Severity: MEDIUM | Service: DynamoDB | Category: Reliability

DynamoDB Deletion Protection Disabled

dynamodb-deletion-protection-disabled

What this rule checks

Detects DynamoDB tables without deletion protection, which can be destroyed by an accidental stack update or delete.

How to fix it

  1. Set DeletionProtectionEnabled to true on production tables
  2. Use CloudFormation DeletionPolicy: Retain as defence in depth

Flagged: The table has no deletion protection, so an accidental stack update or delete can destroy it and its data.

import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';

new dynamodb.CfnTable(this, 'Table', {
  keySchema: [{ attributeName: 'pk', keyType: 'HASH' }],
  attributeDefinitions: [{ attributeName: 'pk', attributeType: 'S' }],
  billingMode: 'PAY_PER_REQUEST',
});

Fixed: deletionProtectionEnabled: true blocks deletion of the table until the flag is explicitly removed.

import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';

new dynamodb.CfnTable(this, 'Table', {
  keySchema: [{ attributeName: 'pk', keyType: 'HASH' }],
  attributeDefinitions: [{ attributeName: 'pk', attributeType: 'S' }],
  billingMode: 'PAY_PER_REQUEST',
  deletionProtectionEnabled: true,
});
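
The two fix steps above, written as a check over a synthesised CloudFormation template (the form in which a local scan sees the table). This is an added example, not CDK Insights' own implementation; the template contents are constructed for illustration.

```typescript
// Added example (not CDK Insights' own code): a checker that walks a
// synthesised CloudFormation template (cdk.out after `cdk synth`) and reports
// DynamoDB tables that lack the two safeguards this rule asks for.
interface CfnResource {
  Type: string;
  Properties?: Record<string, unknown>;
  DeletionPolicy?: string;
}
type CfnTemplate = { Resources: Record<string, CfnResource> };
type Finding = { logicalId: string; check: 'DeletionProtectionEnabled' | 'DeletionPolicy' };

function checkDynamoDeletionProtection(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type !== 'AWS::DynamoDB::Table') continue;
    const props = res.Properties ?? {};
    // API-level guard: DeleteTable is refused while this is true. Anything
    // other than a literal true (missing, false, an unresolved intrinsic)
    // counts as unprotected, so the check fails safe.
    if (props['DeletionProtectionEnabled'] !== true) {
      findings.push({ logicalId, check: 'DeletionProtectionEnabled' });
    }
    // CloudFormation-level guard (defence in depth): with Retain, removing
    // the resource from the stack orphans the table instead of deleting it.
    if (res.DeletionPolicy !== 'Retain') {
      findings.push({ logicalId, check: 'DeletionPolicy' });
    }
  }
  return findings;
}

// Constructed sample template: three tables in different states plus one
// unrelated resource, which the checker must ignore.
const sampleTemplate: CfnTemplate = {
  Resources: {
    Unprotected: { Type: 'AWS::DynamoDB::Table',
      Properties: { KeySchema: [{ AttributeName: 'pk', KeyType: 'HASH' }] } },
    FlagOnly: { Type: 'AWS::DynamoDB::Table',
      Properties: { DeletionProtectionEnabled: true } },
    Hardened: { Type: 'AWS::DynamoDB::Table', DeletionPolicy: 'Retain',
      Properties: { DeletionProtectionEnabled: true } },
    Queue: { Type: 'AWS::SQS::Queue' },
  },
};

// Findings for the sample: Unprotected x2, FlagOnly x1, Hardened none.
const sampleFindings = checkDynamoDeletionProtection(sampleTemplate);
console.log(JSON.stringify(sampleFindings, null, 2));
```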

CDK Insights pinpoints the exact file and line in your CDK source for every finding, so you can jump straight to the fix.

Affected resource types

AWS::DynamoDB::Table

Compliance frameworks

SOC2, NIST

AWS documentation

Read the AWS guidance

Intentional? Suppress this finding

Sometimes a flag is deliberate — a genuinely public endpoint, say. You can dismiss dynamodb-deletion-protection-disabled and the reason is kept in the report, not silently hidden.

In .cdk-insights.json:

{
  "ignoreRules": [
    { "id": "dynamodb-deletion-protection-disabled", "reason": "Why this is intentional" }
  ]
}

Or inline in your CDK code:

Validations.of(scope).acknowledge({
  id: 'cdk-insights::dynamodb-deletion-protection-disabled',
  reason: 'Why this is intentional',
});

Use the rule ID dynamodb-deletion-protection-disabled shown above — not the CDK-* ID from SARIF / GitHub code scanning. To dismiss every finding on one construct instead, use ignorePaths. Suppression docs →

Catch this in your stack

$ npx cdk-insights scan

CDK Insights runs this and 118+ other rules locally against your synthesised CDK app — free, no account, your code never leaves your machine.
