AWS QLDB ledger has deletion protection disabled
Description
Amazon Quantum Ledger Database (Amazon QLDB) is a fully managed ledger database for cryptographically verifiable transaction logging. You can use the QLDB API or the AWS Command Line Interface (AWS CLI) to create, update, and delete ledgers in Amazon QLDB. You can also list all the ledgers in your account, or get information about a specific ledger. Deletion protection is enabled by default. To successfully delete this resource via Terraform, deletion_protection = false must be applied before attempting deletion. In CloudFormation, the corresponding flag prevents a ledger from being deleted by any user; if it is not provided on ledger creation, the feature is enabled (true) by default.
Code Example
```hcl
resource "aws_qldb_ledger" "sample-ledger" {
  name             = "sample-ledger"
  permissions_mode = "STANDARD"
+ deletion_protection = true
}
```
Remediation
Terraform
- Resource: aws_qldb_ledger
- Arguments: deletion_protection
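The following is an added example, not part of this rule page and not Checkov's own implementation of CKV_AWS_172. It shows how the same condition can be evaluated against the JSON output of `terraform show -json plan.out`: every planned `aws_qldb_ledger` is reported, an explicit `deletion_protection = false` fails, an explicit `true` passes, and an omitted attribute is treated as passing because, as the description states, deletion protection is enabled by default. The plan document, resource names and the function name `ledger_deletion_protection_findings` are constructed for this example.

```python
"""Evaluate planned aws_qldb_ledger resources for deletion protection.

Added example for rule IaC-0221 / CKV_AWS_172; this is not Checkov's code.
Input is the JSON produced by `terraform show -json <planfile>`.
"""
import json

RESOURCE_TYPE = "aws_qldb_ledger"
ATTRIBUTE = "deletion_protection"

# Constructed sample plan, trimmed to the fields the check reads.
# "audit" disables protection, "finance" enables it, "legacy" omits the
# attribute, and the S3 bucket is present to show non-ledger resources are ignored.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_qldb_ledger.audit", "type": RESOURCE_TYPE,
         "change": {"actions": ["create"],
                    "after": {"name": "audit", "permissions_mode": "STANDARD",
                              "deletion_protection": False}}},
        {"address": "aws_qldb_ledger.finance", "type": RESOURCE_TYPE,
         "change": {"actions": ["create"],
                    "after": {"name": "finance", "permissions_mode": "STANDARD",
                              "deletion_protection": True}}},
        {"address": "aws_qldb_ledger.legacy", "type": RESOURCE_TYPE,
         "change": {"actions": ["create"],
                    "after": {"name": "legacy", "permissions_mode": "STANDARD"}}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "logs"}}},
    ],
})


def ledger_deletion_protection_findings(plan_json: str) -> list[dict]:
    """Return one finding per planned QLDB ledger that will exist after apply.

    Each finding is {"address", "status", "reason"} with status PASSED or FAILED.
    Resources being destroyed (no "after" state) are skipped.
    """
    plan = json.loads(plan_json)
    findings = []
    for change in plan.get("resource_changes", []):
        if change.get("type") != RESOURCE_TYPE:
            continue
        after = change.get("change", {}).get("after")
        if after is None:
            # Deleted resource: nothing to protect after apply.
            continue
        value = after.get(ATTRIBUTE)
        if value is False:
            status, reason = "FAILED", f"{ATTRIBUTE} is explicitly set to false"
        elif value is True:
            status, reason = "PASSED", f"{ATTRIBUTE} is set to true"
        else:
            # Attribute omitted: the service enables protection by default,
            # but reporting it makes the reliance on the default visible.
            status, reason = "PASSED", f"{ATTRIBUTE} not set; relying on default (enabled)"
        findings.append({"address": change["address"], "status": status, "reason": reason})
    return findings


def has_failures(findings: list[dict]) -> bool:
    """True when any ledger failed the check, suitable for a CI gate."""
    return any(f["status"] == "FAILED" for f in findings)


if __name__ == "__main__":
    results = ledger_deletion_protection_findings(SAMPLE_PLAN)
    for f in results:
        print(f"{f['status']:6} {f['address']}: {f['reason']}")
    raise SystemExit(1 if has_failures(results) else 0)
```

In a pipeline this would run after `terraform plan -out=plan.out && terraform show -json plan.out > plan.json`, with a non-zero exit blocking the apply while a ledger has `deletion_protection = false`.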
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0221 |
| Severity | LOW |
| IaC Type | Cloudformation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_172 |