Ensure QLDB ledger has deletion protection enabled

Error: Ensure QLDB ledger has deletion protection enabled
Bridgecrew Policy ID: BC_AWS_STORAGE_1
Checkov Check ID: CKV_AWS_172
Severity: LOW

Ensure QLDB ledger has deletion protection enabled

Description

Amazon Quantum Ledger Database (Amazon QLDB) is a fully managed ledger database for cryptographically verifiable transaction logging. You can use the QLDB API or the AWS Command Line Interface (AWS CLI) to create, update, and delete ledgers in Amazon QLDB. You can also list all the ledgers in your account, or get information about a specific ledger.

Deletion protection is enabled by default. To successfully delete this resource via Terraform, deletion_protection = false must be applied before attempting deletion. In CloudFormation the flag that prevents a ledger from being deleted by any user. If not provided on ledger creation, this feature is enabled (true) by default.

Fix - Buildtime

Terraform

  • Resource: aws_qldb_ledger
  • Argument: deletion_protection
resource "aws_qldb_ledger" "sample-ledger" {
  name             = "sample-ledger"
  permissions_mode = "STANDARD"
+ deletion_protection = true 
}

CloudFormation

  • Resource: AWS::QLDB::Ledger
  • Argument: DeletionProtection
Type: AWS::QLDB::Ledger
Properties: 
+  DeletionProtection: true
  KmsKey: String
  Name: String
  PermissionsMode: String
  Tags: 
    - Tag