
DynamoDB Backup and Restore

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: DynamoDB-005

Ensure that your Amazon DynamoDB tables use the on-demand backup and restore feature for data protection and archival purposes and to help you meet regulatory requirements within your organization. Along with the table data, Global Secondary Indexes (GSIs), Local Secondary Indexes (LSIs), streams and provisioned read/write capacity are also included in the table backups. The backup/restore process does not consume any provisioned capacity and has no impact on the performance and availability of your DynamoDB applications.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

With Amazon DynamoDB on-demand backup and restore functionality you can protect your DynamoDB data from loss due to application errors and retain it for regulatory compliance purposes.


Audit

To determine if your Amazon DynamoDB tables are using the on-demand backup and restore functionality to perform data backups, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon DynamoDB console available at https://console.aws.amazon.com/dynamodbv2/.

03 In the main navigation panel, under Dashboard, choose Tables.

04 Click on the name (link) of the DynamoDB table that you want to examine.

05 Select the Backups tab to access the backup settings available for the selected table.

06 In the Backups section, check for any on-demand backups created for the selected DynamoDB table. The Backups section should list backups created with both Amazon DynamoDB and AWS Backup. If there are no backups listed in the Backups section and the console displays the following status message: No backups, the selected Amazon DynamoDB table is not using the On-Demand Backup and Restore feature to perform table backups. If one or more backups are listed in the Backups section, check the Status column to determine the resource state. If Status is not set to Available, the selected Amazon DynamoDB table is unable to use the On-Demand Backup and Restore feature.

07 Repeat steps no. 4 – 6 for each Amazon DynamoDB table available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run the list-tables command (OSX/Linux/UNIX) with custom query filters to list the name of each Amazon DynamoDB table created in the selected AWS cloud region:

aws dynamodb list-tables \
  --region us-east-1 \
  --output table \
  --query 'TableNames'

02 The command output should return a table with the requested table name(s):

--------------------------
|       ListTables       |
+------------------------+
|  cc-product-reviews    |
|  cc-product-inventory  |
+------------------------+ 

03 Run the describe-table command (OSX/Linux/UNIX) using the name of the Amazon DynamoDB table that you want to examine as the identifier and custom query filters to return the Amazon Resource Name (ARN) of the selected table:

aws dynamodb describe-table \
  --region us-east-1 \
  --table-name cc-product-reviews \
  --query 'Table.TableArn'

04 The command output should return the DynamoDB table ARN:

"arn:aws:dynamodb:us-east-1:123456789012:table/cc-product-reviews"

05 Run the list-recovery-points-by-resource command (OSX/Linux/UNIX) using the ARN of the Amazon DynamoDB table that you want to examine as the identifier parameter, to describe the information available for each data backup created for the selected table. The command output returns information about table backups created with both Amazon DynamoDB and AWS Backup:

aws backup list-recovery-points-by-resource \
  --region us-east-1 \
  --resource-arn arn:aws:dynamodb:us-east-1:123456789012:table/cc-product-reviews \
  --query 'RecoveryPoints'

06 The command output should return an array with the backup information such as backup ARN, current status, and creation date:

[]

If the list-recovery-points-by-resource command output returns an empty array (i.e. []), as shown in the output example above, no backups have been created for the table, therefore the selected Amazon DynamoDB table is not using the On-Demand Backup and Restore feature to perform backups. If the command output returns information about one or more backups, check the "Status" attribute value to determine the resource state. If the "Status" value is not "COMPLETED", the selected Amazon DynamoDB table is not able to use the On-Demand Backup and Restore feature.

07 Repeat steps no. 3 - 6 for each DynamoDB table available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
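The CLI audit above, expressed as an added Python example (not Conformity's or AWS's own code): the pass/fail decision is isolated in one function that takes the RecoveryPoints array, a boto3 wrapper walks every table in a region, and a constructed sample (labelled as such) exercises the three outcomes the Audit section describes. It assumes that one recovery point in COMPLETED state is enough for a table to pass.

```python
"""Rule DynamoDB-005 audit helper: the CLI steps above, applied across all tables."""


def evaluate_recovery_points(recovery_points: list[dict]) -> tuple[bool, str]:
    """Apply the rule's check to the RecoveryPoints array that
    `aws backup list-recovery-points-by-resource` returns for one table.
    Assumption: one recovery point with Status COMPLETED is enough to pass."""
    if not recovery_points:
        return False, "no backups (empty RecoveryPoints array)"
    statuses = [rp.get("Status", "UNKNOWN") for rp in recovery_points]
    if "COMPLETED" in statuses:
        return True, f"{statuses.count('COMPLETED')} completed backup(s)"
    return False, "backups present but none COMPLETED: " + ", ".join(sorted(set(statuses)))


def audit_region(region: str) -> dict[str, tuple[bool, str]]:
    """Live equivalent of CLI steps 01-06 for one region (needs boto3 and
    AWS credentials; the offline sample below does not call it)."""
    import boto3  # imported here so the offline path needs no AWS SDK

    ddb = boto3.client("dynamodb", region_name=region)
    backup = boto3.client("backup", region_name=region)
    results: dict[str, tuple[bool, str]] = {}
    for page in ddb.get_paginator("list_tables").paginate():
        for name in page["TableNames"]:
            arn = ddb.describe_table(TableName=name)["Table"]["TableArn"]
            points: list[dict] = []
            pages = backup.get_paginator("list_recovery_points_by_resource").paginate(ResourceArn=arn)
            for bpage in pages:
                points.extend(bpage.get("RecoveryPoints", []))
            results[arn] = evaluate_recovery_points(points)
    return results


# Constructed sample input (not real AWS output) covering the three outcomes
# the Audit section describes: no backups, a COMPLETED backup, only unusable ones.
_TABLE_PREFIX = "arn:aws:dynamodb:us-east-1:123456789012:table/"
SAMPLE_RECOVERY_POINTS = {
    _TABLE_PREFIX + "cc-product-reviews": [],
    _TABLE_PREFIX + "cc-product-inventory": [
        {"RecoveryPointArn": _TABLE_PREFIX + "cc-product-inventory/backup/01234567890123-00000001",
         "Status": "COMPLETED", "CreationDate": "2024-01-03T15:32:39+00:00"},
    ],
    _TABLE_PREFIX + "cc-orders": [
        {"RecoveryPointArn": _TABLE_PREFIX + "cc-orders/backup/01234567890123-00000002", "Status": "PARTIAL"},
        {"RecoveryPointArn": _TABLE_PREFIX + "cc-orders/backup/01234567890123-00000003", "Status": "EXPIRED"},
    ],
}


def audit_sample() -> dict[str, tuple[bool, str]]:
    return {arn: evaluate_recovery_points(rps) for arn, rps in SAMPLE_RECOVERY_POINTS.items()}
```

Run audit_region for each region in turn to cover the "repeat for other regions" step; the live path reads DynamoDB-native and AWS Backup recovery points alike, as the Audit section notes.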

Remediation / Resolution

To make use of the Amazon DynamoDB On-Demand Backup and Restore functionality, you need to create full table backups and restore them when needed. The following section demonstrates how to create a backup of an existing table and restore it in order to use the on-demand backup and restore feature:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon DynamoDB console available at https://console.aws.amazon.com/dynamodbv2/.

03 In the main navigation panel, under Dashboard, choose Tables.

04 Click on the name (link) of the DynamoDB table that you want to back up.

05 Select the Backups tab to access the backup settings available for the selected table.

06 In the Backups section, choose Create backup, and select Create on-demand backup to initiate the backup process.

07 On the Create on-demand backup page, perform the following actions:

  1. If the backup advanced features are not displayed, select Go to backup settings and choose Turn on from the Backup settings section. Choose Turn on features to enable advanced features such as cross-account copy, cross-region copy, cost allocation tags, and cold storage tiering. If the backup advanced features are already enabled, skip this step.
  2. Select the DynamoDB table that you want to back up from the Source table box.
  3. In the Backup settings section, choose whether to use the default settings provided by DynamoDB or to customize backup settings to fit your requirements. For custom backup settings, choose the backup management service that you want to use for your on-demand backups. If you choose Amazon DynamoDB for backup management, provide a unique name for your on-demand backup in the Backup name box. If you choose AWS Backup service for backup management, you can configure advanced settings such as backup window, transition to cold storage, retention period, the backup vault used for storage, and the IAM role required for backup operations.
  4. (Optional) In the Tags - optional section, choose Add new tag to create tag sets for your new resource.
  5. Choose Create backup to create a one-time snapshot backup of your DynamoDB table.

08 To restore your on-demand backup, select your new table backup from the Backups section, and choose Restore.

09 On the Restore table from backup page, provide a unique name for your new DynamoDB table in the Name of restored table box, configure secondary indexes, table destination regions, encryption settings, and select the IAM role required for backup restore, then choose Restore to initiate the backup restore process. Once the process is finished, the status of the selected table should change from Restoring to Active.

10 Repeat steps no. 4 – 9 for each Amazon DynamoDB table that you want to back up, available in the current AWS region.

11 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run the create-backup command (OSX/Linux/UNIX) to create a full, on-demand backup of your Amazon DynamoDB table. Along with the data, global secondary indexes (GSIs), local secondary indexes (LSIs), streams, and provisioned read and write capacity are also included in the backup:

aws dynamodb create-backup \
  --region us-east-1 \
  --table-name cc-product-reviews \
  --backup-name cc-product-reviews-backup

02 The output should return the create-backup command request information:

{
	"BackupDetails": {
		"BackupCreationDateTime": 1704295959.415,
		"BackupArn": "arn:aws:dynamodb:us-east-1:123456789012:table/cc-product-reviews/backup/01234567890123-aabbccdd",
		"BackupStatus": "CREATING",
		"BackupName": "cc-product-reviews-backup"
	}
}

03 To restore the backup created at the previous step, run the restore-table-from-backup command (OSX/Linux/UNIX) using the ARN of your backup as the identifier parameter to create a new DynamoDB table from your on-demand table backup:

aws dynamodb restore-table-from-backup \
  --region us-east-1 \
  --target-table-name cc-new-product-reviews \
  --backup-arn arn:aws:dynamodb:us-east-1:123456789012:table/cc-product-reviews/backup/01234567890123-aabbccdd

04 The command output should return the information available for the new DynamoDB table:

{
	"TableDescription": {
		"TableArn": "arn:aws:dynamodb:us-east-1:123456789012:table/cc-new-product-reviews",
		"RestoreSummary": {
			"SourceTableArn": "arn:aws:dynamodb:us-east-1:123456789012:table/cc-product-reviews",
			"SourceBackupArn": "arn:aws:dynamodb:us-east-1:123456789012:table/cc-product-reviews/backup/01234567890123-aabbccdd",
			"RestoreDateTime": 1704295959.415,
			"RestoreInProgress": true
		},
		"ProvisionedThroughput": {
			"NumberOfDecreasesToday": 0,
			"WriteCapacityUnits": 5,
			"ReadCapacityUnits": 5
		},
		"ItemCount": 0,
		"CreationDateTime": 1704295959.049
	}
}

05 Repeat steps no. 1 – 4 for each Amazon DynamoDB table that you want to back up, available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.
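The two-command remediation above, as an added Python example (not Conformity's or AWS's own code). The create-backup output in step 02 shows BackupStatus "CREATING"; the restore call needs the backup in the AVAILABLE state, so the function polls describe-backup before restoring. The client is passed in, and FakeDynamoDB is a constructed stand-in for the three boto3 calls so the sequence can be checked offline; replace it with boto3.client("dynamodb", region_name=...) for a live run.

```python
"""Rule DynamoDB-005 remediation as code: create an on-demand backup, wait for it
to become AVAILABLE, then restore it to a new table. The client is injected so the
same function runs against boto3 or the offline fake below."""
import time


def backup_and_restore(ddb, table_name, backup_name, target_table_name,
                       poll_seconds=5.0, timeout_seconds=900.0):
    """create-backup returns BackupStatus CREATING (see the CLI output above);
    restore-table-from-backup only succeeds once the backup is AVAILABLE."""
    details = ddb.create_backup(TableName=table_name, BackupName=backup_name)["BackupDetails"]
    backup_arn = details["BackupArn"]
    deadline = time.monotonic() + timeout_seconds
    while True:
        desc = ddb.describe_backup(BackupArn=backup_arn)["BackupDescription"]
        status = desc["BackupDetails"]["BackupStatus"]
        if status == "AVAILABLE":
            break
        if status == "DELETED":
            raise RuntimeError(f"backup {backup_arn} was deleted before restore")
        if time.monotonic() >= deadline:
            raise TimeoutError(f"backup {backup_arn} still {status} after {timeout_seconds}s")
        time.sleep(poll_seconds)
    restored = ddb.restore_table_from_backup(TargetTableName=target_table_name, BackupArn=backup_arn)
    return backup_arn, restored["TableDescription"]["TableArn"]


class FakeDynamoDB:
    """Offline stand-in (constructed, not boto3) for the three calls used above:
    the backup reports CREATING for `creating_polls` describes, then AVAILABLE."""

    def __init__(self, region="us-east-1", account="123456789012", creating_polls=2):
        self.prefix = f"arn:aws:dynamodb:{region}:{account}:table/"
        self.polls_left = creating_polls
        self.calls = []

    def create_backup(self, TableName, BackupName):
        self.calls.append("create_backup")
        arn = f"{self.prefix}{TableName}/backup/01234567890123-aabbccdd"
        return {"BackupDetails": {"BackupArn": arn, "BackupName": BackupName, "BackupStatus": "CREATING"}}

    def describe_backup(self, BackupArn):
        self.calls.append("describe_backup")
        self.polls_left -= 1
        status = "CREATING" if self.polls_left >= 0 else "AVAILABLE"
        return {"BackupDescription": {"BackupDetails": {"BackupArn": BackupArn, "BackupStatus": status}}}

    def restore_table_from_backup(self, TargetTableName, BackupArn):
        self.calls.append("restore_table_from_backup")
        return {"TableDescription": {"TableArn": self.prefix + TargetTableName, "RestoreSummary": {"SourceBackupArn": BackupArn, "RestoreInProgress": True}}}
```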
