How to Enforce RDS Deletion Protection Across AWS Organizations Using SCPs?

Asked By TechieWanderer42 On

Hello everyone! I'm looking for guidance on how to enforce RDS deletion protection throughout our AWS Organization with Service Control Policies (SCPs). My aim is to ensure that no new RDS instances or clusters can be set up without having the deletion protection enabled. I'm also considering blocking any deletion requests for RDS resources unless the deletion protection has been disabled first. I've heard that some AWS services support condition keys in SCPs—does anyone have experience with this for RDS? Is it feasible to directly restrict actions like rds:DeleteDBInstance or rds:DeleteDBCluster in an SCP? I'm curious about any potential issues that might disrupt automation or our pipeline processes. Any examples or advice from those who have put something similar in place would be greatly appreciated! Thanks!

1 Answer

Answered By CloudNinja77 On

It seems like there isn’t any condition available for that specific case in SCPs. But you might want to check out AWS Config; it can help show if your RDS instances comply with a rule you set up. Then potentially, you could have an SCP based on that. But I’m not too sure. You might still need a custom Lambda function for a proper compliance check. Just a thought!

TechieWanderer42 -

Thanks for the insight! These RDS instances were created using CloudFormation, so updating those templates is definitely something we are considering. The AWS Config idea feels promising, but I’m mainly interested in catching any future RDS resources that pop up without deletion protection, like a safeguard.
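The custom compliance check the answer mentions, as an added example that is not code from the thread or from AWS: a Python Lambda for an AWS Config custom rule that evaluates AWS::RDS::DBInstance and AWS::RDS::DBCluster configuration items and reports NON_COMPLIANT when deletion protection is off. It assumes the Config configuration-item schema exposes the setting as `configuration.deletionProtection` (the field the managed rules rds-instance-deletion-protection-enabled and rds-cluster-deletion-protection-enabled also look at); an absent or non-boolean value is treated as unprotected so the rule fails closed. The resource IDs, timestamps and the `SAMPLE_EVENT` are constructed so the module runs offline; only `lambda_handler` and `fetch_from_config_history` touch boto3.

```python
"""AWS Config custom rule: flag RDS instances/clusters without deletion protection.

Added example for this thread, not AWS or the poster's code. Assumes the
configuration item carries `configuration.deletionProtection` (assumption).
"""
import json
from typing import Any, Callable, Dict, Optional

# Resource types this rule evaluates; anything else is reported NOT_APPLICABLE.
RDS_TYPES = {"AWS::RDS::DBInstance", "AWS::RDS::DBCluster"}
DELETED_STATUSES = {"ResourceDeleted", "ResourceDeletedNotRecorded", "ResourceNotRecorded"}


def evaluate_compliance(item: Dict[str, Any]) -> Dict[str, str]:
    """Decide COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE for one configuration item."""
    resource_type = item.get("resourceType", "")
    if resource_type not in RDS_TYPES:
        return {"type": "NOT_APPLICABLE", "annotation": f"{resource_type} is not covered by this rule"}
    if item.get("configurationItemStatus") in DELETED_STATUSES:
        return {"type": "NOT_APPLICABLE", "annotation": "resource no longer exists"}
    configuration = item.get("configuration") or {}
    if isinstance(configuration, str):  # get_resource_config_history returns it as a JSON string
        configuration = json.loads(configuration)
    # Fail closed: only an explicit boolean True counts as protected.
    if configuration.get("deletionProtection") is True:
        return {"type": "COMPLIANT", "annotation": "deletion protection is enabled"}
    return {"type": "NON_COMPLIANT", "annotation": "deletion protection is disabled or unset"}


def build_evaluation(item: Dict[str, Any]) -> Dict[str, Any]:
    """Shape one configuration item into the dict that put_evaluations expects."""
    verdict = evaluate_compliance(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": verdict["type"],
        "Annotation": verdict["annotation"],
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


Fetcher = Callable[[str, str, str], Dict[str, Any]]


def evaluation_from_event(event: Dict[str, Any], fetch_item: Optional[Fetcher] = None) -> Dict[str, Any]:
    """Parse a Config rule invocation and produce the evaluation for it.

    Oversized change notifications carry only a configurationItemSummary; the
    caller passes fetch_item(resource_type, resource_id, capture_time) to load
    the full item in that case.
    """
    invoking = json.loads(event["invokingEvent"])
    item = invoking.get("configurationItem")
    if item is None:
        summary = invoking["configurationItemSummary"]
        if fetch_item is None:
            raise ValueError("oversized notification requires a fetcher")
        item = fetch_item(summary["resourceType"], summary["resourceId"],
                          summary["configurationItemCaptureTime"])
    return build_evaluation(item)


def fetch_from_config_history(resource_type: str, resource_id: str, capture_time: str) -> Dict[str, Any]:
    """Load the latest full configuration item (used for oversized notifications)."""
    import boto3  # imported lazily so the module runs offline without the SDK

    history = boto3.client("config").get_resource_config_history(
        resourceType=resource_type, resourceId=resource_id, laterTime=capture_time, limit=1)
    return history["configurationItems"][0]


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    """Entry point wired to the custom Config rule."""
    import boto3

    evaluation = evaluation_from_event(event, fetch_from_config_history)
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample items (not real resources) so the module can be exercised offline.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::RDS::DBInstance", "resourceId": "db-PROTECTED", "configurationItemStatus": "OK",
     "configurationItemCaptureTime": "2024-05-01T10:00:00.000Z",
     "configuration": {"dBInstanceIdentifier": "orders-prod", "deletionProtection": True}},
    {"resourceType": "AWS::RDS::DBCluster", "resourceId": "cluster-UNPROTECTED", "configurationItemStatus": "OK",
     "configurationItemCaptureTime": "2024-05-01T10:00:00.000Z",
     "configuration": {"dBClusterIdentifier": "reports-aurora", "deletionProtection": False}},
    {"resourceType": "AWS::RDS::DBInstance", "resourceId": "db-MISSINGFIELD", "configurationItemStatus": "OK",
     "configurationItemCaptureTime": "2024-05-01T10:00:00.000Z",
     "configuration": {"dBInstanceIdentifier": "legacy-mysql"}},
    {"resourceType": "AWS::RDS::DBInstance", "resourceId": "db-GONE", "configurationItemStatus": "ResourceDeleted",
     "configurationItemCaptureTime": "2024-05-01T10:00:00.000Z", "configuration": None},
]

SAMPLE_EVENT = {  # constructed: what Config sends for an ordinary change notification
    "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                 "configurationItem": SAMPLE_ITEMS[1]}),
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    for sample in SAMPLE_ITEMS:
        ev = build_evaluation(sample)
        print(f'{ev["ComplianceResourceId"]}: {ev["ComplianceType"]} ({ev["Annotation"]})')
```

Run stand-alone it prints COMPLIANT for db-PROTECTED, NON_COMPLIANT for cluster-UNPROTECTED and db-MISSINGFIELD, and NOT_APPLICABLE for db-GONE. Two caveats worth pairing with it: a Config rule only detects drift after the fact, so the usual preventive complement is an SCP with an explicit Deny on rds:DeleteDBInstance and rds:DeleteDBCluster that exempts a break-glass role via an `aws:PrincipalArn` condition (SCPs never affect the management account, and such a Deny cannot see whether deletion protection is on, since the thread finds no condition key for it); and because CloudFormation deletes and replacements of those resources run as the stack's principal, they will fail against that Deny unless the stack role is the exempted one, which is the pipeline impact the question is worried about.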
