Enable DynamoDB Point-in-time Recovery

Violation ID: BC_AWS_GENERAL_6

Ensure DynamoDB Point-in-time Recovery (backup) is Enabled

Description

DynamoDB point-in-time recovery (PITR) is an automatic backup feature for DynamoDB table data. Once enabled, PITR maintains continuous backups of the table that can be managed through the AWS Console, the AWS CLI, and the DynamoDB API.

Rationale

Point-in-time recovery helps protect your DynamoDB tables from accidental write or delete operations. It can be used to restore table data from any point in time during the last 35 days, as well as any incremental backups of DynamoDB tables.

Automated Remediation

Runtime Resource

n/a

Buildtime Resource

Serverless/CloudFormation

Resource: AWS::DynamoDB::Table
Property: PointInTimeRecoverySpecification

resources:
  Resources:
    iotCatalog:
      Type: AWS::DynamoDB::Table
      Properties:
        TableName: ${self:custom.iotCatalogTable}
        PointInTimeRecoverySpecification:
          PointInTimeRecoveryEnabled: true

Terraform

Resource: aws_dynamodb_table
Argument: point_in_time_recovery - (Optional) Point-in-time recovery options.

resource "aws_dynamodb_table" "basic-dynamodb-table" {
  name           = "GameScores"
  billing_mode   = "PROVISIONED"
  read_capacity  = 20
  write_capacity = 20
  hash_key       = "UserId"
  range_key      = "GameTitle"

  # Terraform requires the key attributes referenced by hash_key/range_key.
  attribute {
    name = "UserId"
    type = "S"
  }
  attribute {
    name = "GameTitle"
    type = "S"
  }

  # Enables continuous backups (point-in-time recovery) for the table.
  point_in_time_recovery {
    enabled = true
  }
}

Manual Remediation

Runtime Resource

Procedure

To enable point-in-time recovery using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the DynamoDB console.
  3. Navigate to your desired DynamoDB table, select the Backups tab.
  4. To turn the feature on, click Enable.
  5. Within a few seconds the Earliest restore date and Latest restore date should be visible.

CLI Command

To update continuous backup settings for a DynamoDB table:

aws dynamodb update-continuous-backups \
    --table-name MusicCollection \
    --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true
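The following is an added example, not part of the original policy page or of Bridgecrew's own checks. It audits both sides of this control in one script: the build-time check walks a parsed CloudFormation/Serverless template (the sample template and its table names are constructed here) and reports `AWS::DynamoDB::Table` resources that do not set `PointInTimeRecoveryEnabled: true`, and the runtime check evaluates the JSON returned by `aws dynamodb describe-continuous-backups` (the sample response is constructed as well).

```python
"""Audit DynamoDB point-in-time recovery (PITR) at build time and at runtime."""


def cfn_tables_without_pitr(template: dict) -> list[str]:
    """Return logical IDs of DynamoDB tables in a parsed template that lack PITR."""
    missing = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::DynamoDB::Table":
            continue
        props = res.get("Properties", {})
        spec = props.get("PointInTimeRecoverySpecification", {})
        # CloudFormation accepts the bool true and the string "true"; treat
        # an absent specification as disabled, which is the service default.
        if str(spec.get("PointInTimeRecoveryEnabled", False)).lower() != "true":
            missing.append(logical_id)
    return missing


def pitr_enabled(describe_response: dict) -> bool:
    """Evaluate the response of `aws dynamodb describe-continuous-backups`."""
    desc = describe_response.get("ContinuousBackupsDescription", {})
    pitr = desc.get("PointInTimeRecoveryDescription", {})
    return pitr.get("PointInTimeRecoveryStatus") == "ENABLED"


# Constructed sample template: one compliant table, one that omits the property.
SAMPLE_TEMPLATE = {
    "Resources": {
        "iotCatalog": {
            "Type": "AWS::DynamoDB::Table",
            "Properties": {
                "TableName": "iot-catalog",
                "PointInTimeRecoverySpecification": {"PointInTimeRecoveryEnabled": True},
            },
        },
        "GameScores": {
            "Type": "AWS::DynamoDB::Table",
            "Properties": {"TableName": "GameScores"},
        },
    }
}

# Constructed sample describe-continuous-backups response for a table
# on which PITR has never been turned on.
SAMPLE_DESCRIBE_DISABLED = {
    "ContinuousBackupsDescription": {
        "ContinuousBackupsStatus": "ENABLED",
        "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "DISABLED"},
    }
}

if __name__ == "__main__":
    print("build-time violations:", cfn_tables_without_pitr(SAMPLE_TEMPLATE))
    print("runtime PITR enabled:", pitr_enabled(SAMPLE_DESCRIBE_DISABLED))
```

Any table reported by either function is a BC_AWS_GENERAL_6 finding and can be remediated with the `update-continuous-backups` command above.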
