Compliance Medium severity

AWS Security Hub · DynamoDB

DynamoDB.6: DynamoDB tables should have deletion protection

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub DynamoDB.6 check?

DynamoDB.6 checks whether each DynamoDB table has deletion protection enabled, i.e. whether the table's DeletionProtectionEnabled attribute is true. It reports FAILED for any table where the flag is false, meaning a DeleteTable call would succeed without someone first turning the flag off.

Why does DynamoDB.6 matter?

Deletion protection guards against an irreversible mistake: a fat-fingered CLI call, a runaway script or an IaC change that destroys a production table. While the flag is set, DeleteTable requests are rejected until someone deliberately clears it, and the flag has no effect on reads, writes, capacity or billing. Backups and point-in-time recovery make a deleted table recoverable, but only after a restore that takes time and lands on whatever the last restore point captured. The protection flag is the cheaper control because it removes the single most damaging accidental action instead of shortening the outage after it.

How do I fix DynamoDB.6?

  1. Audit which tables lack deletion protection: aws dynamodb describe-table returns the flag as Table.DeletionProtectionEnabled.
  2. Enable it in place with a single non-destructive call: aws dynamodb update-table --table-name <name> --deletion-protection-enabled. The table stays ACTIVE and serving traffic throughout.
  3. Update your infrastructure-as-code so the tool that owns the table definition does not flip it back off: deletion_protection_enabled = true on Terraform's aws_dynamodb_table, or DeletionProtectionEnabled: true on a CloudFormation AWS::DynamoDB::Table resource.
  4. Add a pipeline check so new tables ship with protection on (aws dynamodb create-table accepts --deletion-protection-enabled, and an IaC lint can reject table resources that omit the property).
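As an added example (not the page's own script), the Python below does the offline half of steps 1 and 4: evaluate_table applies the DynamoDB.6 test to the JSON that aws dynamodb describe-table prints, and lint_template rejects AWS::DynamoDB::Table resources in a JSON CloudFormation template that omit DeletionProtectionEnabled or set it to anything other than a literal true. The function names, the sample describe-table output and the sample template are all constructed for this example; a YAML template with !Ref-style tags would need a CloudFormation-aware loader before it can be fed to lint_template.

```python
"""Offline DynamoDB.6 checks: evaluate DescribeTable output and lint a
CloudFormation template for unprotected tables.

Added example, not the page's own remediation script. Function names are
the author's; the input shapes mirror the real `aws dynamodb describe-table`
JSON and the AWS::DynamoDB::Table resource, but every value is constructed.
"""
import json
import sys


def evaluate_table(describe_output: dict) -> str:
    """Return "PASSED" or "FAILED" for one table, mirroring DynamoDB.6.

    `describe_output` is the JSON from `aws dynamodb describe-table`.
    A missing DeletionProtectionEnabled key is treated as unprotected,
    which is also what an unset flag means on the service side.
    """
    table = describe_output.get("Table", describe_output)
    return "PASSED" if table.get("DeletionProtectionEnabled") is True else "FAILED"


def lint_template(template: dict) -> list:
    """Pipeline check: logical IDs of AWS::DynamoDB::Table resources that
    would be created without deletion protection.

    CloudFormation defaults DeletionProtectionEnabled to false when the
    property is omitted. Anything other than a literal true (including an
    intrinsic such as {"Ref": "Param"}) is flagged, so the check errs on
    the side of failing the build rather than trusting an unresolved value.
    """
    offenders = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::DynamoDB::Table":
            continue
        props = resource.get("Properties", {})
        if props.get("DeletionProtectionEnabled") is not True:
            offenders.append(logical_id)
    return offenders


# Constructed sample inputs (shapes match the real API, values are made up).
SAMPLE_DESCRIBE_PROTECTED = {
    "Table": {"TableName": "orders", "TableStatus": "ACTIVE",
              "DeletionProtectionEnabled": True}
}
SAMPLE_DESCRIBE_UNPROTECTED = {
    "Table": {"TableName": "sessions", "TableStatus": "ACTIVE",
              "DeletionProtectionEnabled": False}
}
SAMPLE_DESCRIBE_NO_FLAG = {  # field absent: treated as unprotected
    "Table": {"TableName": "audit", "TableStatus": "ACTIVE"}
}
SAMPLE_TEMPLATE = {
    "Resources": {
        "OrdersTable": {
            "Type": "AWS::DynamoDB::Table",
            "Properties": {"TableName": "orders",
                           "BillingMode": "PAY_PER_REQUEST",
                           "DeletionProtectionEnabled": True},
        },
        "SessionsTable": {  # property omitted: CloudFormation defaults it to false
            "Type": "AWS::DynamoDB::Table",
            "Properties": {"TableName": "sessions",
                           "BillingMode": "PAY_PER_REQUEST"},
        },
        "Queue": {"Type": "AWS::SQS::Queue", "Properties": {}},  # ignored
    }
}


if __name__ == "__main__":
    # Usage (assumed file name check.py):
    #   aws dynamodb describe-table --table-name orders | python check.py table
    #   python check.py template template.json   # exit 1 if any table is unprotected
    mode = sys.argv[1] if len(sys.argv) > 1 else "table"
    if mode == "table":
        print(evaluate_table(json.load(sys.stdin)))
    elif mode == "template":
        with open(sys.argv[2]) as fh:
            bad = lint_template(json.load(fh))
        for logical_id in bad:
            print(f"FAIL {logical_id}: DeletionProtectionEnabled is not true")
        sys.exit(1 if bad else 0)
```

Wiring `python check.py template` into the pipeline stage that runs before `aws cloudformation deploy` or `terraform apply` is what turns step 4 into an enforced gate rather than a review-time reminder.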

Remediation script · bash

# Enable deletion protection on every unprotected DynamoDB table in the
# region the CLI is configured for. list-tables is paginated by the CLI
# automatically; update-table is non-destructive and leaves the table ACTIVE.
for name in $(aws dynamodb list-tables --query 'TableNames[]' --output text); do
  protected=$(aws dynamodb describe-table --table-name "$name" \
    --query 'Table.DeletionProtectionEnabled' --output text)
  # Text output prints True/False, or None if the field is absent; only True passes.
  if [ "$protected" != "True" ]; then
    aws dynamodb update-table --table-name "$name" --deletion-protection-enabled
    echo "Protected table: $name"
  fi
done

# Verify a single table (prints true once the flag is set).
aws dynamodb describe-table --table-name "$TABLE_NAME" \
  --query 'Table.DeletionProtectionEnabled'

Full walkthrough (console steps, edge cases and verification) in the lesson Enable deletion and termination protection.

Is DynamoDB.6 a false positive?

Rarely. The control reads the flag straight from the table, so a FAILED finding means the table is unprotected right now. The usual trap runs the other way: if Terraform or CloudFormation owns the table, protection enabled only in the console or with the CLI is drift that the next apply reverts. Terraform's aws_dynamodb_table defaults deletion_protection_enabled to false, so an unset argument turns the flag back off; in CloudFormation declare DeletionProtectionEnabled: true on the AWS::DynamoDB::Table resource so the template matches the live setting. Set it in the IaC definition too, not instead.

Part of the learning path Lock down access
  • DynamoDB.1 DynamoDB tables should auto-scale capacity
  • DynamoDB.2 DynamoDB tables should have PITR
  • DynamoDB.3 DAX clusters should be encrypted at rest
  • DynamoDB.4 DynamoDB tables should be in a backup plan
  • DynamoDB.7 DAX clusters should be encrypted in transit