
Check if DocumentDB Clusters have deletion protection enabled.

documentdb_cluster_deletion_protection

Severity: medium
Service: documentdb
by Prowler


Risk

Enabling cluster deletion protection offers an additional layer of protection against accidental database deletion or deletion by an unauthorized user. A DocumentDB cluster can't be deleted while deletion protection is enabled. You must first disable deletion protection before a delete request can succeed.

Run this check with Prowler CLI

prowler aws --checks documentdb_cluster_deletion_protection


ARN template

arn:aws:rds:region:account-id:db-cluster

Remediation

CLI

aws docdb modify-db-cluster --region <REGION> --db-cluster-identifier <DB_CLUSTER_ID> --deletion-protection --apply-immediately

Native IAC

https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DocumentDB/deletion-protection.html#

Terraform

https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DocumentDB/deletion-protection.html#

Other

https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DocumentDB/deletion-protection.html#

WUI

Enable deletion protection for production DocumentDB Clusters.
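The check logic and remediation described above, written out as an added example (not Prowler's own source code): it evaluates the `DeletionProtection` field of each cluster as returned by `describe-db-clusters`, emits a PASS/FAIL finding per cluster, and builds the `modify_db_cluster` parameters that correspond to the CLI remediation. The sample response, cluster names and account ID are constructed; the `boto3` runner assumes the library is installed and credentials are configured.

```python
"""Evaluate DocumentDB clusters for deletion protection (Prowler-style PASS/FAIL)."""
from typing import Optional

# Constructed sample shaped like `aws docdb describe-db-clusters` output.
# Only the fields this check needs are present; identifiers are made up.
SAMPLE_DESCRIBE_DB_CLUSTERS = {
    "DBClusters": [
        {"DBClusterIdentifier": "docdb-prod",
         "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:docdb-prod",
         "DeletionProtection": True},
        {"DBClusterIdentifier": "docdb-dev",
         "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:docdb-dev",
         "DeletionProtection": False},
        # Key absent: treated as unprotected rather than silently passing.
        {"DBClusterIdentifier": "docdb-legacy",
         "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:docdb-legacy"},
    ]
}


def evaluate_clusters(response: dict) -> list:
    """Return one finding per cluster; FAIL unless DeletionProtection is true."""
    findings = []
    for cluster in response.get("DBClusters", []):
        cluster_id = cluster["DBClusterIdentifier"]
        protected = bool(cluster.get("DeletionProtection", False))
        findings.append({
            "check_id": "documentdb_cluster_deletion_protection",
            "resource_id": cluster_id,
            "resource_arn": cluster.get("DBClusterArn", ""),
            "status": "PASS" if protected else "FAIL",
            "status_extended": f"DocumentDB Cluster {cluster_id} "
                               f"{'has' if protected else 'does not have'} deletion protection enabled.",
        })
    return findings


def remediation_params(finding: dict) -> Optional[dict]:
    """Keyword arguments for docdb.modify_db_cluster(), the API behind the CLI fix; None if nothing to do."""
    if finding["status"] != "FAIL":
        return None
    return {"DBClusterIdentifier": finding["resource_id"],
            "DeletionProtection": True, "ApplyImmediately": True}


def run_live(region: str = "us-east-1", apply_fix: bool = False) -> list:
    """Run the check against a real account (assumes boto3 and credentials); optionally remediate."""
    import boto3  # imported lazily so the offline evaluation above needs no dependencies
    docdb = boto3.client("docdb", region_name=region)
    findings = []
    for page in docdb.get_paginator("describe_db_clusters").paginate():
        findings.extend(evaluate_clusters(page))
    for f in findings:
        params = remediation_params(f)
        if apply_fix and params:
            docdb.modify_db_cluster(**params)  # same effect as the `aws docdb modify-db-cluster` command
    return findings
```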


Resource Type

AwsRdsDbCluster
