# Source: github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95
#         rules/cloud/policies/aws/rds/enable_deletion_protection.rego

# METADATA
# title: "RDS Deletion Protection Disabled"
# description: "Ensure deletion protection is enabled for RDS database instances."
# scope: package
# schemas:
# - input: schema["cloud"]
# related_resources:
# - https://aws.amazon.com/about-aws/whats-new/2018/09/amazon-rds-now-provides-database-deletion-protection/
# custom:
#   avd_id: AVD-AWS-0177
#   provider: aws
#   service: rds
#   severity: MEDIUM
#   short_code: enable-deletion-protection
#   recommended_action: "Modify the RDS instances to enable deletion protection."
#   input:
#     selector:
#     - type: cloud
#       subtypes:
#         - service: rds
#           provider: aws
package builtin.aws.rds.aws0177

# deny yields one finding per RDS instance in the scanned cloud state whose
# deletion-protection flag is not truthy. With the flag off, a single delete
# request (accidental or from a compromised principal) removes the database.
#
# `not protection.value` succeeds both when the value is false and when the
# `value` key is absent, so an attribute object without a value is reported.
#
# NOTE(review): if an instance carries no `deletionprotection` attribute at
# all, the reference is undefined and the rule body fails, so no finding is
# produced for that instance. Confirm the input adapter always populates it.
deny[res] {
	some idx
	db := input.aws.rds.instances[idx]

	# Keep the attribute itself: it is handed to result.new along with the
	# message (presumably so the finding can point at it; result.new is
	# defined outside this file).
	protection := db.deletionprotection
	not protection.value

	res := result.new("Instance does not have Deletion Protection enabled", protection)
}