feat(query): add "RDS Deletion Protection Disabled" query for Terraform/AWS#8075

Open
Muhammaduazir69 wants to merge 1 commit into Checkmarx:master from Muhammaduazir69:feat/query-rds-deletion-protection
Conversation

@Muhammaduazir69

@Muhammaduazir69 Muhammaduazir69 commented Jun 26, 2026

Description

Adds a new KICS query that flags Amazon RDS databases provisioned without deletion protection. It covers both aws_db_instance and aws_rds_cluster (Aurora), reporting when deletion_protection is either set to false (IncorrectValue) or omitted entirely (MissingAttribute — the Terraform/AWS default is false, i.e. unprotected).

Motivation

KICS already ships ALB Deletion Protection Disabled (aws_lb/aws_alb), but there is no equivalent coverage for RDS, despite RDS holding persistent data where accidental or malicious deletion is far more damaging. Confirmed gap: no existing query references deletion_protection on aws_db_instance/aws_rds_cluster.

What the query checks

| Resource        | Condition flagged             | issueType        |
|-----------------|-------------------------------|------------------|
| aws_db_instance | deletion_protection = false   | IncorrectValue   |
| aws_db_instance | deletion_protection undefined | MissingAttribute |
| aws_rds_cluster | deletion_protection = false   | IncorrectValue   |
| aws_rds_cluster | deletion_protection undefined | MissingAttribute |

Secure configurations (deletion_protection = true) are covered by the negative tests and produce no findings.
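The four conditions in the table above, as an added Python example that is not the PR's own query (KICS queries are written in Rego; this is a standalone reimplementation of the same logic). It reads Terraform's JSON configuration syntax (`.tf.json`) as a parsed dict, reports `IncorrectValue` for `deletion_protection = false` and `MissingAttribute` when the attribute is absent, and stays silent for `true`. The finding fields, the `scan_tf_json` helper and the two embedded samples are my own constructions, not KICS output or the PR's test files.

```python
"""Standalone check for RDS deletion protection over Terraform JSON syntax.

Added example, not the KICS query: flags aws_db_instance and aws_rds_cluster
resources whose deletion_protection is false (IncorrectValue) or absent
(MissingAttribute, since the provider default is false).
"""
import json
from typing import Any, Dict, List

# Resource types covered by the rule, as listed in the PR description.
CHECKED_TYPES = ("aws_db_instance", "aws_rds_cluster")
SEVERITY = "MEDIUM"


def _is_disabled(value: Any) -> bool:
    """True for a literal false. Terraform JSON syntax may carry a bool attribute
    as the string "false", so accept that too. Expressions such as
    "${var.protect}" are not evaluated, as with any static scan."""
    return value is False or (isinstance(value, str) and value.strip().lower() == "false")


def _finding(rtype: str, name: str, issue_type: str, search_key: str, actual: str) -> Dict[str, str]:
    # Field names are hypothetical; they only loosely mirror a scanner's result record.
    return {
        "resourceType": rtype,
        "resourceName": name,
        "searchKey": search_key,
        "issueType": issue_type,
        "severity": SEVERITY,
        "expected": "'deletion_protection' should be set to true",
        "actual": actual,
    }


def rds_deletion_protection_findings(document: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return one finding per unprotected RDS resource in a parsed .tf.json dict."""
    findings: List[Dict[str, str]] = []
    resources = document.get("resource", {})
    for rtype in CHECKED_TYPES:
        for name, body in resources.get(rtype, {}).items():
            # JSON syntax allows a list of bodies under one label; normalise to a list.
            for block in (body if isinstance(body, list) else [body]):
                if "deletion_protection" not in block:
                    findings.append(_finding(
                        rtype, name, "MissingAttribute", f"{rtype}[{name}]",
                        "'deletion_protection' is undefined (provider default is false)"))
                elif _is_disabled(block["deletion_protection"]):
                    findings.append(_finding(
                        rtype, name, "IncorrectValue", f"{rtype}[{name}].deletion_protection",
                        "'deletion_protection' is false"))
    return findings


def scan_tf_json(text: str) -> List[Dict[str, str]]:
    """Parse a .tf.json string and run the check."""
    return rds_deletion_protection_findings(json.loads(text))


# Constructed samples shaped like a positive/negative test pair.
POSITIVE_SAMPLE = json.dumps({
    "resource": {
        "aws_db_instance": {
            "explicit_off": {"engine": "postgres", "deletion_protection": False},
            "omitted": {"engine": "postgres"},
        },
        "aws_rds_cluster": {
            "explicit_off": {"engine": "aurora-postgresql", "deletion_protection": False},
            "omitted": {"engine": "aurora-postgresql"},
        },
    }
})

NEGATIVE_SAMPLE = json.dumps({
    "resource": {
        "aws_db_instance": {"protected": {"engine": "postgres", "deletion_protection": True}},
        "aws_rds_cluster": {"protected": {"engine": "aurora-postgresql", "deletion_protection": True}},
    }
})

if __name__ == "__main__":
    for label, sample in (("positive", POSITIVE_SAMPLE), ("negative", NEGATIVE_SAMPLE)):
        results = scan_tf_json(sample)
        print(f"{label}: {len(results)} {SEVERITY} finding(s)")
        for f in results:
            print(f"  {f['searchKey']}: {f['issueType']}")
```

Run as a script it reports four findings on the positive sample (two `IncorrectValue`, two `MissingAttribute`) and none on the negative one, matching the counts the PR reports for its own samples. The distinction between the two issue types matters for remediation guidance: an omitted attribute is usually an oversight that the default silently turns into an unprotected database, whereas an explicit `false` is a deliberate choice worth a review comment.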

Metadata

  • Severity: MEDIUM, riskScore 3 (per the contributor guide severity→score mapping)
  • Category: Insecure Configurations · CWE-693 (Protection Mechanism Failure)
  • descriptionUrl → Terraform AWS provider db_instance#deletion_protection

Testing

  • make test-unit — new query positive/negative tests pass; full suite green (55 packages, 0 failures).
  • Validated end-to-end with ./bin/kics scan on both samples (positive → 4 MEDIUM findings, negative → 0).
  • metadata.json validated against .github/scripts/queries-validator/metadata-schema.json.

I submit this contribution under the Apache-2.0 license.

Adds a new KICS query that flags Amazon RDS databases provisioned without
deletion protection. Covers both aws_db_instance and aws_rds_cluster
(Aurora) for the deletion_protection = false case and the undefined case
(the Terraform/AWS default is false, i.e. unprotected).

KICS already ships an ALB deletion-protection query but had no RDS
equivalent, despite RDS holding persistent data where accidental or
malicious deletion is more damaging. Severity MEDIUM, CWE-693.

Signed-off-by: Muhammad Uzair <muhammaduzairr69@gmail.com>
