
DynamoDB Table Deletion Protection

Overview

This check verifies that your Amazon DynamoDB tables have deletion protection enabled. Deletion protection is a per-table setting: while it is on, every DeleteTable request for that table is rejected, so the table cannot be removed during routine management operations without first turning the setting off.

Risk

Without deletion protection, a single DeleteTable call removes a DynamoDB table. That call can come from:

  • A user with sufficient permissions making an unintended delete request
  • Misconfigured automation or scripts (for example a stack or workspace torn down in the wrong account)
  • Compromised credentials being used maliciously

Table deletion results in permanent data loss, unless a backup or point-in-time recovery window exists, and in service disruption for every consumer of the table. Enabling deletion protection adds a safeguard: the table can only be deleted after the setting has been explicitly disabled in a separate UpdateTable call. Note that this is a guard against mistakes rather than a security boundary. Any principal allowed dynamodb:UpdateTable can switch the setting off, so for the compromised-credentials case it must be combined with IAM restrictions on who may call UpdateTable and DeleteTable (see Notes).

Remediation Steps

Prerequisites

  • Access to the AWS Console with permissions to modify DynamoDB tables, or
  • AWS CLI configured with appropriate credentials

AWS Console Method

  1. Open the DynamoDB console
  2. In the left navigation, click Tables
  3. Select the table you want to protect
  4. Click the Additional settings tab
  5. In the Deletion protection section, click Edit
  6. Check the box for Enable deletion protection
  7. Click Save changes

AWS CLI

To enable deletion protection on an existing table:

aws dynamodb update-table \
--table-name <TABLE_NAME> \
--deletion-protection-enabled \
--region us-east-1

Replace <TABLE_NAME> with your actual table name.

To verify the setting was applied:

aws dynamodb describe-table \
--table-name <TABLE_NAME> \
--region us-east-1 \
--query 'Table.DeletionProtectionEnabled'

This should return true.
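The script below is an added example, not code from this page or from the tool that produces the check. It wraps the two CLI calls above into an audit that lists every table in a region, reports each one as PASS or FAIL based on the value of Table.DeletionProtectionEnabled, prints the remediation command for each failing table, and, when run with fix, enables protection and re-verifies it. It assumes AWS CLI v2 (which paginates list-tables automatically) and credentials allowed dynamodb:ListTables, dynamodb:DescribeTable and, for fix, dynamodb:UpdateTable. The file and function names are this example's own.

```shell
#!/usr/bin/env bash
# dynamodb-deletion-protection.sh (added example; not part of the original page)
# Audit every DynamoDB table in a region for deletion protection; with "fix", enable
# it on the tables that lack it. Assumes AWS CLI v2 and credentials allowed
# dynamodb:ListTables, dynamodb:DescribeTable and, for "fix", dynamodb:UpdateTable.
set -eu

# Classify the value of Table.DeletionProtectionEnabled as printed by
# `describe-table --query Table.DeletionProtectionEnabled --output text`:
# "True", "False", or "None" when the field is absent. Only an explicit True passes.
is_protected() {
  case "$1" in
    True|true) return 0 ;;
    *)         return 1 ;;
  esac
}

# Print the remediation command for one table so it can be reviewed before it runs.
remediation_cmd() {
  printf 'aws dynamodb update-table --table-name %s --deletion-protection-enabled --region %s\n' "$1" "$2"
}

# Look up the flag for one table. Kept separate so audit_tables can run with a stub.
describe_flag() {
  aws dynamodb describe-table --table-name "$1" --region "$2" \
    --query 'Table.DeletionProtectionEnabled' --output text </dev/null
}

# Read table names (one per line) from stdin, resolve each with the lookup function
# named in $2 (default describe_flag), and print "PASS <name>" or "FAIL <name>".
# Returns 1 when at least one table is unprotected, so it can gate a CI job.
audit_tables() {
  local region="$1"
  local lookup="${2:-describe_flag}"
  local rc=0
  local name flag
  while IFS= read -r name; do
    [ -n "$name" ] || continue
    flag="$("$lookup" "$name" "$region")"
    if is_protected "$flag"; then
      echo "PASS $name"
    else
      echo "FAIL $name"
      rc=1
    fi
  done
  return "$rc"
}

# List table names in the region, one per line (text output is tab-separated).
list_tables() {
  aws dynamodb list-tables --region "$1" --query 'TableNames[]' --output text </dev/null \
    | tr '\t' '\n'
}

main() {
  local mode="$1"
  local region="${AWS_REGION:-us-east-1}"
  local report name
  report="$(list_tables "$region" | audit_tables "$region")" || true
  printf '%s\n' "$report"
  printf '%s\n' "$report" | awk '$1 == "FAIL" { print $2 }' | while IFS= read -r name; do
    if [ "$mode" = fix ]; then
      aws dynamodb update-table --table-name "$name" --region "$region" \
        --deletion-protection-enabled </dev/null >/dev/null
      # Re-read the flag rather than trusting the update response.
      if is_protected "$(describe_flag "$name" "$region")"; then
        echo "FIXED $name"
      else
        echo "STILL-FAILING $name"
      fi
    else
      remediation_cmd "$name" "$region"
    fi
  done
  if [ "$mode" = audit ] && printf '%s\n' "$report" | grep -q '^FAIL'; then
    return 1
  fi
}

# Run only when a mode is given, so the functions can also be sourced for testing.
case "${1:-}" in
  audit|fix) main "$1" ;;
esac
```

Usage: `./dynamodb-deletion-protection.sh audit` prints the report plus one ready-to-run update-table command per failing table and exits non-zero if anything failed; `./dynamodb-deletion-protection.sh fix` applies the change and confirms each table with a fresh describe-table. The lookup is deliberately a separate function so the classification logic can be exercised without AWS access.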

CloudFormation

Add the DeletionProtectionEnabled property to your DynamoDB table resource. Because the setting is enforced by the DynamoDB API, deleting the stack will fail at this resource until the property is set back to false and the stack updated; if you want stack deletion to succeed while keeping the table, also set DeletionPolicy: Retain on the resource.

AWSTemplateFormatVersion: '2010-09-09'
Description: DynamoDB table with deletion protection enabled

Parameters:
  TableName:
    Type: String
    Description: Name of the DynamoDB table
    Default: my-protected-table

Resources:
  DynamoDBTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: !Ref TableName
      BillingMode: PAY_PER_REQUEST
      DeletionProtectionEnabled: true
      AttributeDefinitions:
        - AttributeName: id
          AttributeType: S
      KeySchema:
        - AttributeName: id
          KeyType: HASH

Outputs:
  TableArn:
    Description: ARN of the DynamoDB table
    Value: !GetAtt DynamoDBTable.Arn

Terraform

Set deletion_protection_enabled = true on your DynamoDB table resource:

resource "aws_dynamodb_table" "example" {
  name                        = "example-table"
  billing_mode                = "PAY_PER_REQUEST"
  hash_key                    = "id"
  deletion_protection_enabled = true

  attribute {
    name = "id"
    type = "S"
  }
}

For existing tables managed by Terraform, add the deletion_protection_enabled = true argument and run terraform apply; the change is an in-place update, not a replacement. Because the setting is enforced by the DynamoDB API, terraform destroy will also fail on the table until the argument is set back to false and applied. Terraform's own lifecycle { prevent_destroy = true } block is a complementary plan-time guard that stops the table from being destroyed or replaced by a configuration change.

Verification

After enabling deletion protection:

  1. In the DynamoDB console, navigate to your table and check the Additional settings tab
  2. Confirm that Deletion protection shows as Enabled

CLI verification

aws dynamodb describe-table \
--table-name <TABLE_NAME> \
--region us-east-1 \
--query 'Table.DeletionProtectionEnabled'

Expected output: true

Additional Resources

Notes

  • Deletion protection does not prevent data modification. It only prevents the table itself from being deleted; items can still be overwritten or removed, and the table can still be truncated by scripting. Use IAM policies to control who can read and write data.
  • Disabling protection requires an explicit action. To delete a protected table, you must first disable deletion protection with UpdateTable, then delete the table in a separate DeleteTable operation. Anyone allowed dynamodb:UpdateTable can do this, so restrict that permission alongside dynamodb:DeleteTable.
  • Layer with other protections. Enable Point-in-Time Recovery (PITR) and/or on-demand backups so that a deletion that does get through, or destructive writes that deletion protection does not cover, can be recovered.
  • Automate for new tables. Set the property by default in your infrastructure-as-code templates and modules. Service Control Policies (SCPs) cannot turn the setting on for you, and DynamoDB offers no IAM condition key to require it at CreateTable time, but an SCP or IAM policy can deny dynamodb:DeleteTable (and, where appropriate, dynamodb:UpdateTable) for all but a designated break-glass role, and the AWS Config managed rule dynamodb-table-deletion-protection-enabled can flag tables that drift.