Deletion Protection with Tags

Automatically tag AWS resources to enable deletion protection and prevent accidental resource deletion.

Overview

Tag-based deletion protection allows you to prevent accidental deletion of critical resources by using tags to identify protected resources. TagOps automatically applies and maintains deletion protection tags, ensuring critical resources remain protected even if tags are manually removed.

What TagOps Can Do

TagOps can automatically tag AWS resources with deletion protection tags:

  • Automatic Tagging: TagOps rules automatically apply deletion protection tags like DeletionProtection: Enabled or Protected: True to resources when they are created or discovered
  • Tag Restoration: If a deletion protection tag is manually removed from a resource, TagOps will automatically restore it based on your configured rules, ensuring continuous protection
  • Conditional Protection: Create rules to protect only specific resources (e.g., production resources, critical databases, or resources matching certain criteria)
  • Environment-Based Protection: Use different tag values for different environments to enable separate protection policies (e.g., DeletionProtection: Production, DeletionProtection: Development)
  • Service-Specific Protection: Tag specific resource types (RDS databases, DynamoDB tables, S3 buckets, etc.) with deletion protection tags based on your requirements
  • Consistent Coverage: Ensure all critical resources have deletion protection tags, preventing accidental deletion

Example TagOps Rule

Create a TagOps rule to automatically tag resources for deletion protection:

  • Condition: Resource type is rds:db and tag Environment equals Production
  • Action: Add tag DeletionProtection: Enabled

TagOps will automatically apply this tag to production RDS databases. If the tag is manually removed, TagOps will restore it based on your rule configuration.

Additional Protection with SCPs

For extra protection beyond TagOps tag restoration, you can use AWS Organizations Service Control Policies (SCPs) to enforce deletion protection at the organization level:

SCP Example - Prevent Deletion of Protected Resources:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDeletionOfProtectedResources",
            "Effect": "Deny",
            "Action": [
                "rds:DeleteDBInstance",
                "dynamodb:DeleteTable",
                "s3:DeleteBucket"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/DeletionProtection": "Enabled"
                }
            }
        }
    ]
}

This SCP prevents deletion of resources tagged with DeletionProtection: Enabled, providing an additional layer of protection. TagOps ensures the tag is always present, while the SCP enforces the protection policy.
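The rule above and the SCP's tag condition fit together only while the tag value is exactly Enabled: a resource whose tag was removed or altered is deletable until TagOps restores it. The following added example, written for this page and not TagOps' own code, models that flow with a constructed inventory (fictitious account id): it evaluates the page's rule, plans the restoration of drifted tags, and mirrors the SCP's StringEquals check to list which covered resources the Deny would not currently stop.

```python
"""Model of the tag-based deletion-protection flow described on this page.
Constructed illustration, not TagOps code: evaluate a rule against an inventory,
plan restoration of drifted protection tags, and mirror the SCP's tag check."""

# The rule from the page: rds:db with Environment=Production gets DeletionProtection=Enabled.
RULE = {
    "condition": {"resource_type": "rds:db", "tags": {"Environment": "Production"}},
    "action": {"DeletionProtection": "Enabled"},
}

# Constructed inventory (fictitious account id). "billing" had its tag removed,
# "users" had the value altered, "sandbox" does not match the rule at all.
INVENTORY = [
    {"arn": "arn:aws:rds:us-east-1:111122223333:db:orders", "type": "rds:db",
     "tags": {"Environment": "Production", "DeletionProtection": "Enabled"}},
    {"arn": "arn:aws:rds:us-east-1:111122223333:db:billing", "type": "rds:db",
     "tags": {"Environment": "Production"}},
    {"arn": "arn:aws:rds:us-east-1:111122223333:db:users", "type": "rds:db",
     "tags": {"Environment": "Production", "DeletionProtection": "enabled"}},
    {"arn": "arn:aws:rds:us-east-1:111122223333:db:sandbox", "type": "rds:db",
     "tags": {"Environment": "Development"}},
]

def rule_matches(rule, resource):
    """True when the resource type and every condition tag match exactly."""
    cond = rule["condition"]
    if resource["type"] != cond["resource_type"]:
        return False
    return all(resource["tags"].get(k) == v for k, v in cond["tags"].items())

def scp_denies_delete(tags):
    """Mirror of the SCP condition: StringEquals is exact and case-sensitive."""
    return tags.get("DeletionProtection") == "Enabled"

def plan_restoration(rule, inventory):
    """Return {arn: tags_to_apply} for matching resources whose protection tags drifted."""
    plan = {}
    for res in inventory:
        if not rule_matches(rule, res):
            continue
        drift = {k: v for k, v in rule["action"].items() if res["tags"].get(k) != v}
        if drift:
            plan[res["arn"]] = drift
    return plan

def unprotected(rule, inventory):
    """Rule-covered resources the SCP would not currently block from deletion."""
    return [r["arn"] for r in inventory
            if rule_matches(rule, r) and not scp_denies_delete(r["tags"])]
```

Running plan_restoration against the inventory yields the two drifted databases, and unprotected lists the same two, showing the window the SCP alone leaves open.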

Additional Resources