Ensure Amazon DynamoDB tables have continuous backups enabled
Continuous Backups in DynamoDB will prevent from loss of data and the features will include Global secondary indexes (GSIs), Local secondary indexes (LSIs), Streams, Provisioned read and write capacity. Restored table items are consistent with LSI projections and eventually consistent with GSI projections.
Risk Level: High
Cloud Entity: Amazon DynamoDB
CloudGuard Rule ID: D9.AWS.DR.04
Category: Database
GSL LOGIC
DynamoDbTable should have continuousBackups.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus='ENABLED'
REMEDIATION
From Portal
- Sign in to the AWS Management Console and open the DynamoDB console.
- In the navigation pane on the left side of the console, choose Tables.
- In the list of tables, choose the table you want to update backups
- Click on the Backups tab of the table,
- Click on edit tab under 'Point-in-time recovery (PITR)' section.
- Checkmark on 'Enable point-in-time-recovery' and click save changes.
From TF
resource "aws_dynamodb_table" "example" {
point_in_time_recovery {
enabled = true
}
other required fields here
}
From Command Line
The following command update-continuous-backups enables point-in-time recovery for specific table.
aws dynamodb update-continuous-backups --table-name EXAMPLE_NAME --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true
References
- https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/PointInTimeRecovery.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/dynamodb/update-continuous-backups.html
Amazon DynamoDB
Amazon DynamoDB is a fast and flexible nonrelational database service for all applications that need consistent, single-digit millisecond latency at any scale. It is a fully managed cloud database and supports both document and key-value store models. Its flexible data model, reliable performance, and automatic scaling of throughput capacity make it a great fit for mobile, web, gaming, ad tech, IoT, and many other applications
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ITSG-33
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- AWS Security Risk Management
Updated over 1 year ago