Ensure QLDB ledger has deletion protection enabled
Error: Ensure QLDB ledger has deletion protection enabled
Bridgecrew Policy ID: BC_AWS_STORAGE_1
Checkov Check ID: CKV_AWS_172
Severity: LOW
Description
Amazon Quantum Ledger Database (Amazon QLDB) is a fully managed ledger database for cryptographically verifiable transaction logging. You can use the QLDB API or the AWS Command Line Interface (AWS CLI) to create, update, and delete ledgers in Amazon QLDB. You can also list all the ledgers in your account, or get information about a specific ledger.
Deletion protection is enabled by default, so a ledger created without the setting cannot be deleted until protection is explicitly turned off. In Terraform, deletion_protection = false must be applied (and the change deployed) before a terraform destroy or removal of the aws_qldb_ledger resource will succeed. In CloudFormation, DeletionProtection is the property that prevents the ledger from being deleted by any user; if it is not provided on ledger creation, it defaults to true. This check therefore flags ledgers whose configuration explicitly sets the flag to false, which removes the only guard against accidental or malicious deletion of the ledger and its verifiable transaction history.
Fix - Buildtime
Terraform
- Resource: aws_qldb_ledger
- Argument: deletion_protection
resource "aws_qldb_ledger" "sample-ledger" {
  name             = "sample-ledger"
  permissions_mode = "STANDARD"
+ deletion_protection = true
}
CloudFormation
- Resource: AWS::QLDB::Ledger
- Argument: DeletionProtection
Type: AWS::QLDB::Ledger
Properties:
+ DeletionProtection: true
  KmsKey: String
  Name: String
  PermissionsMode: String
  Tags:
    - Tag
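The following is an added example, not Checkov's own implementation of CKV_AWS_172 and not code from the original page. It reproduces the semantics described above for both buildtime formats: a missing setting is treated as the AWS default (enabled) and passes, an explicit literal false fails, and a value that cannot be resolved statically (a Terraform variable reference or a CloudFormation intrinsic such as Ref) is reported as UNKNOWN rather than silently passed. The sample Terraform configuration and CloudFormation template are constructed for the example, and the function and resource names (check_terraform, check_cloudformation, evaluate_flag, the "good"/"bad" ledgers) are hypothetical. The Terraform side uses a deliberately small regex parser that only handles flat top-level resource blocks; a real check would use an HCL parser.

```python
import json
import re

# Constructed sample CloudFormation template (JSON form, so only the stdlib is needed).
CFN_TEMPLATE = json.dumps({
    "Resources": {
        "GoodLedger": {"Type": "AWS::QLDB::Ledger",
                       "Properties": {"Name": "good", "PermissionsMode": "STANDARD",
                                      "DeletionProtection": True}},
        "DefaultLedger": {"Type": "AWS::QLDB::Ledger",
                          "Properties": {"Name": "default", "PermissionsMode": "STANDARD"}},
        "BadLedger": {"Type": "AWS::QLDB::Ledger",
                      "Properties": {"Name": "bad", "PermissionsMode": "STANDARD",
                                     "DeletionProtection": False}},
        "ParamLedger": {"Type": "AWS::QLDB::Ledger",
                        "Properties": {"Name": "param", "PermissionsMode": "STANDARD",
                                       "DeletionProtection": {"Ref": "Protect"}}},
        "Bucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
})

# Constructed sample Terraform configuration covering the same four cases.
TF_CONFIG = '''
resource "aws_qldb_ledger" "good" {
  name                = "good"
  permissions_mode    = "STANDARD"
  deletion_protection = true
}

resource "aws_qldb_ledger" "implicit" {
  name             = "implicit"
  permissions_mode = "STANDARD"
}

resource "aws_qldb_ledger" "bad" {
  name                = "bad"
  permissions_mode    = "STANDARD"
  deletion_protection = false
}

resource "aws_qldb_ledger" "parameterized" {
  name                = "parameterized"
  permissions_mode    = "STANDARD"
  deletion_protection = var.protect
}
'''


def evaluate_flag(value):
    """Classify a deletion-protection value.

    None (setting absent) is the AWS default of enabled, so it passes.
    A literal true/false is judged directly; anything else (variable,
    intrinsic function) cannot be decided statically and is UNKNOWN.
    """
    if value is None:
        return "PASSED"
    if isinstance(value, bool):
        return "PASSED" if value else "FAILED"
    literal = str(value).strip().strip('"').lower()
    if literal == "true":
        return "PASSED"
    if literal == "false":
        return "FAILED"
    return "UNKNOWN"


def check_cloudformation(template_text):
    """Return {logical_id: result} for every AWS::QLDB::Ledger in a JSON template."""
    template = json.loads(template_text)
    results = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::QLDB::Ledger":
            continue  # only ledgers are in scope for this check
        properties = resource.get("Properties", {})
        results[logical_id] = evaluate_flag(properties.get("DeletionProtection"))
    return results


# Matches a flat top-level aws_qldb_ledger block: name, then body up to a brace at column 0.
BLOCK_RE = re.compile(r'resource\s+"aws_qldb_ledger"\s+"([^"]+)"\s*\{(.*?)^\}', re.S | re.M)
# Matches the deletion_protection argument inside a block body.
ARG_RE = re.compile(r'^\s*deletion_protection\s*=\s*([^\s#]+)', re.M)


def check_terraform(hcl_text):
    """Return {resource_name: result} for every aws_qldb_ledger block found."""
    results = {}
    for match in BLOCK_RE.finditer(hcl_text):
        name, body = match.group(1), match.group(2)
        arg = ARG_RE.search(body)
        results[name] = evaluate_flag(None if arg is None else arg.group(1))
    return results


if __name__ == "__main__":
    print("terraform:", check_terraform(TF_CONFIG))
    print("cloudformation:", check_cloudformation(CFN_TEMPLATE))
```

Treating unresolved values as UNKNOWN rather than PASSED is the conservative choice: a variable that defaults to false would otherwise slip through. For a ledger that already exists, the runtime equivalent of this check is aws qldb describe-ledger --name <ledger>, whose output includes the DeletionProtection field.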