Rule: DynamoDB Table Should Be Protected by Backup Plan
This rule ensures that DynamoDB tables are protected by a backup plan.
| Rule | DynamoDB table should be protected by backup plan |
| Framework | FedRAMP Moderate Revision 4 |
| Severity | ✔ High |
Overview of FedRAMP Moderate Revision 4 Compliance for DynamoDB Backups
FedRAMP (Federal Risk and Authorization Management Program) Moderate Revision 4 sets forth a series of security controls for cloud services used by federal agencies. To ensure that a DynamoDB table is compliant with these regulations, it must be protected by a backup plan that meets specific criteria.
Compliance Rule Details
In terms of DynamoDB tables, the following details are mandated for FedRAMP Moderate compliance with respect to backups:
- 1.Continuous backups must be enabled.
- 2.Point-in-time recovery (PITR) should be active to allow for restoration of data to any second within the last 35 days.
- 3.Backups should be encrypted at rest using appropriate encryption methods.
- 4.Regular testing of backup and restore procedures should be conducted to ensure data integrity.
- 5.Backup data should be retained as per the regulatory period defined by FedRAMP.
Troubleshooting DynamoDB Backup Issues
Common Backup Problems:
- PITR not enabled.
- Backups are failing to complete.
- Backup data is not encrypted.
Troubleshooting Steps:
- 1.
Check PITR Status:
- Ensure PITR is enabled on all DynamoDB tables.
- 2.
Backup Completion:
- Investigate CloudWatch logs for any errors during backup processes.
- Check for sufficient IAM permissions for the backup operation.
- 3.
Encryption Verification:
- Verify that the AWS KMS key is correctly configured and that the encryption is applied to the backups.
Necessary AWS CLI Commands
Enable PITR:
aws dynamodb update-continuous-backups \ --table-name YourDynamoDBTableName \ --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true
Verify PITR Status:
aws dynamodb describe-continuous-backups \ --table-name YourDynamoDBTableName
Enable Encryption:
aws dynamodb create-table \ --table-name YourDynamoDBTableName \ --sse-specification Enabled=true
Alternatively, for existing tables:
aws dynamodb update-table \ --table-name YourDynamoDBTableName \ --sse-specification Enabled=true
Step by Step Guide for Remediation
- 1.
Enable Continuous Backups and PITR:
- Use the AWS Management Console or AWS CLI to enable continuous backups and PITR using the command provided earlier.
- 2.
Encryption at Rest:
- Ensure encryption at rest using AWS KMS keys is activated for the DynamoDB table.
- 3.
Backup Retention Configuration:
- Check and set the retention period for backups as per FedRAMP requirements.
- 4.
Test Backup and Recovery:
- Regularly schedule and perform test recoveries to ensure that the backup process works as expected.
- 5.
Review and Audit:
- Periodically review the backup plan to ensure compliance with FedRAMP standards.
- 6.
Documentation and Compliance Evidence:
- Maintain detailed documentation regarding the backup plan, configurations, and testing results.
In summary, for your DynamoDB table to be protected by a backup plan compliant with FedRAMP Moderate Revision 4, continuous backups and PITR must be enabled, encryption at rest must be configured, and you should frequently test and document these measures. Follow the steps outlined using the AWS CLI where applicable, and ensure proper monitoring and auditing practices.