Json Yaml Missing Deletion Protection
Description
Detects AWS RDS database resources in CloudFormation templates that are configured without deletion protection. When deletion protection is disabled, database instances or clusters can be accidentally or maliciously deleted, potentially causing data loss and service disruption.
Detection Strategy
• Look for CloudFormation resource definitions of type 'AWS::RDS::DBCluster' or 'AWS::RDS::DBInstance'
• Check if the resource properties include deletion protection configuration
• Report a vulnerability if deletion protection is either set to false or missing from the configuration
• Each RDS resource without proper deletion protection will trigger a separate vulnerability finding
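The detection strategy above, as an added example (my own code, not Fluid Attacks' analyzer): it loads a CloudFormation template from JSON, or from YAML when PyYAML is installed, and reports every RDS resource whose DeletionProtection is not a literal true. Assumptions: the template is a single file with a top-level Resources map, and values set through intrinsic functions (!Ref, !If) are reported as unverifiable rather than resolved.

```python
"""Flag AWS::RDS::DBInstance / DBCluster resources whose DeletionProtection is not true."""
import json

RDS_TYPES = {"AWS::RDS::DBInstance", "AWS::RDS::DBCluster"}

def load_template(text):
    """Parse JSON, or YAML when PyYAML is installed. Short-form intrinsics (!Sub, !Ref, !If)
    are kept as {"!Tag": value} so the file still loads; plain yaml.safe_load rejects them."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        import yaml  # optional dependency, only needed for YAML templates
        class CfnLoader(yaml.SafeLoader):
            pass
        def intrinsic(loader, suffix, node):
            if isinstance(node, yaml.ScalarNode):
                return {"!" + suffix: loader.construct_scalar(node)}
            if isinstance(node, yaml.SequenceNode):
                return {"!" + suffix: loader.construct_sequence(node)}
            return {"!" + suffix: loader.construct_mapping(node)}
        CfnLoader.add_multi_constructor("!", intrinsic)
        return yaml.load(text, Loader=CfnLoader)

def find_unprotected_rds(template):
    """Return (logical_id, type, reason) for each RDS resource not protected by a literal true."""
    findings = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if not isinstance(resource, dict) or resource.get("Type") not in RDS_TYPES:
            continue
        value = (resource.get("Properties") or {}).get("DeletionProtection")
        if value is None:
            reason = "missing"  # CloudFormation defaults to no deletion protection
        elif isinstance(value, dict):
            reason = "set by an intrinsic function, cannot be verified statically"
        elif str(value).lower() == "true":  # YAML bool or the JSON string "true"
            continue
        else:
            reason = f"set to {value!r}"
        findings.append((logical_id, resource["Type"], reason))
    return findings

# Constructed sample (JSON form): a vulnerable instance, a cluster missing the property,
# a secure instance and a non-RDS resource; only the first two should be reported.
SAMPLE = json.dumps({"Resources": {
    "MyVulnerableRDSInstance": {"Type": "AWS::RDS::DBInstance",
        "Properties": {"DeletionProtection": False, "Engine": "postgres"}},
    "MyCluster": {"Type": "AWS::RDS::DBCluster", "Properties": {"Engine": "aurora-postgresql"}},
    "MySecureRDSInstance": {"Type": "AWS::RDS::DBInstance",
        "Properties": {"DeletionProtection": True, "Engine": "postgres"}},
    "Bucket": {"Type": "AWS::S3::Bucket"}}})
```

Run `find_unprotected_rds(load_template(SAMPLE))` to get one finding per unprotected resource, as the strategy requires.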
Vulnerable code example
Resources:
  MyVulnerableRDSInstance:
    Type: "AWS::RDS::DBInstance"
    Properties:
      DeletionProtection: false # Vulnerable: No deletion protection enables accidental deletion
      DBInstanceClass: db.t3.micro
      Engine: postgres
      MasterUsername: admin # Vulnerable: Hardcoded credentials in template...

Secure code example
Resources:
  MySecureRDSInstance:
    Type: "AWS::RDS::DBInstance"
    Properties:
      DeletionProtection: true # Enable deletion protection to prevent accidental deletion
      DBInstanceClass: db.t3.micro
      Engine: postgres
      MasterUsername: !Sub '${AWS::StackName}-admin' # Dynamic username using stack name...