RDS-CloudFormation Delete and Update Protection

2021.09.22

Introduction

CloudFormation defines your AWS infrastructure as code: you create and manage AWS services and their lifecycles through CloudFormation templates. When you delete a CloudFormation stack, by default every resource the stack created is deleted with it. Accidental deletion of a CloudFormation stack or an RDS database can therefore mean losing important data and business-critical resources. Here are some ways to protect an RDS database deployed via CloudFormation from unintentional deletes and updates.

CloudFormation Termination Protection and ChangeSet

CloudFormation Termination Protection

To protect a stack from accidental deletion, enable Stack Termination Protection in the console. Once it is enabled, the stack cannot be deleted until you disable termination protection again.

Enable Termination Protection while creating stack

While creating a stack, choose "Enabled" for Termination protection under Stack creation options.

Enable Termination Protection after creating stack

Select the stack you want to protect and choose Stack actions. Click 'Edit termination protection', choose 'Enabled' and save.

CloudFormation ChangeSet

Review the ChangeSet before updating the stack to understand what will change. The ChangeSet shows a detailed summary of the actions that will be executed during the update.

Steps to create ChangeSets:

  • Select the Stack you want to update.
  • Click on 'Create change set for current stack' under Stack actions.
  • Choose the template and create ChangeSet.

You can review the changes in the ChangeSet before executing it; nothing is applied to the stack until the change set is executed.

RDS-CloudFormation Deletion Protection

Here are some ways to protect an RDS instance deployed via CloudFormation from accidental deletion:

    • DeletionPolicy
      • Set DeletionPolicy to Retain to prevent deletion of the RDS instance.
      • DeletionPolicy decides whether a resource is preserved or deleted when the stack is deleted. It is a resource attribute (a sibling of Type and Properties, not a property) and can be added to any resource type:
        • Retain - the resource is kept when the stack is deleted.
        • Delete - the resource is deleted when the stack is deleted.
        • Snapshot - a snapshot is taken before the resource is deleted. Applicable only to resources that support snapshots.
 DeletionPolicy: Retain

    • DeletionProtection
      • Set DeletionProtection to true in the RDS CloudFormation template.
      • While deletion protection is enabled, the database cannot be deleted: RDS itself rejects the delete request until the setting is turned off.
 DeletionProtection: True

    • DeleteAutomatedBackups
      • Set DeleteAutomatedBackups to false.
      • This ensures that the automated backups are retained when the database instance is deleted, instead of being removed together with it.
 DeleteAutomatedBackups: False

Here is a CloudFormation template containing the above deletion protection options for RDS.

AWSTemplateFormatVersion: 2010-09-09
Parameters:
  MasterUser:
    Type: String
    NoEcho: true
    Description: "Master Username"

  MasterPassword:
    Type: String
    NoEcho: true
    Description: "Master User Password"

  Storage:
    Type: String
    Default: 50
    Description: "Allocated Storage"

Resources:
  MySQLDB:
    Type: 'AWS::RDS::DBInstance'
    Properties:
      AllocatedStorage: !Ref Storage
      DBInstanceClass: "db.t2.micro"
      DeletionProtection: true
      DeleteAutomatedBackups: false
      Engine: MySQL
      EngineVersion: 8.0.23
      MasterUsername: !Ref MasterUser
      MasterUserPassword: !Ref MasterPassword
    # Resource attribute: sits beside Type and Properties, not inside Properties
    DeletionPolicy: Retain
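As an added example (not part of the original post), here is a small Python audit that checks a template for all three safeguards before it is deployed. The template is given in its JSON-equivalent dict form (YAML `!Ref X` becomes `{"Ref": "X"}`), so no YAML library is needed; both template dicts below are constructed from the post's template.

```python
SAFE_DELETION_POLICIES = {"Retain", "Snapshot"}

def _truthy(value):
    # CloudFormation accepts YAML booleans as well as the strings "true"/"false".
    return str(value).lower() == "true"

def audit_rds_protection(template):
    """Return (logical_id, finding) tuples for every AWS::RDS::DBInstance
    that lacks one of the three safeguards; an empty list means all pass."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::RDS::DBInstance":
            continue
        props = resource.get("Properties", {})
        # DeletionPolicy is a resource attribute beside Type and Properties,
        # not a property; we require it to be set explicitly.
        policy = resource.get("DeletionPolicy")
        if policy not in SAFE_DELETION_POLICIES:
            findings.append((logical_id, f"DeletionPolicy is {policy!r}, expected Retain or Snapshot"))
        # DeletionProtection makes RDS itself refuse to delete the instance.
        if not _truthy(props.get("DeletionProtection", False)):
            findings.append((logical_id, "DeletionProtection is not true"))
        # DeleteAutomatedBackups defaults to true, discarding backups on delete.
        if _truthy(props.get("DeleteAutomatedBackups", True)):
            findings.append((logical_id, "DeleteAutomatedBackups is not false"))
    return findings

# Constructed sample: the post's hardened template in dict (JSON) form.
HARDENED_TEMPLATE = {
    "Resources": {
        "MySQLDB": {
            "Type": "AWS::RDS::DBInstance",
            "DeletionPolicy": "Retain",
            "Properties": {
                "AllocatedStorage": {"Ref": "Storage"},
                "DeletionProtection": True,
                "DeleteAutomatedBackups": False,
                "Engine": "MySQL",
            },
        }
    }
}

# Constructed sample: the same database relying on every default.
UNPROTECTED_TEMPLATE = {
    "Resources": {
        "MySQLDB": {"Type": "AWS::RDS::DBInstance",
                    "Properties": {"Engine": "MySQL", "DBInstanceClass": "db.t2.micro"}}
    }
}
```

Running `audit_rds_protection(UNPROTECTED_TEMPLATE)` yields three findings for MySQLDB, while the hardened template yields none.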

 

RDS-CloudFormation Update Protection

To prevent updates to RDS or any other specific resource, use a Stack Policy. A stack policy prevents stack resources from being updated or deleted unintentionally during a stack update. It is a JSON document that defines which update actions may be performed on which resources.

Here is a stack policy that prevents updates to the RDS instance deployed through CloudFormation during stack updates. The first statement allows updates to all resources; the second denies every update action on resources of type AWS::RDS::DBInstance, so the database is left untouched by stack updates.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "Update:*",
            "Principal": "*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "Update:*",
            "Principal": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ResourceType": ["AWS::RDS::DBInstance"]
                }
            }
        }
    ]
}
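To see how the Allow and Deny statements interact, here is an added Python model of stack policy evaluation (not the post's or AWS's code). It assumes the documented matching rules: an explicit Deny wins over Allow, "Update:*" covers Update:Modify, Update:Replace and Update:Delete, resources are addressed as "LogicalResourceId/<id>" with "*" as wildcard, and only the StringEquals/ResourceType condition used in the post is modelled.

```python
import fnmatch

# The three concrete actions that "Update:*" expands to in a stack policy.
UPDATE_ACTIONS = ("Update:Modify", "Update:Replace", "Update:Delete")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statement_matches(stmt, action, logical_id, resource_type):
    """A statement applies when action, resource and condition all match."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    # Resources are addressed as "LogicalResourceId/<id>"; "*" matches all.
    target = f"LogicalResourceId/{logical_id}"
    if not any(fnmatch.fnmatchcase(target, r) for r in _as_list(stmt["Resource"])):
        return False
    # Only the StringEquals/ResourceType condition from the post is modelled.
    wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("ResourceType")
    return wanted is None or resource_type in _as_list(wanted)

def is_update_allowed(policy, action, logical_id, resource_type):
    """Stack policies are default-deny, and an explicit Deny always wins."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, action, logical_id, resource_type):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def denied_actions(policy, logical_id, resource_type):
    """List which update actions the policy blocks for one resource."""
    return [a for a in UPDATE_ACTIONS
            if not is_update_allowed(policy, a, logical_id, resource_type)]

# The stack policy from the post: allow everything, then deny RDS instances.
RDS_FREEZE_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "Update:*", "Principal": "*", "Resource": "*",
         "Condition": {"StringEquals": {"ResourceType": ["AWS::RDS::DBInstance"]}}},
    ]
}
```

`denied_actions(RDS_FREEZE_POLICY, "MySQLDB", "AWS::RDS::DBInstance")` returns all three update actions, while a non-RDS resource in the same stack stays fully updatable.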

Enter the stack policy under Advanced options while creating the CloudFormation stack. You can also upload a JSON file containing the required stack policy.

The image below shows an RDS update failing because the stack policy denies changes to the RDS resource.

Summary

We have seen different options to protect an RDS database deployed through CloudFormation from unintentional updates and deletes. You can use any one of them based on your requirements, or combine all of them for stronger protection of your database.