DynamoDB tables have deletion protection enabled, meaning delete operations on the table fail until this setting is explicitly disabled first
Risk
Without deletion protection, a table can be removed by any principal authorized to delete it or by misconfigured automation, causing irrecoverable data loss and a service outage. This impacts integrity and availability, and it increases the blast radius of compromised credentials or mistaken runbooks.
Run this check with Prowler CLI
prowler aws --checks dynamodb_table_deletion_protection_enabled
Recommendation
Enable deletion protection on critical tables.
- Enforce least privilege to restrict who can modify this setting
- Require change control to disable it before planned deletes
- Combine with point-in-time recovery (PITR) and backups for defense in depth
- Use automation to make this the default for new tables
Remediation
CLI
aws dynamodb update-table --table-name <TABLE_NAME> --deletion-protection-enabled
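The check logic and the CLI fix above, as an added example that is not Prowler's own source: it evaluates the Table objects a describe_table call returns, treats a missing DeletionProtectionEnabled key as disabled, and builds the remediation command for each failing table. The sample responses are constructed, not captured from a real account.

```python
"""Audit DynamoDB describe_table output for deletion protection (offline)."""
from typing import Iterable


def deletion_protection_enabled(table: dict) -> bool:
    """Return True only when the table explicitly reports the flag as on.

    A missing key is read as disabled: an absent setting gives no
    protection, so the conservative verdict is FAIL.
    """
    return bool(table.get("DeletionProtectionEnabled", False))


def evaluate_table(table: dict) -> dict:
    """Produce a PASS/FAIL finding in the style of the check above."""
    name = table["TableName"]
    if deletion_protection_enabled(table):
        return {"table": name, "status": "PASS",
                "message": f"DynamoDB table {name} has deletion protection enabled."}
    return {"table": name, "status": "FAIL",
            "message": f"DynamoDB table {name} does not have deletion protection enabled."}


def audit_tables(tables: Iterable[dict]) -> list:
    """Evaluate every Table object handed in (one per describe_table call)."""
    return [evaluate_table(t) for t in tables]


def remediation_commands(findings: Iterable[dict]) -> list:
    """Build the CLI fix from the remediation section for each failing table."""
    return [f"aws dynamodb update-table --table-name {f['table']} "
            "--deletion-protection-enabled"
            for f in findings if f["status"] == "FAIL"]


# Constructed sample: the "Table" objects describe_table would return.
SAMPLE_TABLES = [
    {"TableName": "orders", "TableStatus": "ACTIVE", "DeletionProtectionEnabled": True},
    {"TableName": "sessions", "TableStatus": "ACTIVE", "DeletionProtectionEnabled": False},
    {"TableName": "legacy-events", "TableStatus": "ACTIVE"},  # flag absent entirely
]

if __name__ == "__main__":
    results = audit_tables(SAMPLE_TABLES)
    for finding in results:
        print(finding["status"], finding["message"])
    for cmd in remediation_commands(results):
        print(cmd)
```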
Other
- Open the AWS Management Console and go to DynamoDB
- Select the table
- Choose Additional settings
- Enable Deletion protection
- Save changes
Resource Type
AwsDynamoDbTable