Rule: DynamoDB Table Should Be Protected by Backup Plan

This rule ensures that DynamoDB tables have a backup plan for protection.

Rule: DynamoDB table should be protected by backup plan
Framework: CISA-cyber-essentials
Severity: High

DynamoDB Backup Plan for CISA Cyber Essentials Compliance

Overview

Ensuring DynamoDB tables are protected with a comprehensive backup plan is crucial for maintaining data integrity and availability. This is especially significant for compliance with the Cyber Essentials outlined by the Cybersecurity & Infrastructure Security Agency (CISA). A backup plan fortifies your data against accidental deletions, data corruption, and malicious attacks.

Backup Rule Details

Rule Description

Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. For CISA cyber essentials, DynamoDB tables must have a backup plan that includes:

  • Regularly scheduled backups
  • On-demand backups
  • Monitoring of backup and restore operations
  • Secure storage of backup data
  • Easy and reliable recovery processes

Rule Importance

Regular backups make it possible to recover critical data lost to human error, application errors, or malicious activity. Compliance with the CISA cyber essentials ensures that an organization is taking the necessary steps to protect its data from cyber threats.

Troubleshooting Steps

If backup plans are not functioning properly, consider the following troubleshooting steps:

  1. Check IAM roles and policies to ensure they have permissions for DynamoDB backups.
  2. Verify that the AWS Backup service is correctly configured.
  3. Inspect CloudWatch logs for errors during the scheduled backups.
  4. Confirm that the DynamoDB table's point-in-time recovery (PITR) is enabled.
  5. Review the status of on-demand backups in the AWS Backup dashboard.

Code Snippets and CLI Commands

Enable PITR Using AWS CLI

aws dynamodb update-continuous-backups \
    --table-name YOUR_TABLE_NAME \
    --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true

Replace YOUR_TABLE_NAME with the name of your DynamoDB table.

Create an On-Demand Backup using AWS CLI

aws dynamodb create-backup \
    --table-name YOUR_TABLE_NAME \
    --backup-name YOUR_BACKUP_NAME

Replace YOUR_TABLE_NAME with your table's name and YOUR_BACKUP_NAME with a unique backup name.

Create a Backup Plan Using AWS Backup

Using AWS Backup, a centralized backup plan can be created to manage backups across AWS services.

  1. Navigate to the AWS Backup console.
  2. Click on "Create a backup plan" and select a predefined plan or build a custom one.
  3. Define backup rules, including frequency and retention period.
  4. Assign resources by tagging or selecting them directly.
  5. Review and create the backup plan.

Monitoring and Alerts with Amazon CloudWatch

You can create monitoring and alerting for backup-related events using Amazon CloudWatch.

  1. Go to the CloudWatch console.
  2. Navigate to Rules and create a new rule for backup events.
  3. Define the target, such as an SNS topic or a Lambda function, for notification.

Step-by-Step Guide for Remediation

Step 1: Verify Backup Configuration

Check that the DynamoDB tables have backups configured properly with the necessary retention period as per the compliance requirements.

Step 2: Enable PITR

Ensure Point-In-Time Recovery is enabled to provide continuous backups and allow for restoration to any second in the last 35 days.

Step 3: Schedule Regular Backups

Set up a regular backup schedule using AWS Backup to create frequent backups.

Step 4: Monitor Backup Activity

Set up monitoring and alerting in CloudWatch for backup and restore operations to ensure you are immediately aware of any failures.

Step 5: Test Recovery Process

Regularly test recovery by restoring backups to a test environment to ensure that data integrity and the recovery process meet the required RTOs and RPOs.

By following these steps, your DynamoDB tables will adhere to a robust backup plan that aligns with CISA’s cyber essentials, enhancing your data protection strategy and compliance posture.
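The verification in Steps 1 and 2 can be scripted against saved AWS CLI output. The following is an added example, not code from the original page: it checks each table for PITR status and for a recent AWS Backup recovery point. The `audit` function, the sample tables, the account ID and the one-day freshness threshold are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data, not from a real account. The shapes follow the JSON
# returned by `aws dynamodb describe-continuous-backups` (one response per
# table) and `aws backup list-protected-resources`.
ARN = "arn:aws:dynamodb:us-east-1:111122223333:table/"

def _pitr(status):
    """Build a constructed describe-continuous-backups response."""
    return {"ContinuousBackupsDescription": {
        "ContinuousBackupsStatus": "ENABLED",
        "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": status}}}

CONTINUOUS_BACKUPS = {"orders": _pitr("ENABLED"),
                      "sessions": _pitr("DISABLED"),
                      "audit-log": _pitr("ENABLED")}
PROTECTED_RESOURCES = {"Results": [
    {"ResourceArn": ARN + "orders", "ResourceType": "DynamoDB",
     "LastBackupTime": "2024-05-01T05:00:00+00:00"},
    {"ResourceArn": ARN + "audit-log", "ResourceType": "DynamoDB",
     "LastBackupTime": "2024-04-20T05:00:00+00:00"},
]}

# Assumption: scheduled backups run daily; set this to your plan's frequency.
MAX_AGE = timedelta(days=1)

def audit(continuous, protected, now, max_age=MAX_AGE):
    """Return {table: [findings]}; an empty list means the table passes."""
    last_backup = {
        r["ResourceArn"].split("/", 1)[1]: datetime.fromisoformat(r["LastBackupTime"])
        for r in protected.get("Results", [])
        if r.get("ResourceType") == "DynamoDB"
    }
    report = {}
    for table, resp in continuous.items():
        findings = []
        pitr = (resp.get("ContinuousBackupsDescription", {})
                    .get("PointInTimeRecoveryDescription", {})
                    .get("PointInTimeRecoveryStatus"))
        if pitr != "ENABLED":
            findings.append("PITR not enabled")
        if table not in last_backup:
            findings.append("no AWS Backup recovery point")
        elif now - last_backup[table] > max_age:
            findings.append("last AWS Backup recovery point is stale")
        report[table] = findings
    return report

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed for the sample
    for table, findings in audit(CONTINUOUS_BACKUPS, PROTECTED_RESOURCES, now).items():
        print(table, "PASS" if not findings else "FAIL: " + "; ".join(findings))
```

The timestamp parsing assumes ISO 8601 strings in the CLI output; adjust it if your CLI version emits epoch numbers.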
