Rule: DynamoDB Table Should be Protected by Backup Plan

This rule ensures that each DynamoDB table is protected by a backup plan.

Rule: DynamoDB table should be protected by backup plan
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: High

Ensure DynamoDB Table is Protected by Backup Plan for NIST CSF v1

Overview

Under the National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF), maintaining robust data backup practices is critical for enhancing an organization's resilience against data loss. DynamoDB, as a managed NoSQL database service provided by AWS, necessitates protection through periodic backups. This supports the framework's goal to maintain the integrity and availability of information.

Rule Description

This policy dictates that all Amazon DynamoDB tables must have a backup plan in place, which aligns with the NIST CSF requirement for maintaining data integrity and recoverability.

Troubleshooting Steps

If you have DynamoDB tables without backups, perform the following steps:

1. Verify Backup Status

First, check whether any backups are present for each DynamoDB table. This can be done using the AWS Management Console or the AWS CLI.

For AWS CLI:

aws dynamodb list-backups --table-name YOUR_TABLE_NAME

Replace YOUR_TABLE_NAME with the name of your DynamoDB table.

2. Analyze Backup Configuration

If backups are present, verify that they are configured to run as per the organization's data retention policy and Recovery Point Objectives (RPOs).

Remediation Steps

To ensure compliance with the NIST CSF v1, you should automate the backup process.

Option 1: Enable AWS Backup

aws backup create-backup-plan --backup-plan '{
    "BackupPlanName": "DynamoDBBackupPlan",
    "Rules": [{
        "RuleName": "DailyBackup",
        "TargetBackupVaultName": "Default",
        "ScheduleExpression": "cron(0 5 ? * * *)",
        "StartWindowMinutes": 480,
        "CompletionWindowMinutes": 10080,
        "RecoveryPointTags": {
            "string": "string"
        },
        "Lifecycle": {
            "MoveToColdStorageAfterDays": 30,
            "DeleteAfterDays": 365
        },
        "CopyActions": [{
            "Lifecycle": {
                "MoveToColdStorageAfterDays": 30,
                "DeleteAfterDays": 365
            },
            "DestinationBackupVaultArn": "arn:aws:backup:us-east-1:123456789012:vault:exampleBackupVault"
        }],
        "EnableContinuousBackup": false
    }]
}'

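This command creates a new backup plan whose ScheduleExpression runs a backup daily at 5 AM UTC. The RecoveryPointTags pair and the DestinationBackupVaultArn shown are placeholders; replace them with your own values. A backup plan on its own protects nothing: the DynamoDB table must also be assigned to the plan through a backup selection (aws backup create-backup-selection) before any backup runs.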

Option 2: Enable Point-In-Time Recovery (PITR)

aws dynamodb update-continuous-backups --table-name YOUR_TABLE_NAME --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true

Replace YOUR_TABLE_NAME with the name of your DynamoDB table.

This command enables continuous backups for the DynamoDB table using the AWS CLI. PITR provides continuous backups of the DynamoDB table data for the last 35 days.

Backup Verification

After setting up the backup plan, you should regularly verify if the backups are successfully completed as scheduled.
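
The checks from troubleshooting steps 1 and 2 and from the verification step, combined into one function. This is an added example, not part of the original page or of any AWS tooling. It assumes the inputs are the parsed JSON output of aws dynamodb list-backups and aws dynamodb describe-continuous-backups; the names assess_table and _when, the 24-hour RPO and the sample responses are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def _when(value):
    """AWS CLI v2 prints ISO 8601 strings; v1 prints epoch seconds."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return datetime.fromisoformat(value)

def assess_table(backups, continuous, rpo, now):
    """Return (compliant, reason) for one table.

    backups    -- parsed output of `aws dynamodb list-backups`
    continuous -- parsed output of `aws dynamodb describe-continuous-backups`
    rpo        -- timedelta: oldest acceptable recovery point (policy value)
    now        -- timezone-aware datetime used as the reference time
    """
    pitr = (continuous.get("ContinuousBackupsDescription", {})
            .get("PointInTimeRecoveryDescription", {})
            .get("PointInTimeRecoveryStatus"))
    if pitr == "ENABLED":
        return True, "PITR enabled"
    # Backups still in CREATING or DELETED state cannot be restored from.
    usable = [_when(b["BackupCreationDateTime"])
              for b in backups.get("BackupSummaries", [])
              if b.get("BackupStatus") == "AVAILABLE"]
    if not usable:
        return False, "no AVAILABLE backup and PITR disabled"
    age = now - max(usable)
    if age > rpo:
        return False, f"newest backup is {age} old, RPO is {rpo}"
    return True, f"newest backup is {age} old"

# Constructed sample responses (not real account data).
NOW = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)
RPO = timedelta(hours=24)
PITR_OFF = {"ContinuousBackupsDescription": {"PointInTimeRecoveryDescription":
            {"PointInTimeRecoveryStatus": "DISABLED"}}}
PITR_ON = {"ContinuousBackupsDescription": {"PointInTimeRecoveryDescription":
           {"PointInTimeRecoveryStatus": "ENABLED"}}}
STALE = {"BackupSummaries": [
    {"BackupStatus": "AVAILABLE", "BackupCreationDateTime": "2024-04-28T05:00:10+00:00"},
    {"BackupStatus": "CREATING", "BackupCreationDateTime": "2024-05-03T05:00:10+00:00"}]}
FRESH = {"BackupSummaries": [
    {"BackupStatus": "AVAILABLE", "BackupCreationDateTime": 1714712410.0}]}

if __name__ == "__main__":
    for name, data in (("stale", STALE), ("fresh", FRESH)):
        print(name, assess_table(data, PITR_OFF, RPO, NOW))
```

The function only sees what those two DynamoDB commands return; recovery points held in an AWS Backup vault have to be checked through AWS Backup itself.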

Additional Notes

Maintaining backups and aligning with NIST CSF is not just about data protection but also contributes to a strategic cybersecurity stance. Regularly review and test your backup and recovery processes to ensure they meet current business requirements. Comprehensive backups are a key part of a multi-layered defense strategy and are critical to the recovery process in the event of data corruption or loss.
