RDS DB instances are assessed for deletion protection. If an instance belongs to an Aurora cluster, the setting is evaluated at the cluster level; otherwise, it is evaluated on the instance itself.
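The decision rule just described, as an added example that is not Prowler's own code: it walks data shaped like the RDS DescribeDBInstances and DescribeDBClusters responses (only the DBInstanceIdentifier, DBClusterIdentifier and DeletionProtection fields are read) and reports PASS or FAIL per instance; the sample instances and clusters below are constructed, not real account output.

```python
def evaluate_deletion_protection(instances, clusters):
    """Return {DBInstanceIdentifier: (status, message)} for every instance.

    `instances` mirrors the DBInstances list of DescribeDBInstances and
    `clusters` the DBClusters list of DescribeDBClusters. An instance that
    names a DBClusterIdentifier is judged by the cluster's flag and its own
    flag is ignored; a standalone instance is judged by its own flag. A
    referenced cluster missing from `clusters` counts as unprotected
    (fail closed)."""
    cluster_protected = {
        c["DBClusterIdentifier"]: bool(c.get("DeletionProtection", False))
        for c in clusters
    }
    findings = {}
    for inst in instances:
        inst_id = inst["DBInstanceIdentifier"]
        cluster_id = inst.get("DBClusterIdentifier")
        if cluster_id:
            protected = cluster_protected.get(cluster_id, False)
            scope = f"cluster {cluster_id}"
        else:
            protected = bool(inst.get("DeletionProtection", False))
            scope = "instance"
        state = "enabled" if protected else "disabled"
        findings[inst_id] = (
            "PASS" if protected else "FAIL",
            f"RDS instance {inst_id} has deletion protection {state} at {scope} level.",
        )
    return findings


# Constructed sample data, not real account output. The two Aurora members
# carry an instance-level flag that disagrees with their cluster's flag, so
# the result shows which level the check actually consults.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "pg-standalone", "DeletionProtection": True},
    {"DBInstanceIdentifier": "mysql-dev", "DeletionProtection": False},
    {"DBInstanceIdentifier": "aurora-writer", "DBClusterIdentifier": "aurora-prod",
     "DeletionProtection": False},
    {"DBInstanceIdentifier": "aurora-reader", "DBClusterIdentifier": "aurora-test",
     "DeletionProtection": True},
]
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "aurora-prod", "DeletionProtection": True},
    {"DBClusterIdentifier": "aurora-test", "DeletionProtection": False},
]
```

With the sample data, aurora-writer passes although its own flag is off, and aurora-reader fails although its own flag is on, because only the cluster setting counts for clustered instances.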
Risk
Without deletion protection, a user or pipeline can delete a database in one action, causing immediate loss of availability and possible data loss if backups are stale or missing. This heightens exposure to insider misuse, compromised credentials, or faulty automation, increasing recovery time and cost.
prowler aws --checks rds_instance_deletion_protection
Recommendation
Enable deletion protection on production RDS instances and Aurora clusters. Enforce least privilege for delete/modify actions and require change control to disable protection. Use defense in depth with reliable backups and tested restores to limit impact if a deletion occurs.
Remediation
aws rds modify-db-instance --db-instance-identifier <db_instance_id> --deletion-protection --apply-immediately
- In the AWS console, go to RDS > Databases
- For a standalone DB instance: select the instance > Modify > enable Deletion protection > Continue > Apply immediately > Modify DB instance
- For an Aurora/clustered instance: switch to the cluster (Writer) > Modify > enable Deletion protection > Continue > Apply immediately > Modify cluster
Resource Type
AwsRdsDbInstance