Json Yaml Missing Deletion Protection Dynamodb

Description

Detects AWS DynamoDB tables defined in CloudFormation templates that do not have deletion protection enabled. Without deletion protection, DynamoDB tables can be accidentally or maliciously deleted, potentially resulting in data loss and service disruption.

Weakness:

259 - Lack of protection against deletion - DynamoDB

Category: Functionality Abuse

Detection Strategy

• Scans CloudFormation template files for DynamoDB table resource definitions

• Identifies resources with Type 'AWS::DynamoDB::Table'

• Checks if the table definition is missing deletion protection settings

• Reports a vulnerability if a DynamoDB table resource lacks proper deletion protection configuration

Vulnerable code example

SampleTable:
  Type: AWS::DynamoDB::Table
  Properties:
    TableName: "my-table"
    BillingMode: PAY_PER_REQUEST
    DeletionProtectionEnabled: false  # Vulnerable: Explicitly disables deletion protection
    AttributeDefinitions:
      - AttributeName: id...

✅ Secure code example

SampleTable:
  Type: AWS::DynamoDB::Table
  Properties:
    TableName: "my-table"
    BillingMode: PAY_PER_REQUEST
    DeletionProtectionEnabled: true  # Enable deletion protection to prevent accidental deletion
    SSESpecification:
      SSEEnabled: true  # Enable server-side encryption for data at rest...

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.