This rule ensures that DynamoDB table point-in-time recovery is enabled for data protection and integrity.
Rule: DynamoDB table point-in-time recovery should be enabled
Framework: NIST 800-53 Revision 5
Severity: Low
DynamoDB table point-in-time recovery for NIST 800-53 Revision 5
Description:
DynamoDB is a fully managed NoSQL database service provided by AWS. It allows you to store and retrieve any amount of data, serving millions of requests per second. DynamoDB provides a feature called point-in-time recovery (PITR), which allows you to restore your table to any given second within a specific 35-day window. For compliance with NIST 800-53 Revision 5, it is recommended to enable point-in-time recovery for DynamoDB tables.
Enabling point-in-time recovery helps protect against accidental deletion or corruption of data, as well as provides a way to recover from application errors or other issues that may affect the integrity of the table.
Troubleshooting Steps:
If you encounter any issues or have trouble enabling point-in-time recovery for a DynamoDB table, follow these troubleshooting steps:
Ensure that you have the necessary IAM permissions to enable PITR for DynamoDB tables. You should have the dynamodb:UpdateTimeToLive and dynamodb:DescribeContinuousBackups permissions.
Check if the table already has PITR enabled. You can do this by using the AWS CLI command:
aws dynamodb describe-continuous-backups --table-name <table_name>
If the PointInTimeRecoveryDescription in the response shows a PointInTimeRecoveryStatus of ENABLED for the given table, PITR is already enabled.
If PITR is not enabled, check if the table is in the ACTIVE state. PITR can only be enabled for tables in the ACTIVE state. You can use the following AWS CLI command to check the status:
aws dynamodb describe-table --table-name <table_name> | grep TableStatus
If the output shows "TableStatus": "ACTIVE", proceed to the next step. If not, wait until the table becomes ACTIVE and then continue.
Enable point-in-time recovery for the DynamoDB table using the following AWS CLI command:
aws dynamodb update-continuous-backups --table-name <table_name> --point-in-time-recovery-specification PointInTimeRecoveryEnabled=True
Replace <table_name> with the name of your DynamoDB table.
After enabling point-in-time recovery, you can verify its status by running the describe-continuous-backups command again:
aws dynamodb describe-continuous-backups --table-name <table_name>
The response should now show PointInTimeRecoveryStatus as ENABLED, indicating that point-in-time recovery is enabled for the table.
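The check-then-remediate sequence above, written as a small audit script. This is an added example, not code from the original page or from AWS; it evaluates the JSON shapes returned by describe-continuous-backups and describe-table, and the sample responses and table names (orders, sessions) are constructed so it runs offline.

```python
"""Audit DynamoDB tables for point-in-time recovery (PITR).

Added example, not part of the original page. The logic works on the JSON
shape returned by `aws dynamodb describe-continuous-backups` and
`aws dynamodb describe-table`; the sample responses below are constructed.
"""

# Constructed sample responses in the shape the DynamoDB API returns.
# Note: PointInTimeRecoveryDescription is present even when PITR is off,
# so only the PointInTimeRecoveryStatus value decides compliance.
SAMPLE_BACKUPS = {
    "orders": {"ContinuousBackupsDescription": {
        "ContinuousBackupsStatus": "ENABLED",
        "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "ENABLED"}}},
    "sessions": {"ContinuousBackupsDescription": {
        "ContinuousBackupsStatus": "ENABLED",
        "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "DISABLED"}}},
}
SAMPLE_TABLES = {
    "orders": {"Table": {"TableStatus": "ACTIVE"}},
    "sessions": {"Table": {"TableStatus": "UPDATING"}},
}


def pitr_enabled(backups_response):
    """True only when PointInTimeRecoveryStatus is ENABLED."""
    desc = backups_response.get("ContinuousBackupsDescription", {})
    pitr = desc.get("PointInTimeRecoveryDescription", {})
    return pitr.get("PointInTimeRecoveryStatus") == "ENABLED"


def table_active(table_response):
    """PITR can only be turned on while the table is ACTIVE."""
    return table_response.get("Table", {}).get("TableStatus") == "ACTIVE"


def evaluate(table, describe_backups, describe_table):
    """Return (status, action): 'ok', or 'alarm' with the remediation step."""
    if pitr_enabled(describe_backups(table)):
        return "ok", None
    if not table_active(describe_table(table)):
        return "alarm", "table not ACTIVE; retry update-continuous-backups later"
    return "alarm", (f"aws dynamodb update-continuous-backups --table-name {table} "
                     "--point-in-time-recovery-specification PointInTimeRecoveryEnabled=True")


def audit(tables, describe_backups, describe_table):
    """Evaluate every table; describe_* are callables taking a table name."""
    return {t: evaluate(t, describe_backups, describe_table) for t in tables}


if __name__ == "__main__":
    # Offline run. For a real account, pass boto3 calls instead of the dict
    # lookups (client.describe_continuous_backups(TableName=t) and
    # client.describe_table(TableName=t)); the remediation command itself
    # needs the dynamodb:UpdateContinuousBackups permission.
    for t, (status, action) in audit(SAMPLE_TABLES, SAMPLE_BACKUPS.get, SAMPLE_TABLES.get).items():
        print(t, status, action or "")
```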
Applicable AWS CLI Commands:
Describe Continuous Backups:
aws dynamodb describe-continuous-backups --table-name <table_name>
Describe Table:
aws dynamodb describe-table --table-name <table_name>
Update Continuous Backups:
aws dynamodb update-continuous-backups --table-name <table_name> --point-in-time-recovery-specification PointInTimeRecoveryEnabled=True
Replace <table_name> with the actual name of your DynamoDB table.
Remediation Steps:
To enable point-in-time recovery for a DynamoDB table, please follow these steps:
Log in to your AWS Management Console.
Go to the DynamoDB service.
Select the desired table from the list.
In the table details page, click on the "Continuous backups" tab.
Check if "Point in time recovery" is already enabled. If it is, no action is required.
If point-in-time recovery is not enabled, click on the "Edit" button.
Enable the "Point in time recovery" option.
Click on the "Save" button to apply the changes.
Wait for a few minutes for the changes to take effect.
Note:
Enabling point-in-time recovery for DynamoDB tables may incur additional costs, as backups are stored separately. Please refer to the AWS DynamoDB pricing page for more information on pricing details.