DocumentDB.5: DocumentDB clusters should have deletion protection
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub DocumentDB.5 check?
DocumentDB.5 checks whether each DocumentDB cluster has the `DeletionProtection` flag enabled. It's a change-triggered Config rule on `AWS::RDS::DBCluster` that reports FAILED for any cluster where the flag is off, lighting up the moment a cluster is created or modified without it.
Why does DocumentDB.5 matter?
With protection off, a single `delete-db-cluster` call, an errant Terraform `destroy`, or a misconfigured automation can take the whole cluster and its data to zero in seconds. Accidental deletion is one of the highest-blast-radius mistakes in the cloud and one of the cheapest to prevent — the flag is free, instant, and reversible, while the cost of not having it is potentially your entire dataset.
How do I fix DocumentDB.5?
- Audit every cluster's protection state.
- Enable deletion protection on each unprotected cluster — no maintenance window needed.
- Bake the flag into provisioning templates so new clusters arrive protected.
- Document the safe path for intentional deletes (disable the flag, then delete).
Remediation script · bash

```bash
# Enable deletion protection on every unprotected standalone RDS instance in a region.
for id in $(aws rds describe-db-instances \
    --query 'DBInstances[?DeletionProtection==`false`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$id" \
    --deletion-protection --apply-immediately
  echo "Protected RDS instance: $id"
done

# Termination-protect every production-tagged CloudFormation stack (eyeball the list first).
aws cloudformation describe-stacks \
  --query "Stacks[?Tags[?Key=='Environment' && Value=='production']].StackName" \
  --output text | tr '\t' '\n' | while read -r stack; do
  aws cloudformation update-termination-protection \
    --stack-name "$stack" --enable-termination-protection
  echo "Protected stack: $stack"
done

# Deletion-protect a production load balancer (LB_ARN must already hold its ARN).
aws elbv2 modify-load-balancer-attributes --load-balancer-arn "$LB_ARN" \
  --attributes Key=deletion_protection.enabled,Value=true
```

Full walkthrough (console steps, edge cases and verification) in the lesson Enable deletion and termination protection.
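The script above covers RDS instances, CloudFormation stacks and load balancers; the added example below (not Emnode's code) applies the same audit-then-fix loop to the DocumentDB clusters that DocumentDB.5 actually scopes to. `evaluate` reproduces the control's PASSED/FAILED verdict offline on a constructed `describe-db-clusters` response, `remediation_commands` emits the matching `aws docdb modify-db-cluster` calls, and `apply_live` is the real path, which assumes boto3 is installed and credentials are configured.

```python
"""Offline evaluation of DocumentDB.5 plus the matching remediation calls."""
import shlex

# Constructed sample shaped like `aws docdb describe-db-clusters` output (not real data).
SAMPLE_RESPONSE = {
    "DBClusters": [
        {"DBClusterIdentifier": "orders-prod", "Engine": "docdb", "DeletionProtection": True},
        {"DBClusterIdentifier": "analytics-dev", "Engine": "docdb", "DeletionProtection": False},
        {"DBClusterIdentifier": "legacy-ci", "Engine": "docdb"},  # flag absent: treat as off
        {"DBClusterIdentifier": "billing-db", "Engine": "aurora-postgresql", "DeletionProtection": False},
    ]
}


def evaluate(response: dict) -> dict:
    """Map each DocumentDB cluster id to PASSED/FAILED the way the control does."""
    results = {}
    for cluster in response.get("DBClusters", []):
        # The docdb API returns every AWS::RDS::DBCluster; only engine "docdb" is in scope here.
        if cluster.get("Engine") != "docdb":
            continue
        protected = bool(cluster.get("DeletionProtection", False))
        results[cluster["DBClusterIdentifier"]] = "PASSED" if protected else "FAILED"
    return results


def remediation_commands(response: dict) -> list:
    """One modify-db-cluster call per FAILED cluster; the change needs no maintenance window."""
    return [
        "aws docdb modify-db-cluster --db-cluster-identifier "
        f"{shlex.quote(cid)} --deletion-protection --apply-immediately"
        for cid, status in evaluate(response).items()
        if status == "FAILED"
    ]


def apply_live(region: str) -> list:
    """Live path: assumes boto3 is installed and credentials for the account are configured."""
    import boto3  # imported here so the offline functions above need no AWS SDK
    docdb = boto3.client("docdb", region_name=region)
    fixed = []
    for cid, status in evaluate(docdb.describe_db_clusters()).items():
        if status == "FAILED":
            docdb.modify_db_cluster(
                DBClusterIdentifier=cid, DeletionProtection=True, ApplyImmediately=True
            )
            fixed.append(cid)
    return fixed
```

Run `evaluate` against a real `describe-db-clusters` dump first to see which clusters would fail, then `apply_live` once the list matches expectations.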
Is DocumentDB.5 a false positive?
Deletion protection is on by default for clusters created in the console, so teams assume it's always set — but clusters created via CLI, SDK, or IaC frequently miss it, which is where the finding shows up.
More DocumentDB controls
- DocumentDB.1 DocumentDB clusters should encrypt at rest
- DocumentDB.2 DocumentDB adequate backup retention
- DocumentDB.3 A DocumentDB manual snapshot is public
- DocumentDB.4 DocumentDB clusters should export audit logs to CW
- DocumentDB.6 DocumentDB clusters should encrypt in transit