AWS RDS Deletion Protection disabled

ID: aws_rds_deletion_protection_disabled
Data type: AWS CloudTrail
Severity: Informational - Low
MITRE ATT&CK: TA0005:T1562

Description

AlphaSOC detected that AWS Relational Database Service (RDS) Deletion Protection was disabled for a database instance, cluster or global cluster of instances. Deletion Protection is a safeguard that prevents accidental or malicious deletion of RDS databases. Disabling it removes this critical security control, potentially exposing databases to unauthorized deletion. Actions initiated by AWS services are exempt from detection to avoid false positives.

Impact

Disabling RDS Deletion Protection significantly increases the risk of data loss and service disruption. Without this safeguard, databases become vulnerable to accidental deletion by authorized users or intentional deletion by threat actors who have gained access to the AWS environment. This can result in extended downtime, data loss, and potential compliance violations.

Severity

| Severity | Condition |
|---|---|
| Informational | Disabled RDS Deletion Protection |
| Low | Disabled RDS Deletion Protection by a client with an unexpected user agent |
| Low | Disabled RDS Deletion Protection by a client IP within an unexpected ASN |
| Low | Disabled RDS Deletion Protection by a client accompanied by an unexpected action |

Investigation and Remediation

Review AWS CloudTrail logs to identify the user or role that disabled the Deletion Protection. If unauthorized, immediately re-enable Deletion Protection for affected databases. Determine if any deletion attempts were made while protection was disabled.
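
One way to run the review above against exported CloudTrail records (an added example, not AlphaSOC's detection logic): it reports who disabled Deletion Protection and pairs each disable event with any delete attempts made before protection was re-enabled. The `requestParameters` key names and the `AWSService`/`invokedBy` exemption test are assumptions about the CloudTrail record format, and all sample events are constructed.

```python
# Added example: CloudTrail field names are assumptions; every event below is constructed.
RESOURCE_KEY = {"DBInstance": "dBInstanceIdentifier", "DBCluster": "dBClusterIdentifier",
                "GlobalCluster": "globalClusterIdentifier"}
MODIFY = {"Modify" + k: v for k, v in RESOURCE_KEY.items()}
DELETE = {"Delete" + k: v for k, v in RESOURCE_KEY.items()}

def by_aws_service(event):  # service-initiated calls are exempt, per the rule description
    ident = event.get("userIdentity") or {}
    return ident.get("type") == "AWSService" or "invokedBy" in ident

def unprotected_windows(events):
    """One finding per successful disable, with delete attempts seen before re-enable."""
    open_windows, findings = {}, []
    for ev in sorted(events, key=lambda e: e["eventTime"]):  # ISO 8601 UTC sorts as text
        name, params = ev.get("eventName"), ev.get("requestParameters") or {}
        if name in MODIFY and "deletionProtection" in params and not ev.get("errorCode"):
            resource = (MODIFY[name], params.get(MODIFY[name]))
            if params["deletionProtection"] is True:
                # Close the window; the default {} absorbs a re-enable with no open window.
                open_windows.pop(resource, {})["reenabled_at"] = ev["eventTime"]
            elif params["deletionProtection"] is False and not by_aws_service(ev):
                finding = {"resource": resource[1], "disabled_at": ev["eventTime"],
                           "actor": (ev.get("userIdentity") or {}).get("arn"),
                           "source_ip": ev.get("sourceIPAddress"),
                           "user_agent": ev.get("userAgent"),
                           "reenabled_at": None, "delete_attempts": []}
                findings.append(finding)
                open_windows[resource] = finding
        elif name in DELETE:
            window = open_windows.get((DELETE[name], params.get(DELETE[name])))
            if window:  # failed attempts are recorded too, with their error code
                window["delete_attempts"].append(
                    (ev["eventTime"], name, ev.get("errorCode") or "succeeded"))
    return findings

def sample(time, name, res_id, who, protect=None, error=None):  # constructed record
    params = {RESOURCE_KEY[name[6:]]: res_id}
    if protect is not None:
        params["deletionProtection"] = protect
    ident = {"type": "AWSService", "invokedBy": who} if "amazonaws" in who else {"arn": who}
    return {"eventTime": f"2024-05-01T{time}Z", "eventName": name, "errorCode": error,
            "requestParameters": params, "userIdentity": ident,
            "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli"}

ALICE = "arn:aws:iam::111122223333:user/alice"
SAMPLE_EVENTS = [
    sample("09:00:00", "ModifyDBCluster", "etl", "rds.amazonaws.com", protect=False),
    sample("10:00:00", "ModifyDBInstance", "orders-db", ALICE, protect=False),
    sample("10:05:00", "DeleteDBInstance", "orders-db", ALICE, error="AccessDenied"),
    sample("10:06:00", "DeleteDBInstance", "orders-db", ALICE),
    sample("11:00:00", "ModifyDBCluster", "reports", ALICE, protect=False),
    sample("11:30:00", "ModifyDBCluster", "reports", ALICE, protect=True)]
```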

Known False Positives

  • Testing or development environments where rapid creation and deletion of databases is required