Preventing Accidental Deletion on Amazon RDS

Introduction

As a cloud security engineer, you can use Amazon Relational Database Service (RDS) to run a relational database in the cloud with better security and availability for your applications. Amazon RDS supports several database engines, including Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and SQL Server. To isolate database instances, Amazon RDS runs them inside an Amazon Virtual Private Cloud (VPC). To ease disaster recovery, you can take a snapshot of an RDS DB instance.

Additionally, Amazon RDS offers encryption for both the database and its snapshots. To guard the database instance against accidental deletion, a cloud security engineer or any other user can enable the deletion protection feature while creating the database.

Lab Objective

This lab demonstrates how to enable and verify the deletion protection feature in Amazon RDS, and how to create a database snapshot for disaster recovery.

Disclaimer

Please note that the AWS Management Console is subject to change over time. While the instructions provided are accurate at the time of writing, there may be updates or modifications to the console's interface or functionality. It is advisable to refer to the official AWS documentation for the most up-to-date and accurate information regarding the AWS Management Console.

Lab Tasks

  • Sign in to your AWS Management Console.

  • Create a MySQL database in Amazon RDS: search for RDS in the console and open the RDS service.

  • Next, on the Amazon RDS Dashboard, click Create database.

  • On the Create database page, select the Standard create method. For Engine options, choose the MySQL radio button to make MySQL the RDS database engine.

  • Scroll down to the Templates section and select Free tier.

Important: The Production alternative offers additional features but comes with associated expenses. Therefore, in this case, please select the Free tier option.

  • Next, scroll down to the Settings section and type d3m0-db as the DB instance identifier. Under Credentials Settings, type a master username (here, admin) and a strong password (here, #Bs!KB$zgEFv2&U&3) under Master password, then repeat it under Confirm password.

  • Continue scrolling until you reach the Connectivity section. To prevent public access to the database, choose No under Public access.

    If the database is publicly accessible, its data is at risk of compromise, because the database ports can be found by anyone scanning the public network.

  • Next, limit access to the database by utilizing a VPC security group. Scroll down and choose the option "Create new" in the VPC security group section. Enter a name, such as "d3m0-db-securitygroup", as the new VPC security group name.

  • Afterward, scroll down to the Additional configuration section and expand it. Enter a name (e.g., d3m0db) in the Initial database name field. Under Backup, select Enable automated backups so that snapshots of the database are taken automatically.

  • To safeguard the database against unintentional deletion, scroll down and select the Enable deletion protection checkbox under Deletion protection. Then click "Create database".

  • Wait a few seconds for the database creation process to start.

  • After a few minutes, the database creation process completes, as depicted in the screenshot provided below.

Creating Snapshot of the Database

  • Next, to create a snapshot of the database (d3m0-db), select the radio button for the database (d3m0-db) you created. Then, click on the Actions dropdown button and choose Take Snapshot.

  • On the Take DB snapshot page under Settings, type an appropriate snapshot name (here, snap-d3m0-db) and click Take snapshot.

  • After a few minutes, the Amazon RDS snapshot (snap-d3m0-db) is successfully created, as shown in the screenshot. Click the refresh icon to update the list.

Duplicate & Encrypt Snapshot

  • You can activate encryption and generate a duplicate of the snapshot. To accomplish this, simply mark the checkbox corresponding to the recently created snapshot (snap-d3m0-db). Next, click on the dropdown menu labeled "Actions" and select the option to copy the snapshot.

  • On the Copy snapshot page, ensure you select the appropriate region where you created the RDS (here, US West (Oregon)), and for the New DB Snapshot Identifier, give it any name (here, snap-d3m0-db-cpy1).

  • Next, scroll down to the Encryption section and make sure Enable Encryption (selected by default) is checked, so that the copy of the DB snapshot is encrypted. Keep the Master key as (default) aws/rds, and then click Copy snapshot.

  • Allow a few minutes for the snapshot copy to be created. Once the process is complete, you will have an encrypted Amazon RDS snapshot. Click the refresh icon to update the list.

Testing deletion protection by an unauthorized user

You can now verify that deletion protection is enabled for the Amazon RDS instance. With it enabled, even a user who gains access to your database cannot delete it without first modifying the database instance to turn deletion protection off.

  • Navigate back to the database (d3m0-db) by clicking on Databases from the Amazon RDS left panel.

  • Now, select the checkbox for the database you created (d3m0-db). Click on the Actions dropdown and select Delete from the menu.

  • Once you click the Delete button, a pop-up appears stating that deletion protection is enabled for this database, and the deletion is refused. Click the "Close" button to dismiss it.
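The console check above covers one instance. The following added example (not part of the original post) applies the same four safeguards configured in this lab, deletion protection, no public access, automated backups and encryption, to the JSON returned by `aws rds describe-db-instances` and `aws rds describe-db-snapshots`, so an account can be audited in bulk. The sample records are constructed; the field names are the ones the RDS API actually returns.

```python
"""Audit RDS describe-* output for the lab's safeguards.

Added example. Pass the saved JSON of `aws rds describe-db-instances` and
`aws rds describe-db-snapshots` as two file paths, or run with no arguments
to audit the constructed sample below.
"""
import json
import sys


def audit_instance(inst: dict) -> list:
    """Return one finding per missing safeguard on a DBInstance record."""
    name = inst.get("DBInstanceIdentifier", "<unknown>")
    findings = []
    if not inst.get("DeletionProtection", False):
        findings.append(f"{name}: deletion protection is disabled")
    if inst.get("PubliclyAccessible", False):
        findings.append(f"{name}: instance is publicly accessible")
    if inst.get("BackupRetentionPeriod", 0) == 0:  # 0 days means no automated backups
        findings.append(f"{name}: automated backups are disabled")
    if not inst.get("StorageEncrypted", False):
        findings.append(f"{name}: storage is not encrypted")
    return findings


def audit_snapshot(snap: dict) -> list:
    """Flag a DBSnapshot record whose data is stored unencrypted."""
    name = snap.get("DBSnapshotIdentifier", "<unknown>")
    return [] if snap.get("Encrypted", False) else [f"{name}: snapshot is not encrypted"]


def audit(instances_json: dict, snapshots_json: dict) -> list:
    """Combine instance and snapshot findings for whole describe-* responses."""
    findings = []
    for inst in instances_json.get("DBInstances", []):
        findings.extend(audit_instance(inst))
    for snap in snapshots_json.get("DBSnapshots", []):
        findings.extend(audit_snapshot(snap))
    return findings


# Constructed sample: the lab's d3m0-db (unencrypted storage, so its first snapshot
# is unencrypted and only the copy is encrypted) next to a weakly configured instance.
SAMPLE_INSTANCES = {"DBInstances": [
    {"DBInstanceIdentifier": "d3m0-db", "DeletionProtection": True,
     "PubliclyAccessible": False, "BackupRetentionPeriod": 7, "StorageEncrypted": False},
    {"DBInstanceIdentifier": "legacy-db", "DeletionProtection": False,
     "PubliclyAccessible": True, "BackupRetentionPeriod": 0, "StorageEncrypted": False}]}
SAMPLE_SNAPSHOTS = {"DBSnapshots": [
    {"DBSnapshotIdentifier": "snap-d3m0-db", "Encrypted": False},
    {"DBSnapshotIdentifier": "snap-d3m0-db-cpy1", "Encrypted": True}]}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            results = audit(json.load(f1), json.load(f2))
    else:
        results = audit(SAMPLE_INSTANCES, SAMPLE_SNAPSHOTS)
    print("\n".join(results) or "no findings")
```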

Lab Lesson

Enabling deletion protection and creating a database snapshot are steps that a cloud security engineer can follow to enhance the security of databases in Amazon RDS.

Deleting Created Resources

To avoid incurring charges, make sure to delete, shut down, or terminate all resources that have been created and utilized in this lab.

  • To remove the snapshots created during this lab, go to the Snapshots section within Amazon RDS. Locate the snapshots created in this lab (snap-d3m0-db and snap-d3m0-db-cpy1) and mark the checkboxes next to them. Open Actions and click Delete. In the resulting pop-up window, click the Delete button to confirm.

  • Navigate to Databases under Amazon RDS and select the checkbox for the database created in this lab (here, d3m0-db). Click Modify, then scroll down and uncheck Enable deletion protection under Deletion protection. Click Continue.

  • In the following window, choose the "Apply immediately" radio button for scheduling modifications, and then click "Modify DB instance".

  • Navigate to Databases under Amazon RDS and select the checkbox for the database instance created in this lab (here, d3m0-db). Click on the Delete button. In the pop-up window, acknowledge the checkbox, enter Delete me, and click on the Delete button.

NOTE: It will take a few minutes before it finally deletes the database.

  • Navigate to the EC2 Dashboard. In the left pane of the EC2 console, click Security Groups under Network & Security. Select the checkbox for the RDS security group, open the Actions menu at the top, scroll down, and select Delete security group.
