DynamoDB table should have deletion protection enabled¶
This control checks whether an Amazon DynamoDB table has deletion protection enabled. The control fails if a DynamoDB table doesn't have deletion protection enabled.
How to fix¶
Attribute deletion_protection_enabled of aws_dynamodb_table must be true.
Implementation options¶
Choose the option that matches how you manage Terraform. All options satisfy this control.
Option 1: Open source module (terraform-aws-modules)¶
If you use terraform-aws-modules/dynamodb-table/aws, configure the required module inputs to satisfy this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.
module "dynamodb_table" {
source = "terraform-aws-modules/dynamodb-table/aws"
version = ">=5.0.0"
attributes = [
{
name = "id"
type = "S"
}
]
hash_key = "id"
name = "abc123"
deletion_protection_enabled = true
}
Option 2: Terraform AWS provider resources¶
If you manage resources directly, configure the relevant Terraform AWS provider resources to meet this control. See docs for the resources involved: aws_dynamodb_table.
resource "aws_dynamodb_table" "this" {
attribute {
name = "id"
type = "S"
}
billing_mode = "PAY_PER_REQUEST"
hash_key = "id"
name = "pofix-example-table"
deletion_protection_enabled = true
}
Which option should I choose?
- Compliance.tf module (recommended): controls enforced by default and mapped to frameworks.
- Open source module (
terraform-aws-modules): compatible by design with compliance.tf. Same variable names for an easy, low-change migration path when you are ready. - Terraform AWS provider resources: manage Terraform resources directly.
Tool mappings¶
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf (CTF) Control:
dynamodb_table_deletion_protection_enabledAWS Config Managed Rule:
DYNAMODB_TABLE_DELETION_PROTECTION_ENABLEDPowerpipe Control:
aws_compliance.control.dynamodb_table_deletion_protection_enabled