AWS Database Blog

How to use deletion protection to enhance your Amazon DynamoDB table protection strategy

Authorized Amazon DynamoDB users can perform actions against tables using the AWS Management Console, API, AWS CLI/SDK, or AWS CloudFormation. One of many possible operations that authorized users can perform is deleting a table. During the course of regular table management operations, authorized users might accidentally delete a table. Accidental deletion of a table can lead to temporary disruption in business operations until the table is recovered from backup storage, which can potentially take several hours for large tables.

In our previous blog post, Use guardrails to protect DynamoDB tables, we described how you can use AWS Identity and Access Management (IAM) policies to restrict access to DynamoDB tables and thereby help prevent accidental deletion by applying least-privilege principles.

Along with IAM policies, customers have asked for explicit table-level deletion protection to help protect their tables and maintain organizational compliance. In this post, you learn how to use the newly announced Deletion Protection feature to help prevent accidental deletion of tables.

Explicit per-table deletion protection

The newly announced Deletion Protection feature is a per-table setting that controls whether the table can be deleted. While it is turned on, DeleteTable requests against that table are rejected; the table can be deleted only after deletion protection has been turned off again. This gives you an explicit, table-level guard so that mission-critical tables survive mistakes made during routine maintenance.

You can use the DynamoDB console, API, AWS CLI/SDK, or CloudFormation templates to turn on deletion protection. Deletion protection is off by default so that existing workflows and external scripts are not affected. The main benefit is a preventative control against accidental table deletion, which helps maintain continuity of your business operations. Note that turning deletion protection off is itself an UpdateTable call, so the setting guards against accidents rather than against a principal that already holds both UpdateTable and DeleteTable permissions; keep the IAM guardrails from the previous post in place alongside it.

Prerequisites

The examples in this post assume that you have an AWS account and permissions to create and modify a DynamoDB table (dynamodb:CreateTable and dynamodb:UpdateTable). Viewing deletion protection status additionally requires dynamodb:ListTables and dynamodb:DescribeTable.

To turn on deletion protection for a new table

  1. Open the DynamoDB console.
  2. Choose Create Table.
  3. After entering the required table details (for example, name and partition key), choose Customize settings.
  4. Under Deletion protection, select Turn on deletion protection to enable deletion protection at the table level.
Figure 1: Turn on deletion protection for a new table

To turn on deletion protection for an existing table

  1. Open the DynamoDB console.
  2. In the navigation pane, select Tables.
  3. Select the table to update, and then select the Additional settings tab.
  4. Under Deletion protection, choose Turn on.

Note: You can use the same steps to turn off deletion protection.

Figure 2: Turn on deletion protection for an existing table

Note: You can bulk turn on or turn off deletion protection by selecting multiple tables in the console.

Figure 3: Bulk enable deletion protection

To view deletion protection status for all tables in an account

  1. Open the DynamoDB console.
  2. Select Tables from the navigation pane.
  3. View the status in the Deletion protection column.
Figure 4: View deletion protection status in the console
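
The three console procedures above (turn on for an existing table, bulk turn on, and view status for all tables) map onto the UpdateTable, DescribeTable and ListTables API calls. The following script is an added example and is not code from the original post: it audits every table in an account, turns deletion protection on wherever it is off, and then shows that DeleteTable is rejected with a ValidationException until the flag is cleared. FakeDynamoDB and FakeClientError are constructed stand-ins that emulate the subset of the boto3 DynamoDB client used here so the script runs offline; pass a real boto3.client("dynamodb") instead to run it against your account. The table names and the error message text are illustrative assumptions.

```python
"""Audit and enforce DynamoDB deletion protection through the API.

Added example, not code from the original post. The functions accept any
object exposing the boto3 DynamoDB client methods list_tables,
describe_table, update_table and delete_table; FakeDynamoDB below is a
constructed in-memory stand-in so this runs offline.
"""


class FakeClientError(Exception):
    """Mimics botocore.exceptions.ClientError: carries a .response dict."""

    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


class FakeDynamoDB:
    """Constructed stand-in for the boto3 DynamoDB client (subset only)."""

    PAGE = 2  # tiny page size so the ListTables pagination loop is exercised

    def __init__(self, tables):
        self._tables = dict(tables)  # {table_name: deletion protection on?}

    def list_tables(self, ExclusiveStartTableName=None, Limit=None):
        names = sorted(self._tables)
        start = names.index(ExclusiveStartTableName) + 1 if ExclusiveStartTableName else 0
        page = names[start:start + self.PAGE]
        out = {"TableNames": page}
        if start + self.PAGE < len(names):
            out["LastEvaluatedTableName"] = page[-1]
        return out

    def describe_table(self, TableName):
        return {"Table": {"TableName": TableName,
                          "DeletionProtectionEnabled": self._tables[TableName]}}

    def update_table(self, TableName, DeletionProtectionEnabled):
        self._tables[TableName] = DeletionProtectionEnabled
        return {"TableDescription": self.describe_table(TableName)["Table"]}

    def delete_table(self, TableName):
        if self._tables[TableName]:
            # DynamoDB rejects DeleteTable on a protected table with a
            # ValidationException; the message text here is illustrative.
            raise FakeClientError(
                "ValidationException",
                "Resource cannot be deleted as it is currently protected against deletion.")
        del self._tables[TableName]
        return {"TableDescription": {"TableName": TableName, "TableStatus": "DELETING"}}


def list_all_tables(client):
    """ListTables is paginated; follow LastEvaluatedTableName until exhausted."""
    names, kwargs = [], {}
    while True:
        page = client.list_tables(**kwargs)
        names.extend(page["TableNames"])
        last = page.get("LastEvaluatedTableName")
        if not last:
            return names
        kwargs = {"ExclusiveStartTableName": last}


def protection_status(client):
    """Return {table_name: DeletionProtectionEnabled} for every table."""
    return {
        name: client.describe_table(TableName=name)["Table"].get("DeletionProtectionEnabled", False)
        for name in list_all_tables(client)
    }


def enforce_protection(client, skip=()):
    """Turn deletion protection on wherever it is off; return the tables changed."""
    changed = []
    for name, protected in protection_status(client).items():
        if protected or name in skip:
            continue
        client.update_table(TableName=name, DeletionProtectionEnabled=True)
        changed.append(name)
    return changed


def try_delete(client, name):
    """Attempt DeleteTable; return 'deleted' or the error code that blocked it."""
    try:
        client.delete_table(TableName=name)
        return "deleted"
    except Exception as exc:  # botocore ClientError and the fake both carry .response
        return getattr(exc, "response", {}).get("Error", {}).get("Code", "Unknown")


if __name__ == "__main__":
    # Constructed account: one protected table, two unprotected ones.
    ddb = FakeDynamoDB({"orders": True, "sessions": False, "scratch": False})
    print("before:", protection_status(ddb))
    print("enabled on:", enforce_protection(ddb, skip={"scratch"}))
    print("after:", protection_status(ddb))
    print("delete orders:", try_delete(ddb, "orders"))  # blocked by the flag
    ddb.update_table(TableName="orders", DeletionProtectionEnabled=False)
    print("delete orders:", try_delete(ddb, "orders"))  # succeeds once cleared
```

Against a real account, list_all_tables matters: ListTables returns at most 100 names per call, so an audit that reads only the first page silently misses tables. The skip set lets you exclude throwaway tables so that scripts which legitimately create and drop them keep working, which is the same reason the feature is off by default.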

Conclusion

In this post, you learned how to use the Deletion Protection feature to help prevent accidental deletion of tables. Reviewing and evaluating the risks associated with your existing DynamoDB tables is the first step in determining for which tables to turn on deletion protection. You can also read about the latest AWS Backup features for DynamoDB, which help you centrally manage and automate DynamoDB data protection.

We encourage you to try the Deletion Protection feature. If you have any feedback, leave a comment below.


About the authors

Ashwin Venkatesh is a Senior Product Manager for Amazon DynamoDB at Amazon Web Services, and is based out of Santa Clara, California. With 25+ years in product management and technology roles, Ashwin has a passion for engaging with customers to understand business use cases, defining strategy, working backwards to define new features that deliver long-term customer value, and having deep-dive discussions with technology peers. Outside work, Ashwin enjoys travel, sports and family events.

Anup Sivadas is a Principal Solutions Architect at Amazon Web Services and is based out of Arlington, Virginia. With 18+ years in technology, Anup enjoys working with AWS customers and helping them craft highly scalable, performant, resilient, secure, sustainable and cost-effective cloud architectures. Outside work, Anup's passion is to travel and explore nature with his family.

Randy DeFauw is a Senior Principal Solutions Architect at AWS. He holds an MSEE from the University of Michigan, where he worked on computer vision for autonomous vehicles. He also holds an MBA from Colorado State University. Randy has held a variety of positions in the technology space, ranging from software engineering to product management. He entered the Big Data space in 2013 and continues to explore that area. He is actively working on projects in the ML space and has presented at numerous conferences including Strata and GlueCon.