Ensure all DynamoDB tables are included in a backup plan for data recovery (RC)
Rule | DynamoDB tables should be in a backup plan |
Framework | NIST Cybersecurity Framework (CSF) v1.1 |
Severity | ✔ Medium |
Rule Description:
DynamoDB tables should be included in a backup plan as part of NIST Cybersecurity Framework (CSF) v1.1. Regularly backing up DynamoDB tables helps ensure data availability and recoverability in the event of accidental deletion, data corruption, or other unexpected incidents.
Troubleshooting Steps:
If there are any issues with the backup plan for DynamoDB tables, follow these troubleshooting steps to identify and resolve them:
Verify IAM Permissions: Ensure that the IAM role used to create or manage the backup plan has the necessary permissions to access and perform operations on DynamoDB tables. The IAM role should have dynamodb:CreateBackup, dynamodb:DeleteBackup, dynamodb:ListBackups, and dynamodb:RestoreTableFromBackup permissions.
Check Backup Plan Configuration: Review the backup plan configuration to ensure that the correct DynamoDB tables are included and scheduled for backups. Make sure the frequency of backups aligns with the business requirements and data retention policies.
Monitor Backup Status: Monitor the status of backups to identify any failed or incomplete backups. Check the AWS Management Console, CloudWatch logs, or use AWS CLI commands to retrieve backup status information.
Validate Backup Files: Verify the integrity and completeness of backup files. You can restore a backup to a new table, or use a DynamoDB On-Demand backup, to validate its contents.
Test Restores: Perform periodic restoration tests to ensure the recoverability of your DynamoDB tables. By restoring a backup to a separate table, you can verify that the restored data is accurate and functional.
Necessary Codes:
There are no specific codes required for this rule. However, you may need to use the following AWS CLI commands for troubleshooting or remediation purposes:
aws backup create-backup-plan
aws dynamodb list-backups
aws dynamodb restore-table-from-backup
Refer to the AWS Backup and DynamoDB documentation for more detailed information on using these commands.
Step-by-Step Guide for Remediation:
Follow these steps to ensure DynamoDB tables are included in the backup plan as per NIST Cybersecurity Framework (CSF) v1.1:
Identify the DynamoDB tables that require backup. Prioritize critical and sensitive tables that contain important data.
Verify IAM permissions: Ensure that you have the necessary IAM permissions to create or manage backup plans for DynamoDB. If not, contact your AWS account administrator to grant the required permissions.
Create a backup plan: Use the AWS Management Console or AWS CLI to create a backup plan. Specify the frequency, retention period, and other configurations according to your organization's backup requirements. Make sure to include the identified DynamoDB tables in the backup plan.
Verify backup execution: Monitor the execution of the backup plan and ensure that it runs successfully. Check the backup status to confirm that the DynamoDB tables are being backed up according to the configured schedule.
Validate backup files: If needed, restore a backup to a new table or use DynamoDB On-Demand backup to validate the contents of the backup files. This step helps ensure that the backups are accurate and complete.
Test restores: Periodically perform restoration tests by restoring backups to a separate table. Validate the restored data's accuracy and functionality to ensure recoverability during unforeseen situations.
Regularly review and update backup plans: As your DynamoDB table landscape evolves, review and update the backup plan accordingly. Add new tables or modify existing ones as required.
By following these steps, you can ensure that DynamoDB tables are included in a backup plan as per NIST Cybersecurity Framework (CSF) v1.1, effectively protecting your data and ensuring its availability in case of any incidents.
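The "verify backup execution" step above, as an added example that is not part of the original page: it flags tables that have no recovery point in AWS Backup or whose last backup is older than a threshold. The input is constructed sample JSON in the shape of `aws backup list-protected-resources` output with ISO 8601 timestamps; the table names, account ID, the function name audit_tables and the 24-hour threshold are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

ARN_PREFIX = "arn:aws:dynamodb:us-east-1:111122223333:table/"

# Constructed sample (not real account output), shaped like the JSON returned
# by `aws backup list-protected-resources`.
PROTECTED = json.loads("""
{"Results": [
  {"ResourceArn": "arn:aws:dynamodb:us-east-1:111122223333:table/orders",
   "ResourceType": "DynamoDB", "LastBackupTime": "2024-05-01T05:00:00+00:00"},
  {"ResourceArn": "arn:aws:dynamodb:us-east-1:111122223333:table/sessions",
   "ResourceType": "DynamoDB", "LastBackupTime": "2024-04-20T05:00:00+00:00"},
  {"ResourceArn": "arn:aws:ec2:us-east-1:111122223333:volume/vol-0abc",
   "ResourceType": "EBS", "LastBackupTime": "2024-05-01T05:00:00+00:00"}
]}
""")

# Constructed inventory; in practice these are the TableArn values of every
# table in the account and region being audited.
TABLE_ARNS = [ARN_PREFIX + name for name in ("orders", "sessions", "users")]
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed audit time


def audit_tables(table_arns, protected, now, max_age=timedelta(hours=24)):
    """Classify each table ARN as 'ok', 'stale' or 'unprotected'."""
    last_backup = {}
    for item in protected.get("Results", []):
        if item.get("ResourceType") != "DynamoDB":
            continue  # ignore EBS, RDS and other resource types
        ts = item.get("LastBackupTime")
        last_backup[item["ResourceArn"]] = (
            datetime.fromisoformat(ts) if ts else None
        )
    report = {}
    for arn in table_arns:
        if arn not in last_backup:
            report[arn] = "unprotected"   # no recovery point known to AWS Backup
        elif last_backup[arn] is None or now - last_backup[arn] > max_age:
            report[arn] = "stale"         # protected once, but schedule is not running
        else:
            report[arn] = "ok"
    return report


if __name__ == "__main__":
    for arn, status in audit_tables(TABLE_ARNS, PROTECTED, NOW).items():
        print(f"{status:12} {arn}")
```

A table reported as unprotected has never been backed up by AWS Backup, so check whether any backup plan selection covers it; a stale table points at a failing or disabled schedule.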