DynamoDB tables Point in Time Recovery should be enabled

Description

Point in Time Recovery (PITR) should be enabled on DynamoDB tables. When an organization lets AWS back up DynamoDB data automatically and continuously, AWS takes on the risk of handling those backups and the organization can limit the backup storage it has to maintain itself.

Remediation Steps

AWS Console

  • Navigate to DynamoDB.

  • In the left navigation, select Tables.

  • Select the desired table and, in the Overview section, next to Point-in-time recovery, click Enable.

AWS CLI

  • Confirm that point-in-time recovery is enabled by using the describe-continuous-backups command.

aws dynamodb describe-continuous-backups \
  --table-name tablename

  • Restore the table to a point in time.

aws dynamodb restore-table-to-point-in-time \
  --source-table-name tablename \
  --target-table-name tablename2 \
  --use-latest-restorable-time

  • To verify the restore, use the describe-table command to describe the table:

aws dynamodb describe-table --table-name tablename
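The following is an added compliance check, not part of the original policy page: it evaluates the JSON that describe-continuous-backups returns (the response shape is the real CLI output; the table names and timestamps are constructed) and also scans a parsed CloudFormation template for the PointInTimeRecoveryEnabled property this page covers. Function names are our own.

```python
# Constructed sample: the shape returned by
# `aws dynamodb describe-continuous-backups --table-name tablename`
# for one table with PITR enabled and one with it disabled.
SAMPLE_RESPONSES = {
    "orders": {
        "ContinuousBackupsDescription": {
            "ContinuousBackupsStatus": "ENABLED",
            "PointInTimeRecoveryDescription": {
                "PointInTimeRecoveryStatus": "ENABLED",
                "EarliestRestorableDateTime": "2024-01-01T00:00:00+00:00",
                "LatestRestorableDateTime": "2024-01-08T12:00:00+00:00",
            },
        }
    },
    "sessions": {
        "ContinuousBackupsDescription": {
            "ContinuousBackupsStatus": "ENABLED",
            "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "DISABLED"},
        }
    },
}

def pitr_enabled(response: dict) -> bool:
    """True only if PointInTimeRecoveryStatus is exactly ENABLED; a missing
    key or any other status (DISABLED, transitional ENABLING) fails closed."""
    desc = response.get("ContinuousBackupsDescription", {})
    pitr = desc.get("PointInTimeRecoveryDescription", {})
    return pitr.get("PointInTimeRecoveryStatus") == "ENABLED"

def non_compliant_tables(responses: dict) -> list:
    """Names of tables whose describe-continuous-backups output shows PITR off."""
    return sorted(n for n, r in responses.items() if not pitr_enabled(r))

def cfn_tables_missing_pitr(template: dict) -> list:
    """Logical IDs of AWS::DynamoDB::Table resources in a parsed CloudFormation
    template that do not set PointInTimeRecoveryEnabled to true."""
    missing = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::DynamoDB::Table":
            continue
        props = res.get("Properties", {})
        spec = props.get("PointInTimeRecoverySpecification", {})
        # CloudFormation accepts both the boolean and the string form.
        if spec.get("PointInTimeRecoveryEnabled") not in (True, "true"):
            missing.append(logical_id)
    return missing

if __name__ == "__main__":
    print("PITR disabled on:", non_compliant_tables(SAMPLE_RESPONSES))
```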

CloudFormation

JSON

{
  "Properties" : {
    "PointInTimeRecoverySpecification" : {
      "PointInTimeRecoveryEnabled" : true
    }
  }
}

JSON Example Configuration

{
  "Type" : "AWS::DynamoDB::Table",
  "Properties" : {
    "PointInTimeRecoverySpecification" : {
      "PointInTimeRecoveryEnabled" : true
    }
  }
  # other required fields here
}

YAML

Properties:
  PointInTimeRecoverySpecification:
    PointInTimeRecoveryEnabled: true

YAML Example Configuration

Type: AWS::DynamoDB::Table
Properties:
  PointInTimeRecoverySpecification:
    PointInTimeRecoveryEnabled: true
# other required fields here

Terraform

  • Ensure that the point_in_time_recovery block of the aws_dynamodb_table resource has its enabled field set to true.

Example Configuration

resource "aws_dynamodb_table" "example" {
  point_in_time_recovery {
    enabled = true
  }
  # other required fields here
}