Enable DynamoDB Point-in-time Recovery

Violation ID: BC_AWS_GENERAL_6

Ensure DynamoDB Point-in-time Recovery (backup) is Enabled


DynamoDB point-in-time recovery (PITR) is an automatic backup service for DynamoDB table data. Once enabled, PITR provides continuous backups that can be controlled using various programmatic parameters.


Point-in-time recovery helps protect your DynamoDB tables from accidental write or delete operations. It can be used to restore table data from any point in time during the last 35 days, as well as any incremental backups of DynamoDB tables.

Automated Remediation

Runtime Resource


Buildtime Resource


Resource: AWS::DynamoDB::Table
Property: PointInTimeRecoverySpecification

Type: AWS::DynamoDB::Table
Properties:
  TableName: ${self:custom.iotCatalogTable}
  PointInTimeRecoverySpecification:
    PointInTimeRecoveryEnabled: true
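
An added example (not the page's or Bridgecrew's own code): a Python check over an already-parsed CloudFormation template that flags AWS::DynamoDB::Table resources where PITR is absent, disabled, or set at the wrong nesting level. The sample template, its logical IDs and the function names are constructed for illustration.

```python
TABLE = "AWS::DynamoDB::Table"

# Constructed sample template (parsed form): one compliant table, three findings.
SAMPLE_TEMPLATE = {"Resources": {
    "GoodTable": {"Type": TABLE, "Properties": {
        "PointInTimeRecoverySpecification": {"PointInTimeRecoveryEnabled": "true"}}},
    "MisplacedTable": {"Type": TABLE, "Properties": {"PointInTimeRecoveryEnabled": True}},
    "DisabledTable": {"Type": TABLE, "Properties": {
        "PointInTimeRecoverySpecification": {"PointInTimeRecoveryEnabled": False}}},
    "NoPropsTable": {"Type": TABLE},
    "Bucket": {"Type": "AWS::S3::Bucket"},
}}


def _is_true(value):
    # CloudFormation accepts a real boolean or the string "true".
    # Anything else (including an unresolved intrinsic such as a Ref) is
    # treated as not enabled, so the check fails closed.
    return value is True or (isinstance(value, str) and value.strip().lower() == "true")


def tables_without_pitr(template):
    """Return {logical_id: reason} for every DynamoDB table lacking enabled PITR."""
    findings = {}
    for logical_id, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") != TABLE:
            continue
        props = resource.get("Properties") or {}
        spec = props.get("PointInTimeRecoverySpecification")
        if not isinstance(spec, dict):
            if "PointInTimeRecoveryEnabled" in props:
                # The flag has no effect unless nested under the specification.
                findings[logical_id] = ("PointInTimeRecoveryEnabled set outside "
                                        "PointInTimeRecoverySpecification")
            else:
                findings[logical_id] = "PointInTimeRecoverySpecification missing"
        elif not _is_true(spec.get("PointInTimeRecoveryEnabled")):
            findings[logical_id] = "PointInTimeRecoveryEnabled is not a literal true"
    return findings


if __name__ == "__main__":
    for logical_id, reason in sorted(tables_without_pitr(SAMPLE_TEMPLATE).items()):
        print(f"FAIL BC_AWS_GENERAL_6 {logical_id}: {reason}")
```

The function expects a dict, so a YAML template has to be loaded with a YAML parser first.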


Resource: aws_dynamodb_table
Argument: point_in_time_recovery - (Optional) Point-in-time recovery options.

resource "aws_dynamodb_table" "basic-dynamodb-table" {
  name           = "GameScores"
  billing_mode   = "PROVISIONED"
  read_capacity  = 20
  write_capacity = 20
  hash_key       = "UserId"
  range_key      = "GameTitle"

  # Block to add: enables point-in-time recovery for this table
  point_in_time_recovery {
    enabled = true
  }
}

Manual Remediation

Runtime Resource


To change the policy using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the DynamoDB console.
  3. Navigate to your desired DynamoDB table and select the Backups tab.
  4. To turn the feature on, click Enable.
  5. Within a few seconds the Earliest restore date and Latest restore date should be visible.

CLI Command

To update continuous backup settings for a DynamoDB table:

aws dynamodb update-continuous-backups \
    --table-name MusicCollection \
    --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true
