Preventing Accidental Deletion of Amazon RDS Database


Question

An organization uses an IAM group DatabaseAdmin to manage administrative access to its database services.

What is the best way to prevent accidental deletion of an Amazon RDS Database?

Answers

Explanations


A. B. C. D.

Answer: A.

Option A is CORRECT because AWS RDS natively supports deletion protection, which can be turned on for databases that have this requirement.

Options B, C and D are incorrect for the same reason: AWS RDS natively supports deletion protection, which can be turned on for databases that have this requirement.

Reference:

https://aws.amazon.com/about-aws/whats-new/2018/09/amazon-rds-now-provides-database-deletion-protection/

The best way to prevent accidental deletion of an Amazon RDS database when using an IAM group DatabaseAdmin is to create a resource-based inline policy with an explicit deny on the rds:DeleteDBInstance action and attach it to the RDS database. Answer B is the correct answer.

Explanation: AWS Identity and Access Management (IAM) allows the creation of policies to manage and control access to AWS services and resources. IAM policies can be attached to users, groups, and roles, and can be either managed policies or inline policies.

Answer A is incorrect because enabling deletion protection on the RDS database only prevents the database from being deleted; it does not prevent accidental deletion by an authorized user.

Answer C is incorrect because creating an inline policy with explicit deny on the rds:DeleteDBInstance action and attaching it to the users of the DatabaseAdmin group can prevent accidental deletion, but it would not prevent accidental deletion by a user outside the group who has been granted access to the RDS database.

Answer D is incorrect because creating an IAM policy with explicit deny on the rds:DeleteDBInstance action and attaching it to the DatabaseAdmin group can prevent accidental deletion, but it would apply to all RDS databases, not just the specific RDS database that the group is managing.

Therefore, the best way to prevent accidental deletion of an Amazon RDS database is to create a resource-based inline policy with explicit deny on the rds:DeleteDBInstance action and attach it to the RDS database. This will only apply to the specific RDS database being managed by the DatabaseAdmin group and will prevent accidental deletion by any user who has been granted access to the database.
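The explanations above turn on two controls: an explicit IAM Deny on rds:DeleteDBInstance, and RDS deletion protection. The following is an added example, not part of the original question or its explanations. It builds an identity-based policy whose Deny statement is narrowed to one DB instance ARN (the ARNs and the broad DatabaseAdmin allow policy are constructed here for illustration), and runs a deliberately simplified, local IAM evaluator to show the rule the explanations rely on: an explicit Deny overrides any Allow, while other instances and other actions remain unaffected. Conditions, NotAction and resource-based policies are not modelled.

```python
import fnmatch
import json

# Constructed ARNs for illustration only; not taken from the page.
PROD_DB_ARN = "arn:aws:rds:us-east-1:123456789012:db:prod-orders"
DEV_DB_ARN = "arn:aws:rds:us-east-1:123456789012:db:dev-orders"

# Broad administrative permissions such as a DatabaseAdmin group might carry (constructed).
DATABASE_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "rds:*", "Resource": "*"}
    ],
}


def build_deny_delete_policy(db_arn):
    """Identity-based policy with an explicit Deny on rds:DeleteDBInstance,
    narrowed to a single DB instance ARN so other databases are unaffected."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyDeleteOfProtectedInstance",
                "Effect": "Deny",
                "Action": "rds:DeleteDBInstance",
                "Resource": db_arn,
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM action names match case-insensitively; '*' and '?' wildcards apply.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def is_allowed(policies, action, resource):
    """Simplified IAM evaluation (assumption: a teaching model, not the AWS engine):
    any matching explicit Deny wins; otherwise some matching Allow is required;
    otherwise the request is implicitly denied."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


if __name__ == "__main__":
    policies = [DATABASE_ADMIN_POLICY, build_deny_delete_policy(PROD_DB_ARN)]
    print(json.dumps(build_deny_delete_policy(PROD_DB_ARN), indent=2))
    print("delete prod:", is_allowed(policies, "rds:DeleteDBInstance", PROD_DB_ARN))  # False
    print("delete dev:", is_allowed(policies, "rds:DeleteDBInstance", DEV_DB_ARN))    # True
    print("modify prod:", is_allowed(policies, "rds:ModifyDBInstance", PROD_DB_ARN))  # True
```

Deletion protection (the page's option A) is a property of the instance rather than of IAM: it is switched on with `aws rds modify-db-instance --db-instance-identifier <name> --deletion-protection`, and a delete call then fails regardless of the caller's permissions until it is switched off again. The two controls layer: the IAM Deny limits who may ever issue the call, and deletion protection adds a second, explicit step before the call can succeed.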