How do I turn on accidental delete protection for my DynamoDB tables?


I want to turn on accidental delete protection for my Amazon DynamoDB table to safeguard my data.

Short description

To help prevent the unintentional deletion of DynamoDB tables, you can use the deletion protection feature. When this feature is turned on, the table can't be deleted until you explicitly turn the protection off, so a stray DeleteTable call from a script, a console click, or an infrastructure-as-code run fails instead of destroying data. You can also use resource-based policies and service control policies for additional protection of your DynamoDB table.

To turn on delete protection, use one of the following methods:

  • DynamoDB console
  • AWS Command Line Interface (AWS CLI)
  • AWS SDK

Resolution

Use the DynamoDB console to turn on delete protection

  1. Sign in to the AWS Management Console.
  2. Open the Amazon DynamoDB console.
  3. In the navigation pane, choose Tables.
  4. Choose the name of the table that you want to protect to open the table details.
  5. In the Table details section, choose Additional Settings.
  6. Under Deletion protection, choose the Turn On setting.
  7. Choose Save.

Use the AWS CLI to turn on delete protection

To use the AWS CLI to turn on delete protection for a DynamoDB table, run the following command:

aws dynamodb update-table \
    --table-name my-table \
    --deletion-protection-enabled

Note: Replace my-table with the name of your DynamoDB table.

Use the AWS SDK to turn on delete protection

You can also use the AWS SDK to programmatically turn on delete protection. The following example uses the AWS SDK for Python (Boto3):

import boto3
from botocore.exceptions import ClientError

# Create a DynamoDB client (uses the default credentials and Region)
dynamodb = boto3.client('dynamodb')

# Set the table name
table_name = 'my-table'

# Enable delete protection; UpdateTable returns as soon as the change is accepted
try:
    dynamodb.update_table(
        TableName=table_name,
        DeletionProtectionEnabled=True
    )
    # Confirm the setting with DescribeTable instead of trusting the call alone
    table = dynamodb.describe_table(TableName=table_name)['Table']
    if table.get('DeletionProtectionEnabled'):
        print(f'Delete protection enabled for table {table_name}')
    else:
        print(f'Delete protection is still off for table {table_name}')
except ClientError as e:
    # Typical causes: ResourceNotFoundException (wrong table name),
    # ResourceInUseException (table not in ACTIVE state),
    # AccessDeniedException (caller lacks dynamodb:UpdateTable)
    print(f'Error enabling delete protection: {e}')

Note: Replace 'my-table' with the name of your DynamoDB table.

With delete protection turned on, any attempt to delete the table fails with the following error message:

"An error occurred (ValidationException) when calling the DeleteTable operation: Resource cannot be deleted as it is currently protected against deletion. Disable deletion protection first."

Note: To delete the table, you must first turn off delete protection, for example with the same update-table command and the --no-deletion-protection-enabled option. Turning protection off is itself an UpdateTable call, so a principal that has dynamodb:UpdateTable can remove the guard; the policies in the next section close that gap.
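All three methods above set the flag on one table at a time. As an added example that is not part of the original article, the following Python script audits every table in a Region for the flag, turns it on where it is missing, and confirms the result with DescribeTable rather than trusting the UpdateTable response. The function names (find_unprotected_tables, protect_tables) and the constructed FakeDynamoDB stand-in, which exists only so the script runs offline, are this example's own; with --live it uses a real boto3 client instead.

```python
"""Audit DynamoDB tables for deletion protection and turn it on where missing.
Added example, not code from the original article."""
from typing import Any


def find_unprotected_tables(client: Any) -> list[str]:
    """Return the names of tables whose DeletionProtectionEnabled flag is false.

    Works with a real boto3 DynamoDB client or any object exposing the same
    get_paginator('list_tables') and describe_table() calls.
    """
    unprotected = []
    for page in client.get_paginator("list_tables").paginate():
        for name in page.get("TableNames", []):
            table = client.describe_table(TableName=name)["Table"]
            # A missing flag means protection is off, so treat it as False.
            if not table.get("DeletionProtectionEnabled", False):
                unprotected.append(name)
    return unprotected


def protect_tables(client: Any, names: list[str], dry_run: bool = True) -> list[str]:
    """Enable deletion protection on each named table and return the names
    whose protection DescribeTable confirms afterwards. Changes nothing when
    dry_run is True."""
    confirmed = []
    for name in names:
        if dry_run:
            print(f"[dry run] would enable deletion protection on {name}")
            continue
        # UpdateTable raises ResourceInUseException while a table is not ACTIVE,
        # so one failing table must not abort the rest of the run.
        try:
            client.update_table(TableName=name, DeletionProtectionEnabled=True)
        except Exception as exc:  # botocore.exceptions.ClientError in live runs
            print(f"could not protect {name}: {exc}")
            continue
        table = client.describe_table(TableName=name)["Table"]
        if table.get("DeletionProtectionEnabled"):
            confirmed.append(name)
    return confirmed


class FakeDynamoDB:
    """Constructed stand-in for a boto3 DynamoDB client (offline use only).
    It models just the three calls the functions above rely on."""

    def __init__(self, tables: dict[str, bool]):
        self.tables = dict(tables)  # table name -> DeletionProtectionEnabled

    def get_paginator(self, operation: str):
        assert operation == "list_tables"
        fake = self

        class _Paginator:
            def paginate(self):
                yield {"TableNames": sorted(fake.tables)}

        return _Paginator()

    def describe_table(self, TableName: str) -> dict:
        return {"Table": {"TableName": TableName,
                          "DeletionProtectionEnabled": self.tables[TableName]}}

    def update_table(self, TableName: str, DeletionProtectionEnabled: bool) -> dict:
        self.tables[TableName] = DeletionProtectionEnabled
        return {"TableDescription": self.describe_table(TableName)["Table"]}


if __name__ == "__main__":
    import sys

    if "--live" in sys.argv:
        import boto3  # needs credentials plus ListTables, DescribeTable, UpdateTable
        client = boto3.client("dynamodb")
    else:
        # Constructed sample inventory: one protected table, two unprotected.
        client = FakeDynamoDB({"orders": True, "sessions": False, "users": False})
    missing = find_unprotected_tables(client)
    print("unprotected:", missing)
    print("confirmed:", protect_tables(client, missing, dry_run="--apply" not in sys.argv))
```

Run it without arguments to see the dry run against the constructed inventory, with --apply to change the fake, and with --live --apply against your account. The dry-run default is deliberate: the script lists what it would touch before it touches anything.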

Additional best practices

To further guard your DynamoDB tables from accidental deletion, review the following best practices.

Resource-based policy usage

A resource-based policy is attached to the table itself and states which AWS Identity and Access Management (IAM) principals can perform which actions on it. The following example policy contains an explicit Deny on dynamodb:DeleteTable for every principal except the Admin role, which is identified through the aws:PrincipalArn condition key. Because an explicit Deny overrides any Allow, a principal that holds full DynamoDB access through its identity-based policy is still refused. Two caveats: check that the role ARN in the condition is exactly the one you intend, because otherwise nobody can delete the table without first editing the policy; and note that this statement does not restrict dynamodb:PutResourcePolicy or dynamodb:DeleteResourcePolicy, so a principal that can change the table's resource policy can remove the guard. Add those actions to the Deny if that matters in your environment.

Example resource-based policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "dynamodb:DeleteTable"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-east-1:xxxxx:table/donotdeletetable"
      ],
      "Condition": {
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::xxxxx:role/Admin"
        }
      }
    }
  ]
}

Note: aws:PrincipalArn is a single-valued condition key, so the plain ArnNotEquals operator is used. The ForAnyValue and ForAllValues set prefixes are meant for multivalued keys, and AWS documents their results on single-valued keys as unreliable.

Example error message:

"Your delete table request encountered issues. User: arn:aws:sts::xxxxx:assumed-role/dynamodbfullaccessrole/database-admin is not authorized to perform: dynamodb:DeleteTable on resource: arn:aws:dynamodb:us-east-1:xxxx:table/donotdeletetable with an explicit deny in a resource-based policy."
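To attach such a policy from code and prove that it took effect, the following added example (not from the original article) builds the Deny statement for a table ARN and a list of break-glass principals, attaches it with PutResourcePolicy, and reads it back with GetResourcePolicy to confirm the deny is present. The names build_deny_delete_policy, apply_deny_delete_policy and FakeResourcePolicyClient are this example's own; the 111122223333 account ID is a placeholder. It generalizes the page's single-admin policy to several allowed principals, which ArnNotEquals supports as a list.

```python
"""Attach and verify a DeleteTable-deny resource policy on a DynamoDB table.
Added example, not code from the original article."""
import json
from typing import Any


def build_deny_delete_policy(table_arn: str, allowed_principal_arns: list[str]) -> dict:
    """Deny dynamodb:DeleteTable on table_arn for every principal whose ARN is
    not in allowed_principal_arns. With a list, ArnNotEquals matches when the
    caller's ARN equals none of the entries."""
    if not allowed_principal_arns:
        raise ValueError("at least one break-glass principal is required, "
                         "or nobody can delete the table without editing the policy")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyDeleteTableExceptAdmins",
                "Effect": "Deny",
                "Principal": "*",
                "Action": ["dynamodb:DeleteTable"],
                "Resource": [table_arn],
                "Condition": {"ArnNotEquals": {"aws:PrincipalArn": allowed_principal_arns}},
            }
        ],
    }


def apply_deny_delete_policy(client: Any, table_arn: str, allowed_principal_arns: list[str]) -> bool:
    """Attach the policy and return True only if GetResourcePolicy shows a Deny
    on dynamodb:DeleteTable afterwards. client may be a real boto3 DynamoDB
    client (needs dynamodb:PutResourcePolicy and dynamodb:GetResourcePolicy)."""
    policy = build_deny_delete_policy(table_arn, allowed_principal_arns)
    client.put_resource_policy(ResourceArn=table_arn, Policy=json.dumps(policy))
    stored = json.loads(client.get_resource_policy(ResourceArn=table_arn)["Policy"])
    return any(
        stmt.get("Effect") == "Deny" and "dynamodb:DeleteTable" in stmt.get("Action", [])
        for stmt in stored.get("Statement", [])
    )


class FakeResourcePolicyClient:
    """Constructed stand-in for the two resource-policy calls (offline use only)."""

    def __init__(self):
        self.policies: dict[str, str] = {}

    def put_resource_policy(self, ResourceArn: str, Policy: str) -> dict:
        self.policies[ResourceArn] = Policy
        return {"RevisionId": str(len(self.policies))}

    def get_resource_policy(self, ResourceArn: str) -> dict:
        return {"Policy": self.policies[ResourceArn], "RevisionId": "1"}


if __name__ == "__main__":
    # Placeholder ARNs; replace with your table and break-glass role ARNs.
    table = "arn:aws:dynamodb:us-east-1:111122223333:table/donotdeletetable"
    admins = ["arn:aws:iam::111122223333:role/Admin"]
    client = FakeResourcePolicyClient()  # swap for boto3.client("dynamodb") to run live
    print("deny in place:", apply_deny_delete_policy(client, table, admins))
    print(json.dumps(build_deny_delete_policy(table, admins), indent=2))
```

The read-back check matters because PutResourcePolicy only reports that the call was accepted; confirming what GetResourcePolicy returns is what you would record as evidence in a change ticket. For a live run, also try a DeleteTable as a non-admin role and confirm you get the explicit-deny error shown above.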

Service control policies

In AWS Organizations, you can use service control policies (SCPs) with attribute-based access control (ABAC) to restrict the DeleteTable operation across the organization. The SCP below denies dynamodb:DeleteTable on any table that carries the tag environment=production. To delete such a table, an administrator must first remove the tag, which turns deletion into a deliberate two-step action. SCPs apply to every principal in the member accounts, including each account's root user, but they have no effect in the management account.

Example SCP with ABAC:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Deny",
      "Action": [
        "dynamodb:DeleteTable"
      ],
      "Resource": [
        "arn:aws:dynamodb:*:*:table/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/environment": "production"
        }
      }
    }
  ]
}

Note: The Resource element covers every table so that the tag, not the table name, decides what is protected. StringEquals is used rather than StringEqualsIfExists: an IfExists operator evaluates to true when the tag is absent, which would turn this Deny into a block on deleting every untagged table.

Example error message:

"Your delete table request encountered issues. User: arn:aws:sts::xxxx:assumed-role/Admin/dbadmin is not authorized to perform: dynamodb:DeleteTable on resource: arn:aws:dynamodb:us-east-1:xxxx:table/donotdeletetablewithtags with an explicit deny in a service control policy."

Related information

Using On-Demand backup and restore for DynamoDB

Security and compliance in Amazon DynamoDB

Best practices for designing and architecting with DynamoDB

AWS OFFICIAL, updated 4 months ago