Each Amazon DocumentDB cluster is evaluated for the deletion_protection setting in its cluster configuration (DeletionProtection in the DescribeDBClusters API response).
The check reports a finding for every cluster where this protection is not enabled.
Risk
Without deletion protection, a cluster can be deleted by mistake or through misuse in a single API call, causing a sudden outage and the loss of the automated backups that are removed together with the cluster, which impacts both availability and data integrity.
A compromised account or faulty automation can remove the cluster and skip the final snapshot, leaving nothing to restore from.
prowler aws --checks documentdb_cluster_deletion_protection
Recommendation
Enable deletion protection on all non-ephemeral clusters, prioritizing production.
Deletion protection is a guardrail, not an access control: any principal allowed to call rds:ModifyDBCluster can turn it off before calling rds:DeleteDBCluster (DocumentDB uses the rds: IAM action namespace). Enforce least privilege on those delete and modify actions, require change control to toggle the setting, and add defense in depth with automation that continuously re-enables it and alerts on CloudTrail ModifyDBCluster events that disable it. Before decommissioning a cluster, take a final snapshot.
Remediation
aws docdb modify-db-cluster --db-cluster-identifier <DB_CLUSTER_ID> --deletion-protection --apply-immediately
- In the AWS Console, go to Amazon DocumentDB > Clusters
- Select the target cluster and click Modify
- Enable Deletion protection
- Check Apply immediately and click Save changes
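The following is an added example, not Prowler's own check code, showing the logic the check applies and how the CLI remediation above can be generated for every failing cluster. It works on a constructed sample of `aws docdb describe-db-clusters` output embedded inline (fictional cluster names and account ID), so it runs offline without AWS credentials. The SKIP status for a cluster in the `deleting` state is this example's own convention: such a cluster cannot be modified, so reporting it as FAIL would produce a remediation command that can never succeed.

```python
import json
import shlex

# Constructed sample of `aws docdb describe-db-clusters` output (not real data):
# one protected cluster, one unprotected cluster, and one already being deleted.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBClusters": [
        {"DBClusterIdentifier": "docdb-prod-orders",
         "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:docdb-prod-orders",
         "Status": "available", "DeletionProtection": True},
        {"DBClusterIdentifier": "docdb-prod-catalog",
         "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:docdb-prod-catalog",
         "Status": "available", "DeletionProtection": False},
        {"DBClusterIdentifier": "docdb-dev-scratch",
         "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:docdb-dev-scratch",
         "Status": "deleting", "DeletionProtection": False},
    ]
})

CHECK_ID = "documentdb_cluster_deletion_protection"


def evaluate_clusters(describe_output, region="us-east-1"):
    """Return one PASS/FAIL/SKIP finding per cluster in the describe-db-clusters JSON."""
    findings = []
    for cluster in json.loads(describe_output).get("DBClusters", []):
        cid = cluster["DBClusterIdentifier"]
        if cluster.get("Status") == "deleting":
            # Example convention: a cluster mid-deletion cannot be modified,
            # so a FAIL here would only yield a remediation that cannot run.
            status = "SKIP"
            msg = f"DocumentDB cluster {cid} is being deleted."
        elif cluster.get("DeletionProtection", False):
            status = "PASS"
            msg = f"DocumentDB cluster {cid} has deletion protection enabled."
        else:
            # A missing DeletionProtection key is treated as disabled (fail closed).
            status = "FAIL"
            msg = f"DocumentDB cluster {cid} does not have deletion protection enabled."
        findings.append({
            "check_id": CHECK_ID,
            "status": status,
            "status_extended": msg,
            "resource_id": cid,
            "resource_arn": cluster.get("DBClusterArn", ""),
            "region": region,
        })
    return findings


def remediation_commands(findings):
    """Build the `aws docdb modify-db-cluster` call for every FAIL finding."""
    cmds = []
    for finding in findings:
        if finding["status"] != "FAIL":
            continue
        # shlex.quote keeps identifiers safe if the command is pasted into a shell.
        cmds.append(" ".join([
            "aws", "docdb", "modify-db-cluster",
            "--region", shlex.quote(finding["region"]),
            "--db-cluster-identifier", shlex.quote(finding["resource_id"]),
            "--deletion-protection", "--apply-immediately",
        ]))
    return cmds


if __name__ == "__main__":
    results = evaluate_clusters(SAMPLE_DESCRIBE_OUTPUT)
    for finding in results:
        print(f"{finding['status']:4} {finding['status_extended']}")
    for cmd in remediation_commands(results):
        print(cmd)
```

To run this against a real account, replace SAMPLE_DESCRIBE_OUTPUT with the output of `aws docdb describe-db-clusters --region <REGION>` and review the generated commands before executing them; the modification is applied immediately and is visible in CloudTrail as a ModifyDBCluster event.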
Resource Type
AwsRdsDbCluster
References
- https://support.icompaas.com/support/solutions/articles/62000233689-ensure-documentdb-clusters-has-deletion-protection-enabled
- https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/DocumentDB/deletion-protection.html
- https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-delete.html
- https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-5