Profile Applicability:
- Level 1
Description:
DynamoDB Deletion Protection is a table setting that prevents accidental or unauthorized deletion of critical DynamoDB tables. When enabled, the table cannot be deleted until deletion protection is explicitly disabled. This adds an extra layer of safety for important tables by preventing data loss caused by misconfiguration, faulty automation, or an unintended DeleteTable call. Because the setting is turned off with the same dynamodb:UpdateTable permission used to turn it on, it is a guard rail rather than an access control: IAM policies on UpdateTable and DeleteTable still determine who can ultimately remove a table.
Rationale:
- Data Protection: Enabling deletion protection safeguards against accidental table deletions, ensuring that critical data is not lost unintentionally.
- Operational Continuity: Preventing table deletion helps to ensure that critical applications relying on the data remain operational without the risk of data loss.
- Compliance: Certain regulatory frameworks and compliance standards require the use of deletion protection to prevent accidental deletion of important data, ensuring that no critical data is permanently lost.
Impact:
Pros:
- Accidental Deletion Prevention: Helps to prevent unintentional deletion of important tables.
- Increased Data Protection: Adds an extra layer of security for high-priority data stored in DynamoDB tables.
- Compliance: Helps to meet compliance requirements where data protection and table retention are necessary.
Cons:
- Operational Limitation: In rare cases, deletion protection may complicate administrative tasks if deletion is necessary, requiring extra steps to disable the protection.
- Administrative Overhead: Managing deletion protection across all tables may require extra operational processes.
Default Value:
By default, deletion protection is disabled for DynamoDB tables. It must be explicitly enabled for each table that requires protection.
Prerequisites:
- AWS IAM permissions:
  - dynamodb:DescribeTable
  - dynamodb:UpdateTable
- AWS CLI installed and configured.
- DynamoDB table created or in the process of being created.
Test Plan:
Using AWS Console:
- Sign in to the AWS Management Console.
- Navigate to DynamoDB under Services.
- In the DynamoDB Console, go to Tables.
- Select the table you want to check.
- In the Table details section, check whether Deletion Protection is enabled.
  - If enabled, the table will display "Deletion Protection: Enabled".
  - If disabled, you can enable it through the Modify Table option.
Using AWS CLI:
To check if Deletion Protection is enabled for a specific DynamoDB table, run:
aws dynamodb describe-table --table-name <table-name> --query "Table.DeletionProtectionEnabled"
If the result is true, deletion protection is enabled. If the result is false, deletion protection is not enabled.
Implementation Steps:
Using AWS Console:
- Sign in to the AWS Management Console and navigate to DynamoDB.
- Select Tables and choose the table for which you want to enable Deletion Protection.
- In the Table details, click Modify Table.
- Under the Deletion Protection setting, select Enable Deletion Protection.
- Save the changes to apply deletion protection.
Using AWS CLI:
To enable Deletion Protection for a DynamoDB table, run:
aws dynamodb update-table --table-name <table-name> --deletion-protection-enabled
Verify the status of deletion protection by running the describe-table command:
aws dynamodb describe-table --table-name <table-name> --query "Table.DeletionProtectionEnabled"
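The two CLI commands above check and enable protection one table at a time. The following script, added here as an illustration and not part of this recommendation's own content, wraps the same describe-table and update-table calls so every table in a region is audited in one pass and, with --enable, brought into compliance and re-verified. The evaluation logic treats a missing Table.DeletionProtectionEnabled field as unprotected rather than assuming a default; the SAMPLE_DESCRIPTIONS dict is constructed sample data (trimmed describe-table responses, not real AWS output) so that logic can be exercised without credentials. The region default and the --enable flag are this script's own conventions.

```python
"""Audit DynamoDB tables for deletion protection and optionally enable it.

Wraps the AWS CLI commands from this recommendation (describe-table /
update-table) so that every table in a region is checked in one pass.
Usage:  python audit_ddb_deletion_protection.py <region> [--enable]
"""
import json
import subprocess
import sys
from typing import Dict, List

# Constructed sample describe-table responses (trimmed to the relevant
# fields), not real AWS output, used to exercise the evaluation offline.
SAMPLE_DESCRIPTIONS = {
    "orders":   {"Table": {"TableName": "orders",   "TableStatus": "ACTIVE",
                           "DeletionProtectionEnabled": True}},
    "sessions": {"Table": {"TableName": "sessions", "TableStatus": "ACTIVE",
                           "DeletionProtectionEnabled": False}},
    "legacy":   {"Table": {"TableName": "legacy",   "TableStatus": "ACTIVE"}},
}


def run_aws(args: List[str]) -> dict:
    """Run one AWS CLI command and parse its JSON output."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def is_deletion_protected(describe_table_output: dict) -> bool:
    """Evaluate a describe-table response.

    Only an explicit true counts as protected; a missing or false field is
    reported as unprotected so nothing is marked compliant by accident.
    """
    table = describe_table_output.get("Table", {})
    return table.get("DeletionProtectionEnabled") is True


def classify_tables(descriptions: Dict[str, dict]) -> Dict[str, List[str]]:
    """Split table names into protected / unprotected buckets."""
    report: Dict[str, List[str]] = {"protected": [], "unprotected": []}
    for name, desc in descriptions.items():
        key = "protected" if is_deletion_protected(desc) else "unprotected"
        report[key].append(name)
    return report


def list_tables(region: str) -> List[str]:
    """Return every table name in the region, following pagination."""
    names: List[str] = []
    token = None
    while True:
        args = ["dynamodb", "list-tables", "--region", region]
        if token:
            args += ["--exclusive-start-table-name", token]
        page = run_aws(args)
        names.extend(page.get("TableNames", []))
        token = page.get("LastEvaluatedTableName")
        if not token:
            return names


def describe_table(region: str, name: str) -> dict:
    """Same call as the describe-table check in the test plan."""
    return run_aws(["dynamodb", "describe-table",
                    "--table-name", name, "--region", region])


def set_deletion_protection(region: str, name: str, enabled: bool) -> dict:
    """update-table with the enable flag, or the no- flag used for backout."""
    flag = ("--deletion-protection-enabled" if enabled
            else "--no-deletion-protection-enabled")
    return run_aws(["dynamodb", "update-table",
                    "--table-name", name, "--region", region, flag])


def main(argv: List[str]) -> int:
    region = argv[1] if len(argv) > 1 else "us-east-1"
    remediate = "--enable" in argv
    descriptions = {n: describe_table(region, n) for n in list_tables(region)}
    report = classify_tables(descriptions)
    for name in report["protected"]:
        print(f"protected:     {name}")
    for name in report["unprotected"]:
        print(f"NOT PROTECTED: {name}")
        if remediate:
            set_deletion_protection(region, name, True)
            # Re-read the table, as the verification step above does.
            if is_deletion_protected(describe_table(region, name)):
                print(f"  enabled deletion protection on {name}")
    # Non-zero exit lets a CI job fail on unremediated findings.
    return 1 if report["unprotected"] and not remediate else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The audit exits non-zero when unprotected tables remain, so it can run as a scheduled compliance check; the IAM principal it runs under needs only dynamodb:ListTables and dynamodb:DescribeTable for the read-only pass, and dynamodb:UpdateTable when --enable is used.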
Backout Plan:
Using AWS Console:
- If enabling deletion protection causes issues, sign in to the AWS Management Console.
- Navigate to DynamoDB, select the table, and go to Edit settings.
- Disable deletion protection and save the changes.
Using AWS CLI:
To disable deletion protection, run the following command:
aws dynamodb update-table --table-name <table-name> --no-deletion-protection-enabled --region <region>
Verify that deletion protection is now disabled (the query should return false) by describing the table again:
aws dynamodb describe-table --table-name <table-name> --region <region> --query "Table.DeletionProtectionEnabled"