RDS DB instances must have deletion protection enabled to prevent accidental or unauthorized deletion, which can cause irreversible data loss and service downtime. In AWS CloudFormation, the DeletionProtection property of AWS::RDS::DBInstance resources must be defined and set to true. Resources that omit this property, or that set DeletionProtection to false, are flagged. Deletion protection does not replace regular snapshots or backups, so keep those configured as well.
Compliant Code Examples

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: RDS Storage Encrypted
Parameters:
  SourceDBInstanceIdentifier:
    Type: String
  DBInstanceType:
    Type: String
  SourceRegion:
    Type: String
Resources:
  MyKey:
    Type: "AWS::KMS::Key"
    Properties:
      KeyPolicy:
        Version: 2012-10-17
        Id: key-default-1
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Join
                - ""
                - - "arn:aws:iam::"
                  - !Ref "AWS::AccountId"
                  - ":root"
            Action: "kms:*"
            Resource: "*"
  MyDBSmall:
    Type: "AWS::RDS::DBInstance"
    Properties:
      DBInstanceClass: !Ref DBInstanceType
      SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier
      SourceRegion: !Ref SourceRegion
      DeletionProtection: true
      KmsKeyId: !Ref MyKey
Outputs:
  InstanceId:
    Description: InstanceId of the newly created RDS Instance
    Value: !Ref MyDBSmall
```
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "RDS Storage Encrypted",
  "Parameters": {
    "DBInstanceType": { "Type": "String" },
    "SourceRegion": { "Type": "String" },
    "SourceDBInstanceIdentifier": { "Type": "String" }
  },
  "Resources": {
    "MyKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "KeyPolicy": {
          "Id": "key-default-1",
          "Statement": [
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": {
                "AWS": { "Fn::Join": ["", ["arn:aws:iam::", { "Ref": "AWS::AccountId" }, ":root"]] }
              },
              "Action": "kms:*",
              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
        }
      }
    },
    "MyDBSmall": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "SourceDBInstanceIdentifier": { "Ref": "SourceDBInstanceIdentifier" },
        "SourceRegion": { "Ref": "SourceRegion" },
        "DeletionProtection": true,
        "KmsKeyId": { "Ref": "MyKey" },
        "DBInstanceClass": { "Ref": "DBInstanceType" }
      }
    }
  },
  "Outputs": {
    "InstanceId": {
      "Description": "InstanceId of the newly created RDS Instance",
      "Value": { "Ref": "MyDBSmall" }
    }
  }
}
```
Non-Compliant Code Examples
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: RDS Storage Encrypted
Parameters:
  SourceDBInstanceIdentifier:
    Type: String
  DBInstanceType:
    Type: String
  SourceRegion:
    Type: String
Resources:
  MyKey:
    Type: "AWS::KMS::Key"
    Properties:
      KeyPolicy:
        Version: 2012-10-17
        Id: key-default-1
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Join
                - ""
                - - "arn:aws:iam::"
                  - !Ref "AWS::AccountId"
                  - ":root"
            Action: "kms:*"
            Resource: "*"
  MyDBSmall:
    Type: "AWS::RDS::DBInstance"
    Properties:
      DBInstanceClass: !Ref DBInstanceType
      SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier
      SourceRegion: !Ref SourceRegion
      DeletionProtection: false
      KmsKeyId: !Ref MyKey
Outputs:
  InstanceId:
    Description: InstanceId of the newly created RDS Instance
    Value: !Ref MyDBSmall
```
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: RDS Storage Encrypted
Parameters:
  SourceDBInstanceIdentifier:
    Type: String
  DBInstanceType:
    Type: String
  SourceRegion:
    Type: String
Resources:
  MyKey1:
    Type: "AWS::KMS::Key"
    Properties:
      KeyPolicy:
        Version: 2012-10-17
        Id: key-default-1
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Join
                - ""
                - - "arn:aws:iam::"
                  - !Ref "AWS::AccountId"
                  - ":root"
            Action: "kms:*"
            Resource: "*"
  MyDBSmall1:
    Type: "AWS::RDS::DBInstance"
    Properties:
      DBInstanceClass: !Ref DBInstanceType
      SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier
      SourceRegion: !Ref SourceRegion
      # DeletionProtection is omitted entirely, so the instance is not protected
      KmsKeyId: !Ref MyKey1
Outputs:
  InstanceId:
    Description: InstanceId of the newly created RDS Instance
    Value: !Ref MyDBSmall1
```
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "RDS Storage Encrypted",
  "Parameters": {
    "SourceDBInstanceIdentifier": { "Type": "String" },
    "DBInstanceType": { "Type": "String" },
    "SourceRegion": { "Type": "String" }
  },
  "Resources": {
    "MyKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Principal": {
                "AWS": { "Fn::Join": ["", ["arn:aws:iam::", { "Ref": "AWS::AccountId" }, ":root"]] }
              },
              "Action": "kms:*",
              "Resource": "*",
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow"
            }
          ]
        }
      }
    },
    "MyDBSmall": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "DBInstanceClass": { "Ref": "DBInstanceType" },
        "SourceDBInstanceIdentifier": { "Ref": "SourceDBInstanceIdentifier" },
        "SourceRegion": { "Ref": "SourceRegion" },
        "DeletionProtection": false,
        "KmsKeyId": { "Ref": "MyKey" }
      }
    }
  },
  "Outputs": {
    "InstanceId": {
      "Description": "InstanceId of the newly created RDS Instance",
      "Value": { "Ref": "MyDBSmall" }
    }
  }
}
```
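The check this rule performs can be reproduced locally as a pre-commit or CI gate. The following Python script is an added example, not Datadog's rule implementation: it walks the Resources section of a JSON-format CloudFormation template and reports every AWS::RDS::DBInstance whose DeletionProtection is absent (CloudFormation defaults the property to false), set to false, or set to anything other than a literal true. Values produced by intrinsic functions such as Ref cannot be evaluated statically, so the check conservatively reports them as well. The sample template embedded at the bottom is constructed for the example; a YAML template would first need to be converted to JSON (for instance with the cfn-flip tool) or loaded with constructors registered for the short-form tags such as !Ref and !Join.

```python
import json
from typing import Any, Dict, List

RDS_INSTANCE_TYPE = "AWS::RDS::DBInstance"


def is_literal_true(value: Any) -> bool:
    """Accept only a boolean true or the quoted string "true".

    An intrinsic such as {"Ref": "SomeParameter"} cannot be resolved without
    deploying the stack, so it deliberately does not count as enabled.
    """
    if value is True:
        return True
    return isinstance(value, str) and value.strip().lower() == "true"


def find_unprotected_rds_instances(template: Dict[str, Any]) -> List[str]:
    """Return logical IDs of AWS::RDS::DBInstance resources that are not
    protected: DeletionProtection omitted (defaults to false), false, or not
    a literal true. Non-RDS resources are ignored."""
    findings: List[str] = []
    resources = template.get("Resources") or {}
    for logical_id, resource in resources.items():
        if not isinstance(resource, dict) or resource.get("Type") != RDS_INSTANCE_TYPE:
            continue
        properties = resource.get("Properties") or {}
        if not is_literal_true(properties.get("DeletionProtection")):
            findings.append(logical_id)
    return findings


def scan_template_json(text: str) -> List[str]:
    """Parse a JSON-format CloudFormation template and run the check."""
    return find_unprotected_rds_instances(json.loads(text))


# Constructed sample template (not from any real stack): one compliant
# instance, one with the property set to false, one with it omitted, and a
# KMS key to show that other resource types are skipped.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "MyKey": {"Type": "AWS::KMS::Key", "Properties": {"KeyPolicy": {}}},
        "ProtectedDb": {
            "Type": RDS_INSTANCE_TYPE,
            "Properties": {"DBInstanceClass": "db.t3.micro",
                           "DeletionProtection": True},
        },
        "DisabledDb": {
            "Type": RDS_INSTANCE_TYPE,
            "Properties": {"DBInstanceClass": "db.t3.micro",
                           "DeletionProtection": False},
        },
        "MissingDb": {
            "Type": RDS_INSTANCE_TYPE,
            "Properties": {"DBInstanceClass": "db.t3.micro"},
        },
    },
})

if __name__ == "__main__":
    for logical_id in scan_template_json(SAMPLE_TEMPLATE):
        print(f"{logical_id}: AWS::RDS::DBInstance without DeletionProtection: true")
```

Run against the embedded sample, the script reports DisabledDb and MissingDb and stays silent about ProtectedDb and the KMS key. Because the check is purely syntactic, a template that drives DeletionProtection from a parameter is also reported; in that case decide explicitly whether the parameter default should be true rather than silencing the finding.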
```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```