AWS Security Hub · RDS
RDS.7: RDS clusters should have deletion protection
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub RDS.7 check?
RDS.7 checks whether the DeletionProtection attribute is set to true on an RDS DB cluster (AWS::RDS::DBCluster — the Aurora, Neptune, and DocumentDB family). It reports FAILED when the flag is off. It is the cluster counterpart to RDS.8, which checks the same flag on standalone instances at Low severity.
Why does RDS.7 matter?
RDS clusters are deletable with a single API call or one console confirmation — no cooling-off period, no undo. Once the delete completes, the cluster, its endpoints, and (unless a final snapshot was requested) its data are gone. With deletion protection on, RDS rejects any DeleteDBCluster request outright until someone first runs a modify call to turn protection off, converting an irreversible one-click action into a deliberate two-step decision that is much harder to trigger by accident or by a misconfigured automation script. A cluster typically fronts a primary plus replicas, so deleting it takes down the whole topology at once.
How do I fix RDS.7?
- Enable it with modify-db-cluster --deletion-protection.
- Default deletion protection to true in IaC for all production clusters.
- When a cluster genuinely must be deleted, disable protection as a separate, logged step first.
- Use a Config rule to flag any cluster that drifts back to unprotected.
Remediation script · bash

    # Enable deletion protection on every unprotected standalone RDS instance in a region.
    for id in $(aws rds describe-db-instances \
        --query 'DBInstances[?DeletionProtection==`false`].DBInstanceIdentifier' --output text); do
        aws rds modify-db-instance --db-instance-identifier "$id" \
            --deletion-protection --apply-immediately
        echo "Protected RDS instance: $id"
    done

    # Termination-protect every production-tagged CloudFormation stack (eyeball the list first).
    aws cloudformation describe-stacks \
        --query "Stacks[?Tags[?Key=='Environment' && Value=='production']].StackName" \
        --output text | tr '\t' '\n' | while read -r stack; do
        aws cloudformation update-termination-protection \
            --stack-name "$stack" --enable-termination-protection
        echo "Protected stack: $stack"
    done

    # Deletion-protect a production load balancer ($LB_ARN must already hold its ARN).
    aws elbv2 modify-load-balancer-attributes --load-balancer-arn "$LB_ARN" \
        --attributes Key=deletion_protection.enabled,Value=true

Full walkthrough (console steps, edge cases and verification) in the lesson Enable deletion and termination protection.
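The script above covers standalone instances, stacks and load balancers. The following script is an added example, not part of this page or the linked lesson, that applies the four fix steps to DB clusters (the resource RDS.7 actually checks): it lists clusters whose DeletionProtection flag is false, turns the flag on with modify-db-cluster, reads the flag back to verify, and keeps the "turn it off before a deliberate delete" path as a separate, logged function. It assumes the AWS CLI v2 with working credentials; the AWS and REGION variables exist only so the calls can be redirected, and any cluster identifiers it prints come from your account.

```shell
#!/bin/sh
# Added example (not from the page or the linked lesson): enforce RDS.7 on DB clusters with the AWS CLI.
# Assumes the AWS CLI v2 is installed and credentials are configured. AWS and REGION can be overridden
# (for instance to point the functions at a stub); no cluster names are hard-coded here.
set -eu

AWS=${AWS:-aws}
REGION=${AWS_REGION:-us-east-1}
PROTECTED_COUNT=0

# Step 4 of the fix, run on demand: identifiers of clusters whose DeletionProtection flag is false.
list_unprotected_clusters() {
    "$AWS" rds describe-db-clusters --region "$REGION" \
        --query 'DBClusters[?DeletionProtection==`false`].DBClusterIdentifier' \
        --output text | tr '\t' '\n' | sed '/^$/d'
}

# Step 1: turn the flag on for one cluster (a cluster-level modify, not the instance-level call).
protect_cluster() {
    "$AWS" rds modify-db-cluster --region "$REGION" \
        --db-cluster-identifier "$1" --deletion-protection --apply-immediately >/dev/null
}

# Read the flag back so the result is verified rather than assumed (text output prints True/False).
verify_cluster() {
    state=$("$AWS" rds describe-db-clusters --region "$REGION" \
        --db-cluster-identifier "$1" \
        --query 'DBClusters[0].DeletionProtection' --output text)
    [ "$state" = "True" ]
}

# Step 3: when a cluster genuinely must go, the flag comes off as its own logged action,
# never as part of the delete call itself.
unprotect_cluster() {
    printf '%s AUDIT: deletion protection removed from cluster %s by %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "${USER:-unknown}" >&2
    "$AWS" rds modify-db-cluster --region "$REGION" \
        --db-cluster-identifier "$1" --no-deletion-protection --apply-immediately >/dev/null
}

# Protect every unprotected cluster and count the ones confirmed protected afterwards.
remediate_all() {
    PROTECTED_COUNT=0
    for id in $(list_unprotected_clusters); do
        protect_cluster "$id"
        if verify_cluster "$id"; then
            echo "Protected RDS cluster: $id"
            PROTECTED_COUNT=$((PROTECTED_COUNT + 1))
        else
            echo "WARNING: $id still reports DeletionProtection=false" >&2
        fi
    done
    echo "Clusters protected: $PROTECTED_COUNT"
}

# Only touch the account when explicitly asked: ./protect-clusters.sh --apply
if [ "${1:-}" = "--apply" ]; then
    remediate_all
fi
```

Run it with --apply to remediate a region; without the flag it only defines the functions, so it can be sourced and list_unprotected_clusters used as a quick drift check alongside the Config rule. The verify step matters because a modify call that is accepted is not the same as a flag that is set: reading DeletionProtection back is what a Security Hub re-evaluation will see.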
More RDS controls
- RDS.1 An RDS snapshot is shared publicly
- RDS.2 An RDS instance is publicly accessible from the internet
- RDS.3 RDS DB instances should be encrypted at rest
- RDS.4 RDS snapshots should be encrypted at rest
- RDS.5 RDS DB instances should use multiple AZs
- RDS.6 RDS lacks enhanced monitoring
- RDS.8 RDS DB instances should have deletion protection
- RDS.9 RDS engine logs are not shipped to CloudWatch
- RDS.10 RDS relies on long-lived database passwords
- RDS.11 RDS instances should have automatic backups
- RDS.12 IAM auth should be configured for RDS clusters
- RDS.13 RDS is not receiving automatic minor security patches