
DynamoDB Continuous Backups

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: DynamoDB-003

Ensure that your Amazon DynamoDB tables use the Point-in-time Recovery (PITR) feature so that continuous backups of your DynamoDB data are taken automatically. With PITR enabled, DynamoDB backs up your data with per-second granularity and can restore the table to any single second within the preceding 35 days, starting from the time PITR was enabled. DynamoDB continuous backups are an additional layer of insurance against accidental data loss on top of on-demand backups. Data restored with the Point-in-time Recovery feature includes Global Secondary Indexes (GSIs) and Local Secondary Indexes (LSIs).

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

Once enabled, Amazon DynamoDB continuous backups, powered by the Point-in-time Recovery (PITR) feature, can help you protect your DynamoDB data against accidental writes or deletes. With DynamoDB continuous backups, you don't have to worry about creating, maintaining, or scheduling on-demand backups.


Audit

To determine if continuous backups are enabled for your Amazon DynamoDB tables, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon DynamoDB console at https://console.aws.amazon.com/dynamodbv2/.

03 In the main navigation panel, under DynamoDB, choose Tables.

04 Click on the name (link) of the Amazon DynamoDB table that you want to examine.

05 Select the Backups tab to access the backup settings available for the selected table.

06 In the Point-in-time recovery (PITR) section, check the Status configuration attribute value. If the Status attribute value is set to Off, the Point-in-time Recovery (PITR) feature is not currently enabled, therefore the selected Amazon DynamoDB table is not configured to take continuous backups.

07 Repeat steps no. 4 – 6 for each Amazon DynamoDB table available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-tables command (OSX/Linux/UNIX) with custom query filters to list the name of each Amazon DynamoDB table created in the selected AWS region:

aws dynamodb list-tables \
  --region us-east-1 \
  --output table \
  --query 'TableNames'

02 The command output should return a table with the requested table name(s):

--------------------------
|       ListTables       |
+------------------------+
|  cc-product-reviews    |
|  cc-product-inventory  |
+------------------------+ 

03 Run describe-continuous-backups command (OSX/Linux/UNIX) using the name of the DynamoDB table that you want to examine as the identifier parameter and custom query filters to determine the Point-in-time Recovery (PITR) feature status set for the selected table:

aws dynamodb describe-continuous-backups \
  --region us-east-1 \
  --table-name cc-product-reviews \
  --query "ContinuousBackupsDescription.PointInTimeRecoveryDescription.PointInTimeRecoveryStatus"

04 The command output should return the status of the PITR feature:

"DISABLED"

If the describe-continuous-backups command output returns "DISABLED", as shown in the output example above, the Point-in-time Recovery (PITR) feature is not enabled, therefore the selected Amazon DynamoDB table is not configured to take continuous backups.

05 Repeat steps no. 3 and 4 for each DynamoDB table provisioned in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To make use of the Point-in-time Recovery (PITR) feature and enable continuous backups for all your Amazon DynamoDB tables, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Enable Continuous Backups with Point-in-time Recovery",
	"Resources": {
		"AWSDynamoDBTable" : {
			"Type" : "AWS::DynamoDB::Table",
			"Properties" : {
				"TableName" : "cc-game-scores",
				"BillingMode" : "PROVISIONED",
				"PointInTimeRecoverySpecification" : {
					"PointInTimeRecoveryEnabled" : true
				},
				"AttributeDefinitions" : [
					{
						"AttributeName" : "UserId",
						"AttributeType" : "S"   
					},
					{
						"AttributeName" : "GameTitle",
						"AttributeType" : "S"
					},
					{
						"AttributeName" : "TopScore",
						"AttributeType" : "N"
					}
				],
				"KeySchema" : [
					{
						"AttributeName" : "UserId",
						"KeyType" : "HASH"
					},
					{
						"AttributeName" : "GameTitle",
						"KeyType" : "RANGE"
					}
				],
				"ProvisionedThroughput" : {
					"ReadCapacityUnits" : "5",
					"WriteCapacityUnits" : "5"
				},
				"GlobalSecondaryIndexes" : [
					{
						"IndexName" : "GameTitleIndex",
						"KeySchema" : [
							{
								"AttributeName" : "GameTitle",
								"KeyType" : "HASH"
							},
							{
								"AttributeName" : "TopScore",
								"KeyType" : "RANGE"
							}
						],
						"Projection" : {
							"NonKeyAttributes" : ["Album","UserId"],
							"ProjectionType" : "INCLUDE"
						},
						"ProvisionedThroughput" : {
							"ReadCapacityUnits" : "5",
							"WriteCapacityUnits" : "5"
						}
					}
				]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Continuous Backups with Point-in-time Recovery
Resources:
  AWSDynamoDBTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: cc-game-scores
      BillingMode: PROVISIONED
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true
      AttributeDefinitions:
        - AttributeName: UserId
          AttributeType: S
        - AttributeName: GameTitle
          AttributeType: S
        - AttributeName: TopScore
          AttributeType: N
      KeySchema:
        - AttributeName: UserId
          KeyType: HASH
        - AttributeName: GameTitle
          KeyType: RANGE
      ProvisionedThroughput:
        ReadCapacityUnits: '5'
        WriteCapacityUnits: '5'
      GlobalSecondaryIndexes:
        - IndexName: GameTitleIndex
          KeySchema:
            - AttributeName: GameTitle
              KeyType: HASH
            - AttributeName: TopScore
              KeyType: RANGE
          Projection:
            NonKeyAttributes:
              - Album
              - UserId
            ProjectionType: INCLUDE
          ProvisionedThroughput:
            ReadCapacityUnits: '5'
            WriteCapacityUnits: '5'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	region  = "us-east-1"
}

resource "aws_dynamodb_table" "aws-dynamodb-table" {

	name           = "cc-game-scores"
	billing_mode   = "PROVISIONED"
	read_capacity  = 5
	write_capacity = 5
	hash_key       = "UserId"
	range_key      = "GameTitle"

	attribute {
		name = "UserId"
		type = "S"
	}

	attribute {
		name = "GameTitle"
		type = "S"
	}

	attribute {
		name = "TopScore"
		type = "N"
	}

	global_secondary_index {
		name               = "GameTitleIndex"
		hash_key           = "GameTitle"
		range_key          = "TopScore"
		write_capacity     = 5
		read_capacity      = 5
		projection_type    = "INCLUDE"
		non_key_attributes = ["UserId"]
	}

	# Enable Continuous Backups with Point-in-time Recovery (PITR)
	point_in_time_recovery {
		enabled = true
	}

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon DynamoDB console at https://console.aws.amazon.com/dynamodbv2/.

03 In the main navigation panel, under DynamoDB, choose Tables.

04 Click on the name (link) of the Amazon DynamoDB table that you want to configure.

05 Select the Backups tab to access the backup settings available for the selected table.

06 In the Point-in-time recovery (PITR) section, choose Edit to change the PITR feature configuration settings.

07 Select the Turn on point-in-time-recovery checkbox to enable the Point-in-time Recovery (PITR) feature and turn on continuous backups for the selected Amazon DynamoDB table. Once the feature is enabled, the Earliest restore point and Latest restore point attributes are populated with the appropriate values. You can now restore your DynamoDB table data to any point in time between the Earliest restore point and the Latest restore point.

08 Repeat steps no. 4 – 7 to enable automatic continuous backups for other DynamoDB tables available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run update-continuous-backups command (OSX/Linux/UNIX) using the name of the Amazon DynamoDB table that you want to configure as the identifier parameter. Setting the PointInTimeRecoveryEnabled configuration attribute to true enables the Point-in-time Recovery (PITR) feature and turns on continuous backups for the selected table:

aws dynamodb update-continuous-backups \
  --region us-east-1 \
  --table-name cc-product-reviews \
  --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true

02 The output should return the update-continuous-backups command request information. You can now restore your DynamoDB table data to any point in time between "EarliestRestorableDateTime" and "LatestRestorableDateTime":

{
	"ContinuousBackupsDescription": {
		"ContinuousBackupsStatus": "ENABLED",
		"PointInTimeRecoveryDescription": {
			"PointInTimeRecoveryStatus": "ENABLED",
			"EarliestRestorableDateTime": "2023-07-11T13:32:21+00:00",
			"LatestRestorableDateTime": "2023-07-11T13:32:21+00:00"
		}
	}
}

03 Repeat steps no. 1 and 2 to enable automatic continuous backups for other DynamoDB tables provisioned in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.
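The CLI audit loop (Audit steps 01 to 05) and the update call (Remediation step 01) as one added Python script; this is example code, not Conformity's or AWS's own. It walks ListTables pagination (LastEvaluatedTableName), which the single list-tables call above does not, and uses a constructed FakeDynamoDB client in place of boto3.client("dynamodb") so it runs offline; the real client exposes the same three method names and response shapes.

```python
def list_all_tables(client):
    """Walk ListTables via LastEvaluatedTableName; one call returns at most 100 names."""
    names, start = [], None
    while True:
        page = client.list_tables(**({"ExclusiveStartTableName": start} if start else {}))
        names.extend(page.get("TableNames", []))
        start = page.get("LastEvaluatedTableName")
        if not start:
            return names

def pitr_status(client, table):
    """Same field the describe-continuous-backups --query above selects."""
    desc = client.describe_continuous_backups(TableName=table)
    return desc["ContinuousBackupsDescription"]["PointInTimeRecoveryDescription"]["PointInTimeRecoveryStatus"]

def audit_pitr(client, remediate=False):
    """Return tables whose PITR status is not ENABLED; with remediate=True, turn PITR on for them."""
    findings = []
    for table in list_all_tables(client):
        if pitr_status(client, table) != "ENABLED":
            findings.append(table)
            if remediate:  # same call as the update-continuous-backups step
                client.update_continuous_backups(
                    TableName=table,
                    PointInTimeRecoverySpecification={"PointInTimeRecoveryEnabled": True})
    return findings

class FakeDynamoDB:
    """Constructed stand-in for the boto3 DynamoDB client so the example runs offline."""
    def __init__(self, status):
        self.status = dict(status)  # table name -> PITR status
    def list_tables(self, ExclusiveStartTableName=None):
        names = sorted(self.status)  # serve one name per page to exercise the pagination loop
        start = names.index(ExclusiveStartTableName) + 1 if ExclusiveStartTableName else 0
        page = {"TableNames": names[start:start + 1]}
        if start + 1 < len(names):
            page["LastEvaluatedTableName"] = names[start]
        return page
    def describe_continuous_backups(self, TableName):
        return {"ContinuousBackupsDescription": {"ContinuousBackupsStatus": "ENABLED",
                "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": self.status[TableName]}}}
    def update_continuous_backups(self, TableName, PointInTimeRecoverySpecification):
        if PointInTimeRecoverySpecification["PointInTimeRecoveryEnabled"]:
            self.status[TableName] = "ENABLED"

if __name__ == "__main__":  # against a real account: boto3.client("dynamodb", region_name="us-east-1")
    demo = FakeDynamoDB({"cc-product-reviews": "DISABLED", "cc-product-inventory": "ENABLED"})
    print(audit_pitr(demo))  # ['cc-product-reviews']
```

Run it once per region with the real client; the credentials used need dynamodb:ListTables and dynamodb:DescribeContinuousBackups, plus dynamodb:UpdateContinuousBackups when remediate=True.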
