diff --git a/infrastructure/modules/dynamodb/dynamodb.tf b/infrastructure/modules/dynamodb/dynamodb.tf index 6f8f39a80..4730d2f8d 100644 --- a/infrastructure/modules/dynamodb/dynamodb.tf +++ b/infrastructure/modules/dynamodb/dynamodb.tf @@ -2,6 +2,7 @@ resource "aws_dynamodb_table" "dynamodb_table" { name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.project_name}-${var.environment}-${var.table_name_suffix}" billing_mode = "PAY_PER_REQUEST" hash_key = var.partition_key + deletion_protection_enabled = var.environment == "prod" attribute { name = var.partition_key diff --git a/infrastructure/stacks/networking/vpc.tf b/infrastructure/stacks/networking/vpc.tf index a3ad8a04d..e88ce7894 100644 --- a/infrastructure/stacks/networking/vpc.tf +++ b/infrastructure/stacks/networking/vpc.tf @@ -21,3 +21,8 @@ resource "aws_default_security_group" "default_vpc" { } ) } + +# EC2.172 - block internet gateway access at the account level +resource "aws_vpc_block_public_access_options" "default_vpc" { + internet_gateway_block_mode = "block-bidirectional" +}
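Review bot: The added `deletion_protection_enabled = var.environment == "prod"` in dynamodb.tf fails open. Any environment whose name is not exactly `prod` (a `production` or `prd` spelling, or a pre-production stage holding real data) gets a table that can still be deleted in one step. A safer shape is `deletion_protection_enabled = var.deletion_protection_enabled`, backed by a module variable that defaults to `true`, so that throwaway environments opt out explicitly. If the aim is to clear the Security Hub deletion-protection control (DynamoDB.6, as far as I recall), it evaluates every table, so non-prod tables would presumably still be flagged. The resource body continues outside the hunk, so other settings on the table are not visible here.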
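Review bot: `aws_vpc_block_public_access_options` in vpc.tf is a single setting per account and region, so `block-bidirectional` applies to every VPC there, not only the default VPC that the resource name `default_vpc` suggests. Any VPC that relies on internet gateway or NAT egress will lose it unless an `aws_vpc_block_public_access_exclusion` is declared, or `block-ingress` is used where outbound access is still needed. Because the DynamoDB module keys names on `terraform.workspace`, this stack may also run in several workspaces against one account; if so, each would manage the same setting, and destroying one workspace would probably remove the block for all of them. I would rename the resource to something like `account` and reword the comment to `# EC2.172 - blocks internet gateway traffic for all VPCs in this account and region; add exclusions for VPCs that need egress`.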