---
title: "Deletion protection and Backup resources"
section: "build-a-backend/add-aws-services"
platforms: ["javascript", "react-native", "angular", "nextjs", "react", "vue"]
gen: 2
last-updated: "2024-11-19T20:21:50.000Z"
url: "https://docs.amplify.aws/react/build-a-backend/add-aws-services/deletion-backup-resources/"
---

> **Warning:** Deleting a Amplify sandbox with a resource enabled with deletion protection, the deploy process will fail and the resource will need to be manually deleted on the AWS console.

Using the [AWS Cloud Development Kit (CDK)](https://docs.aws.amazon.com/cdk/latest/guide/home.html) we can configure Amplify generated resource to enable deletion protection and backups on supported resources. For example, you can use AWS CDK to enable [Point-in-time recovery for DynamoDB tables](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/PointInTimeRecovery.html), or use [AWS Backup](https://aws.amazon.com/backup/) as a advanced backup option.

Using underlying CDK construct properties you can modify resource configurations. This allows you to customize backend resources beyond what is offered via the `define*` functions.

## Enabling deletion protection on a Auth resource

For example, if you would like to enable deletion protection on a Cognito user pool resource created by Amplify Auth.

```ts title="amplify/backend.ts"
import { defineBackend } from '@aws-amplify/backend';
import { auth } from './auth/resource';
import { data } from './data/resource';

const backend = defineBackend({
  auth,
  data
});

// highlight-start
const { cfnUserPool } = backend.auth.resources.cfnResources
cfnUserPool.deletionProtection = "ACTIVE";
// highlight-end
```

## Enabling Deletion protection on a Data resource

For example, if you would like to enable Deletion protection on all DynamoDB tables created by GraphQL API.

```ts title="amplify/backend.ts"
import { defineBackend } from '@aws-amplify/backend';
import { auth } from './auth/resource';
import { data } from './data/resource';

const backend = defineBackend({
  auth,
  data
});

// highlight-start
const { amplifyDynamoDbTables } = backend.data.resources.cfnResources;
for (const table of Object.values(amplifyDynamoDbTables)) {
  table.deletionProtectionEnabled = true;
}
// highlight-end
```

## Enabling Point-in-time recovery for DynamoDB tables

For example, enabling Point-in-time recovery for all the DynamoDB tables created by GraphQL API. By default Point-in-Time recovery retains backups for 35 days.

```ts title="amplify/backend.ts"
import { defineBackend } from '@aws-amplify/backend';
import { auth } from './auth/resource';
import { data } from './data/resource';

const backend = defineBackend({
  auth,
  data
});

// highlight-start
const { amplifyDynamoDbTables } = backend.data.resources.cfnResources;
for (const table of Object.values(amplifyDynamoDbTables)) {
  table.pointInTimeRecoveryEnabled = true;
}
// highlight-end
```

## Enabling Backups for DynamoDB tables

For example, if your DynamoDB tables requires backups that extend the default 35 days point-in-time recovery, AWS Backup service can be utilized to centralize and automate backups for DynamoDB tables. 
The example below outlines a backup plan configured to run daily at midnight, for all DynamoDB tables. 

```ts title="amplify/backend.ts"
import { defineBackend } from "@aws-amplify/backend";
// highlight-start
import {
  BackupPlan,
  BackupPlanRule,
  BackupResource,
  BackupVault,
} from "aws-cdk-lib/aws-backup";
import { Schedule } from "aws-cdk-lib/aws-events";
import { Duration } from "aws-cdk-lib/core";
// highlight-end
import { auth } from "./auth/resource";
import { data } from "./data/resource";

const backend = defineBackend({
  auth,
  data,
});

// highlight-start
const backupStack = backend.createStack("backup-stack");
const myTables = Object.values(backend.data.resources.tables);

const vault = new BackupVault(backupStack, "BackupVault", {
  backupVaultName: "backup-vault",
});

const plan = new BackupPlan(backupStack, "BackupPlan", {
  backupPlanName: "backup-plan",
  backupVault: vault,
});

plan.addRule(
  new BackupPlanRule({
    deleteAfter: Duration.days(60),
    ruleName: "backup-plan-rule",
    scheduleExpression: Schedule.cron({
      minute: "0",
      hour: "0",
      day: "*",
      month: "*",
      year: "*",
    }),
  })
);

plan.addSelection("BackupPlanSelection", {
  resources: myTables.map((table) => BackupResource.fromDynamoDbTable(table)),
  allowRestores: true,
});
// highlight-end
```

## Retaining resources on stack deletion

For example, if you would like to retain a resource on stack deletion, you can use the `applyRemovalPolicy` property on the resource to add a retention policy.

<Callout>

`ampx sandbox delete` ignores any resource removal policy and always deletes all resources.

</Callout>

```ts title="amplify/backend.ts"
import { defineBackend } from "@aws-amplify/backend";
import { auth } from "./auth/resource";
import { data } from "./data/resource";
import { RemovalPolicy } from "aws-cdk-lib";
import { storage } from "./storage/resource";

const backend = defineBackend({
  auth,
  data,
  storage,
});

// highlight-start
// Retain the S3 bucket on stack deletion
backend.storage.resources.bucket.applyRemovalPolicy(RemovalPolicy.RETAIN);

// Retain the Cognito user pool on stack deletion
backend.auth.resources.userPool.applyRemovalPolicy(RemovalPolicy.RETAIN);

// Retain the DynamoDB table on stack deletion
backend.data.resources.cfnResources.amplifyDynamoDbTables["Todo"].applyRemovalPolicy(RemovalPolicy.RETAIN);
// highlight-end
```
