AWS RDS Deletion Protection disabled unexpectedly
Description
AlphaSOC detected that AWS Relational Database Service (RDS) Deletion Protection was disabled for a database instance, cluster, or global cluster. Deletion Protection is a safeguard that prevents accidental or malicious deletion of RDS databases: while it is enabled, delete requests against the instance or cluster are rejected. Disabling it removes this control and exposes the database to unauthorized deletion. Actions initiated by AWS services are exempt from detection to avoid false positives.
Impact
Disabling RDS Deletion Protection significantly increases the risk of data loss and service disruption. Without this safeguard, databases become vulnerable to accidental deletion by authorized users or intentional deletion by threat actors who have gained access to the AWS environment, which can result in extended downtime, permanent data loss, and compliance violations.
Severity
| Severity | Condition |
|---|---|
| Informational | Disabled RDS Deletion Protection |
| Low | Disabled RDS Deletion Protection by a client with an unexpected user agent |
| Low | Disabled RDS Deletion Protection by a client IP within an unexpected ASN |
| Low | Disabled RDS Deletion Protection by a client accompanied by an unexpected action |
Investigation and Remediation
Review AWS CloudTrail logs to identify the user or role that disabled Deletion Protection: look for the ModifyDBInstance, ModifyDBCluster or ModifyGlobalCluster call whose request parameters set deletionProtection to false, and note the source IP address and user agent, since these drive the severity conditions above. If the change was unauthorized, immediately re-enable Deletion Protection for the affected databases (for example with the AWS CLI's modify-db-instance, modify-db-cluster or modify-global-cluster command and the --deletion-protection flag). Determine whether any DeleteDBInstance, DeleteDBCluster or DeleteGlobalCluster calls were made against the same resource while protection was disabled, including failed ones, and whether the same principal performed other unexpected actions around the same time.
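The triage steps above, as an added example that is not AlphaSOC's detection code or an AWS tool: it walks CloudTrail records exported to JSON (the `{"Records": [...]}` document a trail writes to S3), finds the calls that set deletionProtection to false, attributes each one to a principal with its source IP and user agent, checks for DeleteDB* calls against the same resource afterwards, and prints the CLI command that restores the control. The trail records, account ID, ARNs and database identifiers are constructed for this example.

```python
"""Triage helper for the 'RDS Deletion Protection disabled' alert (added example)."""
import json
from datetime import datetime, timezone

# RDS API call -> (requestParameters key holding the resource, CLI subcommand, CLI flag)
MODIFY_CALLS = {
    "ModifyDBInstance": ("dBInstanceIdentifier", "modify-db-instance", "--db-instance-identifier"),
    "ModifyDBCluster": ("dBClusterIdentifier", "modify-db-cluster", "--db-cluster-identifier"),
    "ModifyGlobalCluster": ("globalClusterIdentifier", "modify-global-cluster", "--global-cluster-identifier"),
}
DELETE_CALLS = {
    "DeleteDBInstance": "dBInstanceIdentifier",
    "DeleteDBCluster": "dBClusterIdentifier",
    "DeleteGlobalCluster": "globalClusterIdentifier",
}

# Constructed sample trail (made-up account, principals and identifiers).
ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:sts::123456789012:assumed-role/DevOps/bob"


def _rec(time, name, arn, ip, ua, params, error=None, itype="IAMUser"):
    r = {"eventTime": time, "eventSource": "rds.amazonaws.com", "eventName": name,
         "userIdentity": {"type": itype, "arn": arn}, "sourceIPAddress": ip,
         "userAgent": ua, "requestParameters": params}
    if error:
        r["errorCode"] = error
    return r


SAMPLE_TRAIL = json.dumps({"Records": [
    # Delete rejected while protection was still on: before the exposure window.
    _rec("2024-05-01T10:00:00Z", "DeleteDBInstance", ALICE, "203.0.113.7", "aws-cli/2.15.0",
         {"dBInstanceIdentifier": "prod-orders", "skipFinalSnapshot": True},
         error="InvalidParameterCombination"),
    _rec("2024-05-01T10:02:00Z", "ModifyDBInstance", ALICE, "203.0.113.7", "aws-cli/2.15.0",
         {"dBInstanceIdentifier": "prod-orders", "deletionProtection": False}),
    _rec("2024-05-01T10:05:00Z", "DeleteDBInstance", ALICE, "203.0.113.7", "aws-cli/2.15.0",
         {"dBInstanceIdentifier": "prod-orders", "skipFinalSnapshot": True}),
    _rec("2024-05-01T11:00:00Z", "ModifyDBCluster", BOB, "198.51.100.4", "console.amazonaws.com",
         {"dBClusterIdentifier": "dev-cluster", "deletionProtection": False}, itype="AssumedRole"),
    # Service-initiated change: exempt, as the alert itself exempts AWS services.
    _rec("2024-05-01T11:10:00Z", "ModifyDBCluster", None, "rds.amazonaws.com", "rds.amazonaws.com",
         {"dBClusterIdentifier": "dev-cluster", "deletionProtection": False}, itype="AWSService"),
    # Turning protection back on is not a finding.
    _rec("2024-05-01T11:20:00Z", "ModifyDBCluster", BOB, "198.51.100.4", "console.amazonaws.com",
         {"dBClusterIdentifier": "dev-cluster", "deletionProtection": True}, itype="AssumedRole"),
]})


def event_time(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_records(trail_json):
    """Parse a CloudTrail JSON document and return its records in time order."""
    return sorted(json.loads(trail_json)["Records"], key=event_time)


def find_protection_disables(records):
    """Successful Modify* calls that set deletionProtection=false, excluding AWS service principals."""
    findings = []
    for r in records:
        spec = MODIFY_CALLS.get(r.get("eventName"))
        if spec is None or r.get("eventSource") != "rds.amazonaws.com" or "errorCode" in r:
            continue
        params = r.get("requestParameters") or {}
        if params.get("deletionProtection") is not False:
            continue
        identity = r.get("userIdentity", {})
        if identity.get("type") == "AWSService":
            continue
        key, subcommand, flag = spec
        findings.append({
            "resource": params[key], "time": event_time(r), "principal": identity.get("arn"),
            "source_ip": r.get("sourceIPAddress"), "user_agent": r.get("userAgent"),
            # Command that restores the control once the change is confirmed unauthorized.
            "remediation": f"aws rds {subcommand} {flag} {params[key]} --deletion-protection",
        })
    return findings


def deletion_attempts_after(records, finding):
    """Delete* calls on the same resource at or after the disable; failed calls count as attempts."""
    attempts = []
    for r in records:
        key = DELETE_CALLS.get(r.get("eventName"))
        if key is None or r.get("eventSource") != "rds.amazonaws.com":
            continue
        params = r.get("requestParameters") or {}
        if params.get(key) != finding["resource"] or event_time(r) < finding["time"]:
            continue
        attempts.append({"time": event_time(r), "principal": r.get("userIdentity", {}).get("arn"),
                         "succeeded": "errorCode" not in r, "error": r.get("errorCode")})
    return attempts


if __name__ == "__main__":
    records = load_records(SAMPLE_TRAIL)
    for f in find_protection_disables(records):
        print(f"{f['time']:%Y-%m-%d %H:%M}Z {f['resource']} unprotected by {f['principal']} "
              f"from {f['source_ip']} ({f['user_agent']})")
        for a in deletion_attempts_after(records, f):
            status = "succeeded" if a["succeeded"] else f"failed ({a['error']})"
            print(f"  delete attempt at {a['time']:%H:%M}Z by {a['principal']}: {status}")
        print(f"  re-enable: {f['remediation']}")
```

Against the sample trail the script reports prod-orders unprotected by alice via the CLI and deleted three minutes later, and dev-cluster unprotected by bob from the console with no deletion attempt; the service-initiated change and the re-enable are ignored. The rejected delete at 10:00 falls before the disable and is therefore not counted as exposure, but a DeleteDB* call that fails with a protection error immediately before the change is itself worth noting as intent.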
Known False Positives
- Testing or development environments where rapid creation and deletion of databases is required