
Sufficient Backup Retention Period

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Amazon DynamoDB table backups have a minimum backup retention period set in order to meet the compliance requirements of your organization. The retention period is the number of days that on-demand backups are retained before they are deleted. The retention period can be configured only for DynamoDB table backups managed by the AWS Backup service. Before the Trend Cloud One™ – Conformity engine runs this rule, the retention period for your Amazon DynamoDB table backups must be defined in the rule settings in your Conformity account.

Reliability

Setting a minimum retention period for your Amazon DynamoDB table backups enforces a backup strategy that follows best practices as specified in the compliance regulations. Retaining Amazon DynamoDB backup data for a longer period of time allows you to handle your data restoration process more efficiently in the event of a failure.


Audit

To determine if your Amazon DynamoDB tables have a sufficient backup retention period configured for on-demand backups, perform the following operations:

Getting the retention period for the DynamoDB table backups managed by AWS Backup via AWS Command Line Interface (AWS CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon DynamoDB console available at https://console.aws.amazon.com/dynamodbv2/.

03 In the main navigation panel, under Dashboard, choose Tables.

04 Click on the name of the Amazon DynamoDB table that you want to examine.

05 Select the Backups tab to access the backup settings available for the selected table.

06 Click on the name (link) of the DynamoDB table backup that you want to examine. A backup managed by AWS Backup has the Type attribute set to AWS_BACKUP.

07 In the Backup job summary section, check the Expiration attribute value to determine the backup retention period configured for the selected backup.

08 Sign in to your Trend Cloud One™ – Conformity account, access the Sufficient Backup Retention Period rule settings, and compare the retention period found in the previous step against the one set in the rule configuration. If the retention period configured for your backup is less than the one defined in your Conformity account, the selected DynamoDB table backup does not have a sufficient data retention period configured for compliance purposes.

09 Repeat steps no. 6 – 8 for each data backup created for the selected DynamoDB table.

10 Repeat steps no. 4 – 9 for each Amazon DynamoDB table available within the current AWS region.

11 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.
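
The comparison in steps 06 to 10, as an added example (not Conformity's or AWS's own code): it takes backup details recorded from the console, derives each AWS_BACKUP backup's retention in days from its creation and Expiration timestamps, and flags those below the minimum set in the rule settings. The record layout, field names, sample values and the 35-day minimum are constructed assumptions; a backup with no expiration is assumed to be retained indefinitely.

```python
from datetime import datetime, timezone

# Assumed minimum retention (days); use the value from your Conformity rule settings.
MIN_RETENTION_DAYS = 35

# Constructed sample recorded from the Backups tab; field names are illustrative.
BACKUPS = [
    {"table": "orders", "name": "orders-2024-01-02", "type": "AWS_BACKUP",
     "created": "2024-01-02T03:00:00Z", "expiration": "2024-01-09T03:00:00Z"},
    {"table": "orders", "name": "orders-2024-01-03", "type": "AWS_BACKUP",
     "created": "2024-01-03T03:00:00Z", "expiration": "2024-04-02T03:00:00Z"},
    {"table": "orders", "name": "orders-archive", "type": "AWS_BACKUP",
     "created": "2024-01-04T03:00:00Z", "expiration": None},
    {"table": "sessions", "name": "sessions-manual", "type": "USER",
     "created": "2024-01-05T03:00:00Z", "expiration": None},
]


def _parse(ts):
    """Parse an ISO 8601 UTC timestamp such as 2024-01-02T03:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def retention_days(backup):
    """Whole days between creation and expiration, or None if it never expires."""
    if backup["expiration"] is None:
        return None
    return (_parse(backup["expiration"]) - _parse(backup["created"])).days


def audit(backups, min_days=MIN_RETENTION_DAYS):
    """Return (table, name, status, days) for every backup record."""
    results = []
    for b in backups:
        days = retention_days(b)
        if b["type"] != "AWS_BACKUP":
            status = "SKIPPED"  # retention is configurable only via AWS Backup
        elif days is None or days >= min_days:
            status = "SUFFICIENT"
        else:
            status = "INSUFFICIENT"  # shorter than the rule's minimum (step 08)
        results.append((b["table"], b["name"], status, days))
    return results


if __name__ == "__main__":
    for row in audit(BACKUPS):
        print(*row, sep="\t")
```
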

Remediation / Resolution

To update your Amazon DynamoDB table backup configuration in order to extend the backup retention period for compliance purposes, perform the following operations:

Setting the retention period for the DynamoDB table backups managed by AWS Backup via AWS Command Line Interface (AWS CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon DynamoDB console available at https://console.aws.amazon.com/dynamodbv2/.

03 In the main navigation panel, under Dashboard, choose Tables.

04 Click on the name of the Amazon DynamoDB table that you want to access.

05 Select the Backups tab to access the backup settings available for the selected table.

06 For existing backups, select the DynamoDB table backup that you want to update, choose Copy, and select Copy in AWS Backup. A backup managed by AWS Backup has the Type attribute set to AWS_BACKUP.

07 Choose the appropriate AWS cloud region from the Region dropdown list and select a sufficient and optimal backup retention period using the Total retention period controls, in accordance with the retention period specified in the conformity rule settings, in your Trend Cloud One™ – Conformity account. Choose Copy to make a copy and extend the backup retention period for the selected backup.

08 For new backups, choose Create backup, and select Create on-demand backup to initiate the backup process.

09 On the Create on-demand backup page, perform the following actions:

  1. If the backup advanced features are not displayed, select Go to backup settings and choose Turn on from the Backup settings section. Choose Turn on feature to enable advanced features such as cross-account copy, cross-region copy, cost allocation tags, and cold storage tiering. If the backup advanced features are enabled, skip this step.
  2. Select the DynamoDB table that you want to back up from the Source table box.
  3. Choose Customize settings for custom backup settings.
  4. Select Backup with AWS Backup for Backup management.
  5. Use the Retention period controls to select a sufficient backup retention period in accordance with the retention period specified in the conformity rule settings, in your Trend Cloud One™ – Conformity account.
  6. Configure other advanced settings such as backup window, transition to cold storage, the backup vault used for storage, and the IAM role required for backup operations, to fit your requirements.
  7. (Optional) In the Tags - optional section, choose Add new tag to create tag sets for your new resource.
  8. Choose Create backup to create your new DynamoDB table backup.

10 Repeat steps no. 6 – 9 for each data backup created for the selected DynamoDB table.

11 Repeat steps no. 4 – 10 for each Amazon DynamoDB table that you want to back up, available in the current AWS region.

12 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.


Publication date Jan 11, 2024