Terraform Missing Deletion Protection
Description
Identifies AWS RDS database instances and clusters configured without deletion protection in Terraform code. When deletion protection is disabled, databases can be accidentally deleted, potentially causing data loss and service disruption in production environments.
Detection Strategy
• Scans Terraform configuration files for AWS RDS resource definitions (aws_db_instance and aws_rds_cluster)
• Checks if the deletion_protection parameter is either set to false or missing from the resource configuration
• Reports a vulnerability when an RDS resource is found without proper deletion protection enabled
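The detection strategy above, as an added example that is not Fluid Attacks' own scanner: a simplified Python matcher that locates aws_db_instance and aws_rds_cluster blocks in a constructed Terraform snippet and reports each one whose deletion_protection is missing or not the literal true (variables cannot be evaluated statically, so they are reported too).

```python
import re

# Constructed sample Terraform configuration for this example (not from the page).
SAMPLE_TF = """
resource "aws_rds_cluster" "vulnerable_example" {
  cluster_identifier  = "demo-cluster"
  deletion_protection = false   # explicitly disabled
  tags = { env = "demo" }
}

resource "aws_db_instance" "missing_flag" {
  identifier     = "demo-instance"
  instance_class = "db.t3.micro"
}

resource "aws_db_instance" "secure_example" {
  identifier          = "demo-instance-2"
  deletion_protection = true
}

resource "aws_s3_bucket" "unrelated" {
  bucket = "demo-bucket"
}
"""

RDS_TYPES = {"aws_db_instance", "aws_rds_cluster"}
BLOCK_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*deletion_protection\s*=\s*(\S+)', re.M)


def _block_body(text, start):
    """Return the text between the '{' at `start` and its matching '}'."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in Terraform source")


def find_unprotected_rds(text):
    """Return (type, name, reason) for each RDS resource lacking deletion protection."""
    findings = []
    for m in BLOCK_RE.finditer(text):
        rtype, name = m.group(1), m.group(2)
        if rtype not in RDS_TYPES:
            continue  # only RDS instances and clusters are in scope
        body = _block_body(text, m.end() - 1)
        attr = ATTR_RE.search(body)
        if attr is None:
            findings.append((rtype, name, "missing"))
        elif attr.group(1) != "true":
            findings.append((rtype, name, f"set to {attr.group(1)}"))
    return findings
```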
Vulnerable code example
resource "aws_rds_cluster" "vulnerable_example" {
  cluster_identifier      = "demo-cluster"
  deletion_protection     = false # Vulnerable: No deletion protection enabled
  master_username         = "admin"
  master_password         = "secretpass123" # Vulnerable: Hardcoded credentials
  backup_retention_period = 0 # Vulnerable: Automated backups disabled
  skip_final_snapshot     = true
}
✅ Secure code example
resource "aws_rds_cluster" "secure_example" {
  cluster_identifier      = "demo-cluster"
  deletion_protection     = true # Enable deletion protection to prevent accidental deletion
  master_username         = var.db_username # Use variables instead of hardcoded credentials
  master_password         = var.db_password
  backup_retention_period = 7 # Enable automated backups with 7-day retention
  skip_final_snapshot     = false # Create final snapshot before deletion
  preferred_backup_window = "03:00-05:00" # Set backup window during off-peak hours
  ...
}