
Enable Aurora Serverless Cluster Deletion Protection

Security

Risk level: Medium (should be achieved)

Ensure that all your Amazon Aurora Serverless databases are protected from accidental deletion by having Deletion Protection feature enabled at the Aurora cluster level.

Deletion protection is a cluster-level flag. While it is enabled, any attempt to delete the cluster, whether made by the root user or an IAM principal and whether through the AWS Management Console, the AWS CLI or a direct API call, is rejected until the flag is explicitly turned off. Enabling it therefore protects your Amazon Aurora Serverless databases, and the data they hold, from accidental deletion caused by a mistyped identifier, a misconfigured automation script or a hasty console action. Note the limit of this control: any principal allowed to call rds:ModifyDBCluster can disable the flag and then delete the cluster, so deletion protection guards against mistakes rather than against a privileged attacker. Pair it with tightly scoped IAM permissions for rds:ModifyDBCluster and rds:DeleteDBCluster, automated backups or snapshots, and CloudTrail monitoring of ModifyDBCluster events that turn the flag off.

Audit

To determine if your Aurora Serverless database clusters are protected against accidental deletion, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under Amazon RDS, click Databases.

04 Click on the name of the Aurora Serverless database cluster that you want to examine. To identify Aurora Serverless clusters, check the value available in the Type column (i.e. Serverless).

05 In the Details panel, under the Configuration section, check the value of the Deletion protection attribute. If the value is Disabled, the Deletion Protection safety feature is not enabled for the selected Amazon Aurora Serverless database cluster.

06 Repeat step no. 4 and 5 to determine the Deletion Protection feature status for other Aurora Serverless clusters available in the current region.

07 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run describe-db-clusters command (OSX/Linux/UNIX) using custom query filters to list the names of all Amazon Aurora Serverless clusters available in the selected AWS region. The filter matches on EngineMode rather than on Engine, so that serverless clusters of every Aurora engine (aurora, aurora-mysql, aurora-postgresql) are returned. Note that Aurora Serverless v2 capacity runs inside clusters whose EngineMode is provisioned, which this filter does not list:

aws rds describe-db-clusters \
	--region us-east-1 \
	--output table \
	--query 'DBClusters[?EngineMode==`serverless`].DBClusterIdentifier | []'

02 The command output should return a table with the requested resource names:

------------------------
|  DescribeDBClusters  |
+----------------------+
|  cc-project5-cluster |
|  cc-aurora-cluster   |
+----------------------+

03 Execute again describe-db-clusters command (OSX/Linux/UNIX) using the name of the serverless database cluster that you want to examine as identifier and custom query filters to get the Deletion Protection feature status for the selected cluster:

aws rds describe-db-clusters \
	--region us-east-1 \
	--db-cluster-identifier cc-project5-cluster \
	--query 'DBClusters[*].DeletionProtection'

04 The command output should return the feature status (true for enabled, false for disabled):

[
    false
]

If the describe-db-clusters command output returns false, as shown in the output example above, the Deletion Protection safety feature is not enabled for the selected Amazon Aurora Serverless database cluster.

05 Repeat step no. 3 and 4 to check the Deletion Protection feature status for other Aurora Serverless clusters available within the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.

Remediation / Resolution

To enable Deletion Protection safety feature for your existing Amazon Aurora Serverless database clusters, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under Amazon RDS, click Databases.

04 Select the serverless database cluster that you want to reconfigure (see Audit section part I to identify the right Amazon Aurora resource).

05 Click the Modify button from the dashboard top menu.

06 On the Modify DB Cluster: <cluster-identifier> page, in the Deletion protection section, select Enable deletion protection checkbox to activate Deletion Protection for the selected Amazon Aurora Serverless cluster.

07 Click Continue to continue the reconfiguration process.

08 Within Summary of modifications section, review the configuration changes that you want to apply to the cluster.

09 In the Scheduling of modifications section, perform one of the following actions based on your requirements:

  1. Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.
  2. Select Apply immediately to apply the changes right away. With this option any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window setting for this Aurora Serverless database cluster. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your application.

10 Click Modify DB Cluster to apply the configuration changes.

11 Repeat steps no. 4 – 10 to enable the feature for other Amazon Aurora Serverless clusters available in the current region.

12 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run modify-db-cluster command (OSX/Linux/UNIX) to enable the Deletion Protection feature for the selected Amazon Aurora Serverless database cluster (see Audit section part II to identify the right resource) by adding the --deletion-protection parameter to the command request. The following command example makes use of the --apply-immediately parameter to apply the configuration change asynchronously and as soon as possible. Any changes waiting in the pending modifications queue are also applied with this request; if any of them require downtime, this option can cause unexpected downtime for your Aurora Serverless application. If you omit --apply-immediately, Amazon Aurora applies the change during the next maintenance window:

aws rds modify-db-cluster \
	--region us-east-1 \
	--db-cluster-identifier cc-project5-cluster \
	--deletion-protection \
	--apply-immediately

02 The command output should return the new configuration metadata for the modified serverless cluster:

{
    "DBCluster": {
        "EngineMode": "serverless",
        "Status": "available",
        "MultiAZ": false,
        "PreferredBackupWindow": "05:07-05:37",
        "DBSubnetGroup": "default",
        "BackupRetentionPeriod": 7,
        "Engine": "aurora",
        "IAMDatabaseAuthenticationEnabled": false,
        "ClusterCreateTime": "2019-04-10T10:14:45.332Z",
        "EngineVersion": "5.6.10a",
 
        ...
 
        "DeletionProtection": true,
        "DBClusterIdentifier": "cc-project5-cluster",
        "DbClusterResourceId": "cluster-AAAABBBBCCCCDDDDAAAABBBBCD",
        "DBClusterMembers": [],
        "StorageEncrypted": true,
        "DBClusterParameterGroup": "default.aurora5.6",
        "AvailabilityZones": [
            "us-east-1a",
            "us-east-1b",
            "us-east-1c"
        ],
        "Port": 3306
    }
}

03 Repeat step no. 1 and 2 to enable the safety feature for other Amazon Aurora Serverless database clusters available in the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
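The Audit (part II) and Remediation (part II) CLI procedures above, combined into one script as an added example that is not part of the original page and not Cloud Conformity's own tooling: it pages through the clusters in every region, reports the serverless ones whose DeletionProtection flag is off, and, when run with a --fix flag (a name chosen for this example, as is --apply-immediately), issues the same modify call and verifies the returned flag. The audit and remediation logic is pure Python and runs offline against the describe-db-clusters response shape; only the live run at the bottom assumes boto3 is installed and AWS credentials are configured. SAMPLE_CLUSTERS is constructed data.

```python
"""Audit every AWS region for Aurora Serverless clusters that have
DeletionProtection disabled, and optionally enable it.

Example code added to this page; it is not Cloud Conformity tooling and not an
AWS-published script. Only main() assumes boto3 and configured credentials.
The --fix and --apply-immediately flags are names chosen for this example.
"""
import sys


def is_serverless(cluster):
    """Aurora Serverless v1 clusters report EngineMode == "serverless" for
    every engine (aurora, aurora-mysql, aurora-postgresql), so the Engine
    attribute is deliberately not checked. Serverless v2 capacity lives in
    clusters that report EngineMode == "provisioned" and is out of scope."""
    return cluster.get("EngineMode") == "serverless"


def find_unprotected(clusters):
    """Return the sorted identifiers of serverless clusters whose
    DeletionProtection flag is false. A missing flag is treated as disabled
    so the audit fails closed rather than silently passing a cluster."""
    return sorted(
        c["DBClusterIdentifier"]
        for c in clusters
        if is_serverless(c) and not c.get("DeletionProtection", False)
    )


def remediation_request(cluster_id, apply_immediately=False):
    """Keyword arguments for rds.modify_db_cluster, equivalent to
    `aws rds modify-db-cluster --deletion-protection [--apply-immediately]`.
    ApplyImmediately=True also flushes any other pending modifications on
    the cluster, which is why it stays off unless explicitly requested."""
    return {
        "DBClusterIdentifier": cluster_id,
        "DeletionProtection": True,
        "ApplyImmediately": apply_immediately,
    }


def list_clusters(rds):
    """Collect every DB cluster in the region the client is bound to.
    describe_db_clusters is paginated; a single call can miss clusters."""
    clusters = []
    for page in rds.get_paginator("describe_db_clusters").paginate():
        clusters.extend(page["DBClusters"])
    return clusters


# Constructed sample shaped like the describe-db-clusters output on this page.
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "cc-project5-cluster", "Engine": "aurora",
     "EngineMode": "serverless", "DeletionProtection": False},
    {"DBClusterIdentifier": "cc-aurora-cluster", "Engine": "aurora-postgresql",
     "EngineMode": "serverless", "DeletionProtection": True},
    {"DBClusterIdentifier": "cc-provisioned-cluster", "Engine": "aurora-mysql",
     "EngineMode": "provisioned", "DeletionProtection": False},
]


def main(argv):
    """Live run: walk all RDS regions, report findings, optionally remediate.
    Returns the number of unprotected serverless clusters found."""
    import boto3
    from botocore.exceptions import ClientError

    apply_fix = "--fix" in argv
    immediately = "--apply-immediately" in argv
    findings = 0
    for region in boto3.session.Session().get_available_regions("rds"):
        rds = boto3.client("rds", region_name=region)
        try:
            unprotected = find_unprotected(list_clusters(rds))
        except ClientError as exc:
            # Typically an opted-out region or a missing rds:DescribeDBClusters
            # permission; report it rather than pretend the region is clean.
            print(f"{region}: skipped ({exc.response['Error']['Code']})")
            continue
        for cluster_id in unprotected:
            findings += 1
            print(f"{region}: {cluster_id} has DeletionProtection disabled")
            if apply_fix:
                resp = rds.modify_db_cluster(
                    **remediation_request(cluster_id, immediately))
                # The response carries the updated flag, as in the page's
                # sample output; verify it rather than assume success.
                assert resp["DBCluster"]["DeletionProtection"] is True
                print(f"{region}: {cluster_id} deletion protection enabled")
    return findings


if __name__ == "__main__":
    # Non-zero exit when any unprotected cluster was found, so the script
    # can gate a pipeline or a scheduled compliance job.
    sys.exit(1 if main(sys.argv[1:]) else 0)
```

Run it with no arguments for a read-only audit across regions (it needs rds:DescribeDBClusters), add --fix to enable protection on each finding (rds:ModifyDBCluster), and add --apply-immediately only if you accept that other pending modifications on those clusters will be applied at the same time.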


Publication date Apr 18, 2019