Terraform Deletion Protection Disabled Dynamodb
Description
Identifies AWS DynamoDB tables declared in Terraform whose deletion protection is not enabled. The deletion_protection_enabled argument of aws_dynamodb_table defaults to false, so a table is exposed both when the argument is omitted and when it is explicitly set to false. Without deletion protection, the DeleteTable API call succeeds immediately: a mistaken terraform destroy, a change that forces the resource to be replaced, or a deletion from the console or CLI removes the table together with every item in it, causing data loss and service disruption. With it enabled, DeleteTable is rejected until the setting is turned off and applied, which adds a deliberate extra step before the data can be lost. Deletion protection only guards the table itself; it does not prevent item-level deletes or overwrites, so it complements point-in-time recovery and backups rather than replacing them, and it pairs well with a Terraform-side lifecycle prevent_destroy guard.
Detection Strategy
• Scan Terraform configuration files for resource "aws_dynamodb_table" declarations
• Check whether the deletion_protection_enabled argument is absent (the provider default is false) or explicitly set to false; a value that is not a literal, such as a variable reference, cannot be settled statically and should be verified at plan time
• Report a vulnerability for every DynamoDB table resource whose deletion protection is not enabled
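The three steps above, as an added worked example that is not Fluid Attacks' own scanner: a standard-library Python checker that walks Terraform text for aws_dynamodb_table blocks and reports tables whose deletion_protection_enabled is absent, false, or not a literal. The Terraform it scans is constructed for the example; the resource names and the var.protect_tables variable are assumptions, and the commented-out and nested-block cases are there to show why a plain grep for the attribute name is not enough.

```python
"""Added example, not Fluid Attacks' scanner: flag aws_dynamodb_table resources
whose deletion_protection_enabled is missing, false, or not a literal."""
import re

# Constructed sample .tf content (names and var.protect_tables are assumptions).
SAMPLE_TF = '''
resource "aws_dynamodb_table" "orders" {
  name     = "orders"
  hash_key = "id"
  attribute {
    name = "id"
    type = "S"
  }
  # deletion_protection_enabled = true   <- commented out, so it is NOT set
}
resource "aws_dynamodb_table" "sessions" {
  name                        = "sessions"
  deletion_protection_enabled = false
}
resource "aws_dynamodb_table" "ledger" {
  name                        = "ledger"
  deletion_protection_enabled = true
  lifecycle {
    prevent_destroy = true
  }
}
resource "aws_dynamodb_table" "audit" {
  name                        = "audit"
  deletion_protection_enabled = var.protect_tables # unknown until plan time
}
'''

RESOURCE_RE = re.compile(r'resource\s+"aws_dynamodb_table"\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*deletion_protection_enabled\s*=\s*(.+?)\s*$', re.M)

def _string_end(text: str, i: int) -> int:
    """Index just past the double-quoted string that opens at text[i]."""
    j = i + 1
    while j < len(text) and text[j] != '"':
        j += 2 if text[j] == '\\' else 1   # skip escaped characters
    return j + 1

def _strip_comments(text: str) -> str:
    """Drop # and // line comments, keeping quoted strings and line breaks."""
    out, i = [], 0
    while i < len(text):
        if text[i] == '"':
            j = _string_end(text, i)
            out.append(text[i:j])
            i = j
        elif text[i] == '#' or text.startswith('//', i):
            nl = text.find('\n', i)          # keep the newline so line numbers hold
            i = len(text) if nl == -1 else nl
        else:
            out.append(text[i])
            i += 1
    return ''.join(out)

def _top_level_body(text: str, open_idx: int) -> str:
    """Text at nesting depth 1 of the block whose '{' is at open_idx; nested blocks
    (attribute {...}, lifecycle {...}) are dropped so their arguments cannot be
    mistaken for the table's own deletion_protection_enabled."""
    depth, out, i = 0, [], open_idx
    while i < len(text):
        c = text[i]
        if c == '"':                         # braces inside strings do not count
            j = _string_end(text, i)
            if depth == 1:
                out.append(text[i:j])
            i = j
            continue
        if c == '{':
            depth += 1
        elif c == '}':
            depth -= 1
            if depth == 0:
                return ''.join(out)
        elif depth == 1:
            out.append(c)
        i += 1
    raise ValueError('unbalanced braces in Terraform source')

def find_unprotected_tables(tf_text: str) -> list[tuple[str, int, str]]:
    """(resource name, line, reason) for every table the rule should report."""
    src = _strip_comments(tf_text)
    findings = []
    for m in RESOURCE_RE.finditer(src):
        name, line = m.group(1), src.count('\n', 0, m.start()) + 1
        attr = ATTR_RE.search(_top_level_body(src, m.end() - 1))
        if attr is None:
            findings.append((name, line, 'attribute missing; provider default is false'))
            continue
        value = attr.group(1).strip('"')     # Terraform coerces "true"/"false" to bool
        if value == 'false':
            findings.append((name, line, 'explicitly set to false'))
        elif value != 'true':
            findings.append((name, line, f'non-literal value {value!r}; check at plan time'))
    return findings

if __name__ == '__main__':
    print(*find_unprotected_tables(SAMPLE_TF), sep='\n')
```

Run as-is it reports orders (attribute missing), sessions (explicitly false) and audit (non-literal), and stays silent on ledger. To scan a repository, call find_unprotected_tables on the contents of each .tf file. The brace walker is deliberately small: it does not understand heredoc strings, /* */ comments or .tf.json files, so a production check should sit on a real HCL parser and, for non-literal values, on the rendered plan rather than the source text.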
Vulnerable code example
resource "aws_dynamodb_table" "vulnerable_table" {
  name           = "my-table"
  read_capacity  = 20
  write_capacity = 20
  hash_key       = "id"

  attribute {
    name = "id"
    type = "S"
  }

  deletion_protection_enabled = false # Vulnerable: explicitly disables deletion protection; omitting the argument has the same effect because the default is false
}

✅ Secure code example
resource "aws_dynamodb_table" "secure_table" {
  name           = "my-table"
  read_capacity  = 20
  write_capacity = 20
  hash_key       = "id"

  attribute {
    name = "id"
    type = "S"
  }

  deletion_protection_enabled = true # Secure: DeleteTable is rejected until this is set back to false and applied
}