Ensure DynamoDB PITR is enabled

Error: DynamoDB PITR is disabled

Bridgecrew Policy ID: BC_AWS_GENERAL_6
Checkov Check ID: CKV_AWS_28
Severity: HIGH

DynamoDB PITR is disabled

Description

DynamoDB Point-In-Time Recovery (PITR) is an automatic backup service for DynamoDB table data that helps protect your DynamoDB tables from accidental write or delete operations. Once enabled, PITR provides continuous backups that can be controlled using various programmatic parameters. PITR can also be used to restore table data from any point in time during the last 35 days, as well as any incremental backups of DynamoDB tables.

Fix - Runtime

AWS Console

To change the policy using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon DynamoDB console.
  3. Navigate to the desired DynamoDB table, then select the Backups tab.
  4. To turn the feature on, click Enable.
    The Earliest restore date and Latest restore date are visible within a few seconds.

CLI Command

To update continuous backup settings for a DynamoDB table:

aws dynamodb update-continuous-backups \
    --table-name MusicCollection \
    --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true

Fix - Buildtime

Terraform

  • Resource: aws_dynamodb_table
  • Argument: point_in_time_recovery - (Optional) Point-in-time recovery options.
resource "aws_dynamodb_table" "example" {
  ...
  name           = "GameScores"
+ point_in_time_recovery {
+   enabled = true
+  }
  ...
}

CloudFormation / Serverless

  • Resource: AWS::DynamoDB::Table
  • Property: PointInTimeRecoverySpecification
Resources:
    iotCatalog:
      Type: AWS::DynamoDB::Table 
      Properties:
        ...
        PointInTimeRecoverySpecification:
+         PointInTimeRecoveryEnabled: true