Rule: DynamoDB table should be protected by backup plan
This rule ensures that DynamoDB tables are safeguarded by a backup plan for data protection.
| Rule | DynamoDB table should be protected by backup plan |
| Framework | GxP EU Annex 11 |
| Severity | ✔ High |
DynamoDB Backup Plan for GxP EU Annex 11 Compliance
Rule Description:
To ensure compliance with GxP EU Annex 11 regulations, it is essential to protect the data stored in your DynamoDB tables by implementing a well-defined backup plan. This backup plan will help safeguard critical information, provide data availability in case of accidental data loss or corruption, and allow for efficient recovery from any potential disasters.
Troubleshooting Steps:
In most cases, troubleshooting steps are not required for backup plan implementation. However, if you encounter any issues while setting up or managing the backup plan, you can refer to the following steps:
- 1.Verify access permissions: Ensure that you have sufficient AWS Identity and Access Management (IAM) permissions to create and manage backup plans for DynamoDB tables.
- 2.Check DynamoDB table status: Confirm that your DynamoDB table is in the ACTIVE state, as the backup plan can only be applied to active tables.
- 3.Review AWS CLI configuration: If you are using the AWS Command Line Interface (CLI) for managing the backup plan, double-check that your CLI is properly configured with the required access keys and region settings.
- 4.Check available backup resources: If you are encountering issues with backup creation, verify that you have enough storage capacity and appropriate AWS service limits in your account.
Necessary Codes:
In order to implement a backup plan for your DynamoDB table, you can use the following code snippet as a reference. Please replace the placeholders (e.g.,
your-table-nameaws backup create-backup-plan \ --backup-plan **your-backup-plan-name** \ --rules '{"RuleName": "DynamoDB-Backup", "TargetBackupVaultName": "your-backup-vault-name", "ScheduleExpression": "cron(0 0 * * ? *)", "StartWindowMinutes": 120, "CompletionWindowMinutes": 600, "Lifecycle": {"MoveToColdStorageAfterDays": 30, "DeleteAfterDays": 90}, "RecoveryPointTags": {"Environment": "Production"}}' \ --backup-plan-tags '{"Application": "MyApp"}' aws backup create-backup-selection \ --backup-plan-id **your-backup-plan-id** \ --backup-selection '{"SelectionName": "DynamoDB-Selection", "IamRoleArn": "your-iam-role-arn", "Resources": ["arn:aws:dynamodb:**your-region**:**your-account-id**:table/your-table-name"]}'
Steps for Backup Plan Implementation:
1. Create a Backup Vault:
- Open the AWS Management Console and navigate to the AWS Backup service.
- Click on "Create a backup vault."
- Provide a unique name for your backup vault, such as "GxP-EU-Annex11-Backup-Vault."
- Choose the appropriate settings for encryption and IAM role.
- Click on "Create backup vault" to finalize the creation.
2. Define Backup Plan:
- In the AWS Backup service console, click on "Create backup plan" or use the AWS CLI mentioned above.
- Provide a significant name for your backup plan, like "GxP-EU-Annex11-Backup-Plan."
- Specify a valid cron expression in the
parameter to define the frequency of backups.ScheduleExpression - Adjust the
andStartWindowMinutes
as needed for your environment.CompletionWindowMinutes - Configure the desired number of days for moving backups to cold storage and for deletion in the
section.Lifecycle - Add appropriate recovery point tags for better organization and identification of backups.
- Finish the backup plan creation process by clicking on "Create backup plan" or using the AWS CLI.
3. Select DynamoDB Table for Backup:
- In the AWS Backup service console, click on "Backup plans" and select your newly created backup plan.
- Click on "Add backup selection."
- Enter a descriptive name for the backup selection, such as "DynamoDB-Selection."
- Provide the IAM role ARN with the necessary permissions to access DynamoDB and backups.
- Specify the DynamoDB table's ARN in the
field.Resources - Save the backup selection.
4. Validate and Monitor Backups:
- The backup plan will automatically start creating backups based on the defined schedule.
- Monitor the backups' status in the AWS Backup service console.
- Ensure that backups are being created regularly without any errors or delays.
- Periodically review the backup vault's storage utilization and manage backups according to business requirements.
By following these steps and implementing a backup plan for your DynamoDB table, you will comply with GxP EU Annex 11 regulations and ensure the availability and protection of your critical data.