disable the protection. This is intentional - it adds a deliberate step to prevent accidental deletion.
- No downtime: Enabling or disabling deletion protection does not cause any downtime or affect database availability.
- Best practice: Combine deletion protection with:
  - Least-privilege IAM policies that restrict who can modify or delete databases
  - Automated backups with appropriate retention periods
  - Regular backup restoration testing