Lack of protection against deletion - RDS

Description

The current configuration has no protection against deletion, which can lead to the deletion of databases in Amazon Web Services RDS.

Impact

A database can be deleted by mistake, or deliberately, without having to go through any additional validation.

Recommendation

Securely configure the Amazon Web Services RDS service by enabling protection against accidental deletion.

Threat

Attacker with access to the AWS console.

Expected Remediation Time

⌚ 30 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: H
  • User interaction: R
  • Scope: U
  • Confidentiality: N
  • Integrity: H
  • Availability: H

Temporal

  • Exploit code maturity: P
  • Remediation level: O
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H/E:P/RL:O/RC:X
  • Score:
    • Base: 6.1
    • Temporal: 5.5
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

All resources have a secure protection mechanism against deletion.

# Terraform (HCL)
resource "aws_db_instance" "default" {
  allocated_storage       = 10
  engine                  = "mysql"
  engine_version          = "5.7"
  instance_class          = "db.t3.micro"
  name                    = "mydb"
  username                = "foo"
  deletion_protection     = true
  password                = "foobarbaz"
  backup_retention_period = 7
  parameter_group_name    = "default.mysql5.7"
  skip_final_snapshot     = true
}

# CloudFormation (YAML)
Resources:
  RDSCluster1:
    Type: "AWS::RDS::DBCluster"
    Properties:
      BackupRetentionPeriod: 2
      DBClusterParameterGroupName:
        Ref: RDSDBClusterParameterGroup
      DBSubnetGroupName:
        Ref: DBSubnetGroup
      Engine: aurora
      MasterUserPassword:
        Ref: password
      MasterUsername:
        Ref: username
      StorageEncrypted: true
      # Deletion protection for Aurora is set on the cluster, not its instances
      DeletionProtection: true

Non compliant code

The resource does not have any protection against deletion.

# Terraform (HCL)
resource "aws_db_instance" "default" {
  allocated_storage       = 10
  engine                  = "mysql"
  engine_version          = "5.7"
  instance_class          = "db.t3.micro"
  name                    = "mydb"
  username                = "foo"
  deletion_protection     = false
  password                = "foobarbaz"
  backup_retention_period = 0
  parameter_group_name    = "default.mysql5.7"
  skip_final_snapshot     = true
}

# CloudFormation (YAML): DeletionProtection is omitted, so it defaults to false
Resources:
  RDSCluster1:
    Type: "AWS::RDS::DBCluster"
    Properties:
      BackupRetentionPeriod: 0
      DBClusterParameterGroupName:
        Ref: RDSDBClusterParameterGroup
      DBSubnetGroupName:
        Ref: DBSubnetGroup
      Engine: aurora
      MasterUserPassword:
        Ref: password
      MasterUsername:
        Ref: username
      StorageEncrypted: true

Using the AWS CLI, verify that the RDS instances are protected against deletion.

$ aws rds describe-db-instances \
    --region us-east-1 \
    --db-instance-identifier {resource_identifier} \
    --query 'DBInstances[*].DeletionProtection'

If the command output returns false, deletion protection is not enabled.
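The single-instance query above does not scale to an account and gives a misleading answer for Aurora members, where DeletionProtection lives on the cluster. The following added example (not part of the original page) evaluates the JSON produced by `aws rds describe-db-instances` and `aws rds describe-db-clusters` and lists every resource that lacks deletion protection; the sample data is constructed.

```python
"""Evaluate RDS deletion-protection state from describe-db-* JSON output."""
import json
from typing import Any, Dict, List

# Constructed sample output (not real account data): one standalone MySQL
# instance without protection, one protected Aurora cluster and one member.
SAMPLE_INSTANCES = json.loads("""{"DBInstances": [
  {"DBInstanceIdentifier": "mydb", "Engine": "mysql",
   "DeletionProtection": false, "BackupRetentionPeriod": 0},
  {"DBInstanceIdentifier": "aurora-writer", "Engine": "aurora",
   "DBClusterIdentifier": "RDSCluster1", "DeletionProtection": false,
   "BackupRetentionPeriod": 2}]}""")
SAMPLE_CLUSTERS = json.loads("""{"DBClusters": [
  {"DBClusterIdentifier": "RDSCluster1", "Engine": "aurora",
   "DeletionProtection": true, "BackupRetentionPeriod": 2}]}""")


def find_unprotected(instances: Dict[str, Any],
                     clusters: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per RDS resource whose DeletionProtection is not true.

    Instances that belong to a cluster are skipped: the DeletionProtection
    setting does not apply to Aurora instances, the cluster carries it, so
    flagging the member would be a false positive.
    """
    findings: List[Dict[str, Any]] = []
    for inst in instances.get("DBInstances", []):
        if inst.get("DBClusterIdentifier"):
            continue  # evaluated through its cluster below
        if inst.get("DeletionProtection") is not True:
            findings.append({"type": "instance",
                             "id": inst["DBInstanceIdentifier"],
                             "backup_retention_period":
                                 inst.get("BackupRetentionPeriod", 0)})
    for cl in clusters.get("DBClusters", []):
        if cl.get("DeletionProtection") is not True:
            findings.append({"type": "cluster",
                             "id": cl["DBClusterIdentifier"],
                             "backup_retention_period":
                                 cl.get("BackupRetentionPeriod", 0)})
    return findings


if __name__ == "__main__":
    for f in find_unprotected(SAMPLE_INSTANCES, SAMPLE_CLUSTERS):
        print(f"UNPROTECTED {f['type']} {f['id']} "
              f"(backup retention {f['backup_retention_period']} days)")
```

Feed it real data by saving both CLI outputs with `--output json` and loading them with `json.load`; a retention period of 0 on an unprotected resource means deletion is also unrecoverable.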

Requirements