
Enable Deletion Protection

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Amazon DynamoDB tables have the Deletion Protection feature enabled in order to protect them from being accidentally deleted.

Security
Reliability

With the Deletion Protection safety feature enabled, your Amazon DynamoDB tables cannot be accidentally deleted, which helps keep your data safe. Deletion protection prevents a table on which it is enabled, whether existing or newly created, from being deleted by any user through the AWS Management Console, AWS CLI, or AWS API calls until the feature is explicitly disabled in the table configuration.


Audit

To determine if your Amazon DynamoDB tables are protected against accidental deletion, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon DynamoDB console available at https://console.aws.amazon.com/dynamodbv2/.

03 In the main navigation panel, under Dashboard, choose Tables.

04 Click on the name (link) of the Amazon DynamoDB table that you want to examine.

05 Select the Additional settings tab to access the additional settings available for the selected table.

06 In the Deletion protection section, check the Deletion protection configuration setting. If Deletion protection is set to Off, the Deletion Protection safety feature is not enabled for the selected Amazon DynamoDB table.

07 Repeat steps no. 4 – 6 for each Amazon DynamoDB table available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run the list-tables command (OSX/Linux/UNIX) with custom query filters to list the name of each Amazon DynamoDB table created in the selected AWS cloud region:

aws dynamodb list-tables \
  --region us-east-1 \
  --output table \
  --query 'TableNames'

02 The command output should return a table with the requested table name(s):

--------------------------
|       ListTables       |
+------------------------+
|  cc-product-reviews    |
|  cc-product-inventory  |
+------------------------+ 

03 Run the describe-table command (OSX/Linux/UNIX) using the name of the Amazon DynamoDB table that you want to examine as the identifier parameter and custom query filters to return the Deletion Protection feature status for the selected table:

aws dynamodb describe-table \
  --region us-east-1 \
  --table-name cc-product-reviews \
  --query 'Table.DeletionProtectionEnabled'

04 The command output should return the feature status for the selected table:

false

If the describe-table command output returns false, as shown in the output example above, the Deletion Protection safety feature is not enabled for the selected Amazon DynamoDB table.

05 Repeat steps no. 3 and 4 for each DynamoDB table available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enable Deletion Protection feature for your existing Amazon DynamoDB tables, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon DynamoDB console available at https://console.aws.amazon.com/dynamodbv2/.

03 In the main navigation panel, under Dashboard, choose Tables.

04 Click on the name (link) of the Amazon DynamoDB table that you want to configure.

05 Select the Additional settings tab to access the additional settings available for the selected table.

06 Choose Turn on from the Deletion protection section to initiate the process.

07 In the Turn on deletion protection confirmation box, choose Confirm to enable the Deletion Protection safety feature for the selected Amazon DynamoDB table.

08 Repeat steps no. 4 – 7 for each Amazon DynamoDB table that you want to configure, available in the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run the update-table command (OSX/Linux/UNIX) using the name of the Amazon DynamoDB table that you want to configure as the identifier parameter, to enable the Deletion Protection safety feature for the selected DynamoDB table:

aws dynamodb update-table \
  --region us-east-1 \
  --table-name cc-product-reviews \
  --deletion-protection-enabled

02 The command output should return the configuration information available for the selected table:

{
	"TableDescription": {
		"TableName": "cc-product-reviews",
		"TableStatus": "ACTIVE",
		"CreationDateTime": "2024-01-05T11:14:28.373000+00:00",
		"ProvisionedThroughput": {
			"NumberOfDecreasesToday": 0,
			"ReadCapacityUnits": 0,
			"WriteCapacityUnits": 0
		},
		"TableSizeBytes": 520500,
		"ItemCount": 12,
		"TableArn": "arn:aws:dynamodb:us-east-1:123456789012:table/cc-product-reviews",
		"TableId": "ancd1234-abcd-1234-abcd-1234abcd1234",
		"BillingModeSummary": {
			"BillingMode": "PAY_PER_REQUEST",
			"LastUpdateToPayPerRequestDateTime": "2024-01-05T11:14:28.373000+00:00"
		},
		"TableClassSummary": {
			"TableClass": "STANDARD"
		},
		"DeletionProtectionEnabled": true
	}
}

03 Repeat steps no. 1 and 2 for each Amazon DynamoDB table that you want to configure, available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.
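The CLI Audit steps (list-tables, then describe-table per table and per region) and the CLI Remediation step (update-table) above can be scripted as one pass over all regions. The following is an added example, not Conformity's own code: it uses the same three DynamoDB API calls through a duck-typed client, so for a real account you would pass `lambda r: boto3.client("dynamodb", region_name=r)` as `client_for_region`; the `StubDynamoDB` class and the table names it holds are constructed stand-ins so the script runs offline.

```python
# Added example (not Conformity's code). Audits DynamoDB Deletion Protection per
# region like the page's CLI steps (ListTables -> DescribeTable) and can remediate
# via UpdateTable. StubDynamoDB is a constructed stand-in for a boto3 client.

def list_table_names(client):
    """Page through ListTables; the API returns at most 100 names per call."""
    names, kwargs = [], {}
    while True:
        resp = client.list_tables(**kwargs)
        names.extend(resp.get("TableNames", []))
        last = resp.get("LastEvaluatedTableName")
        if not last:
            return names
        kwargs = {"ExclusiveStartTableName": last}

def find_unprotected_tables(client):
    """Names of tables where Table.DeletionProtectionEnabled is false or absent."""
    unprotected = []
    for name in list_table_names(client):
        table = client.describe_table(TableName=name)["Table"]
        if not table.get("DeletionProtectionEnabled", False):
            unprotected.append(name)
    return unprotected

def audit_regions(regions, client_for_region, remediate=False):
    """Return {region: [unprotected tables]}; turn protection on if remediate."""
    findings = {}
    for region in regions:
        client = client_for_region(region)
        findings[region] = find_unprotected_tables(client)
        if remediate:
            for name in findings[region]:
                client.update_table(TableName=name, DeletionProtectionEnabled=True)
    return findings

class StubDynamoDB:
    """Constructed in-memory stand-in for a boto3 DynamoDB client (offline only)."""
    def __init__(self, tables):
        self.tables = dict(tables)  # table name -> DeletionProtectionEnabled
    def list_tables(self, ExclusiveStartTableName=None):
        names = sorted(self.tables)
        if ExclusiveStartTableName:
            names = names[names.index(ExclusiveStartTableName) + 1:]
        resp = {"TableNames": names[:1]}  # page size 1 to exercise pagination
        if names[1:]:
            resp["LastEvaluatedTableName"] = names[0]
        return resp
    def describe_table(self, TableName):
        return {"Table": {"DeletionProtectionEnabled": self.tables[TableName]}}
    def update_table(self, TableName, DeletionProtectionEnabled):
        self.tables[TableName] = DeletionProtectionEnabled
        return {"TableDescription": {"DeletionProtectionEnabled": DeletionProtectionEnabled}}
```

Run the audit with `remediate=False` first and review the findings before turning protection on, since enabling it blocks every delete-table call until someone explicitly disables it again.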


Publication date Jan 11, 2024