
DynamoDB Backup and Restore

Reliability

Risk level: High (not acceptable risk)

Ensure that your Amazon DynamoDB tables are using on-demand backup and restore functionality for data protection and archival purposes, helping you meet regulatory requirements in your organization. Along with data, Global Secondary Indexes (GSIs), Local Secondary Indexes (LSIs), streams and provisioned read/write capacity are also included within the table backups. The backup/restore process does not consume any provisioned capacity and has no impact on the performance and availability of your DynamoDB applications.

With AWS DynamoDB on-demand backup and restore functionality you can protect your data from loss due to application errors and retain it for regulatory compliance purposes.

Audit

To identify any DynamoDB tables in your AWS account that are not using the on-demand backup and restore functionality, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to DynamoDB dashboard at https://console.aws.amazon.com/dynamodb/.

03 In the left navigation panel, under Dashboard, click Tables.

04 Select the DynamoDB table that you want to examine.

05 Select the Backups tab to access the table backups management panel.

06 On the Backups panel, check for any on-demand backups created for the selected table. If there are no table backups listed and the panel displays the following message: "You have no backups. Click "Create backup" above to create one.", the Amazon DynamoDB backup and restore functionality is not used for the selected table, therefore it is highly recommended to create table backups (see Remediation/Resolution section) for data protection, archival and regulatory compliance.

07 Repeat steps no. 4 – 6 to verify if other DynamoDB tables, available in the current region, are using the backup and restore functionality.

08 Change the AWS region from the navigation bar and repeat the entire audit process for other regions.

Using AWS CLI

01 Run list-tables command (OSX/Linux/UNIX) using custom query filters to list the names of all DynamoDB tables created in the selected AWS region:

aws dynamodb list-tables \
	--region us-east-1 \
	--output table \
	--query 'TableNames'

02 The command output should return the requested table names:

-----------------------
|     ListTables      |
+---------------------+
|  cc-rule-inventory  |
|  cc-rule-reviews    |
+---------------------+

03 Run list-backups command (OSX/Linux/UNIX) using the name of the DynamoDB table that you want to examine as identifier and custom query filters to list the ARN(s) of the backup(s) associated with the selected AWS DynamoDB table:

aws dynamodb list-backups \
	--region us-east-1 \
	--table-name cc-rule-inventory \
	--query 'BackupSummaries[*].BackupArn'

04 The command output should return an array that contains the ARN(s) of the backup(s) created for the selected table:

[]

If the list-backups command output returns an empty array, as shown in the example above, there are no table backups created, therefore the AWS DynamoDB backup and restore functionality is not used for the selected table.

05 Repeat step no. 3 and 4 to verify if other DynamoDB tables, available in the current region, are using the service backup and restore functionality.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.
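The CLI audit steps above can be run over every table in a region in one pass. The script below is an added example, not part of the original page: the function names are assumptions, and it counts only backups whose BackupStatus is AVAILABLE, so a backup that is still CREATING or has been DELETED does not mark a table as protected.

```shell
#!/bin/sh
# Added example: flag DynamoDB tables that have no usable backup.
# Function names are hypothetical; the aws subcommands are the ones used above.

# Print the ARNs of AVAILABLE backups for one table (empty when there are none).
available_backups() {   # $1 = region, $2 = table name
    aws dynamodb list-backups \
        --region "$1" \
        --table-name "$2" \
        --query "BackupSummaries[?BackupStatus=='AVAILABLE'].BackupArn" \
        --output text
}

# Print one tab-separated line per table: region, table, backup count, status.
audit_region() {        # $1 = region
    region=$1
    tables=$(aws dynamodb list-tables --region "$region" \
        --query 'TableNames[]' --output text) || return 2
    for table in $tables; do
        arns=$(available_backups "$region" "$table") || return 2
        count=0
        for arn in $arns; do
            # Text output renders a null result as the word "None"; skip it.
            [ "$arn" = "None" ] || count=$((count + 1))
        done
        if [ "$count" -eq 0 ]; then status=NO_BACKUP; else status=OK; fi
        printf '%s\t%s\t%s\t%s\n' "$region" "$table" "$count" "$status"
    done
}

# Print only the names of tables that have no AVAILABLE backup.
unprotected_tables() {  # $1 = region
    report=$(audit_region "$1") || return 2
    printf '%s\n' "$report" | awk -F'\t' '$4 == "NO_BACKUP" { print $2 }'
}

# When regions are passed as arguments, audit each of them in turn.
for r in "$@"; do
    audit_region "$r"
done
```

Run it with one or more region names as arguments (for example us-east-1) and treat every NO_BACKUP line as a finding for this rule.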

Remediation / Resolution

To make use of Amazon DynamoDB on-demand backup and restore functionality, you need to create full table backups and restore them when needed. This section demonstrates how to back up an existing table and restore it from that backup:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to DynamoDB dashboard at https://console.aws.amazon.com/dynamodb/.

03 In the left navigation panel, under Dashboard, click Tables.

04 Select the DynamoDB table that you want to back up and restore (see Audit section part I to identify the right resource).

05 Select the Backups tab to access the table backups management panel.

06 To back up the selected table, click Create backup button to initiate the backup process.

07 Inside Create table backup, within Backup name box, provide a name for your new table backup then click Create to confirm your action. Once the backup is created, the following confirmation message will be displayed: "Backup request successful.". Click Close to return to the DynamoDB dashboard.

08 To restore the newly created table backup, select the necessary backup and click Restore backup to start the process.

09 On the Restore table from backup page, within New table name box, provide a unique name for your new DynamoDB table. Review the original (source) table configuration details then click Restore table to initiate the table restore process. Once the restore process is finished, the status of the selected table should change to Active.

10 Repeat steps no. 4 - 9 to make use of on-demand backup and restore functionality for other Amazon DynamoDB tables available within the current region.

11 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 To back up the necessary table, run create-backup command (OSX/Linux/UNIX) to create a full, on-demand backup from the selected Amazon DynamoDB table (see Audit section part II to identify the right resource):

aws dynamodb create-backup \
	--region us-east-1 \
	--table-name cc-rule-inventory \
	--backup-name cc-rule-inventory-backup

02 The command output should return the new backup metadata:

{
    "BackupDetails": {
        "BackupCreationDateTime": 1512995019.415,
        "BackupArn": "arn:aws:dynamodb:us-east-1:123456789012:table/cc-rule-inventory/backup/01234567890123-aabbccdd",
        "BackupStatus": "CREATING",
        "BackupName": "cc-rule-inventory-backup"
    }
}

03 To restore the backup created at the previous step, run restore-table-from-backup command (OSX/Linux/UNIX) using the ARN of the backup as identifier to create a new table from the existing AWS DynamoDB table backup. The following command example creates a new DynamoDB table named "cc-new-rule-inventory" from a full backup identified by the ARN "arn:aws:dynamodb:us-east-1:123456789012:table/cc-rule-inventory/backup/01234567890123-aabbccdd":

aws dynamodb restore-table-from-backup \
	--region us-east-1 \
	--target-table-name cc-new-rule-inventory \
	--backup-arn arn:aws:dynamodb:us-east-1:123456789012:table/cc-rule-inventory/backup/01234567890123-aabbccdd

04 The command output should return the new DynamoDB table metadata:

{
    "TableDescription": {
        "TableArn": "arn:aws:dynamodb:us-east-1:123456789012:table/cc-new-rule-inventory",
        "RestoreSummary": {
            "SourceTableArn": "arn:aws:dynamodb:us-east-1:123456789012:table/cc-rule-inventory",
            "SourceBackupArn": "arn:aws:dynamodb:us-east-1:123456789012:table/cc-rule-inventory/backup/01234567890123-aabbccdd",
            "RestoreDateTime": 1512995019.415,
            "RestoreInProgress": true
        },
        
        ...
 
        "ProvisionedThroughput": {
            "NumberOfDecreasesToday": 0,
            "WriteCapacityUnits": 5,
            "ReadCapacityUnits": 5
        },
        "ItemCount": 0,
        "CreationDateTime": 1512996080.049
    }
} 

05 Repeat steps no. 1 - 4 to make use of DynamoDB on-demand backup and restore functionality for other AWS DynamoDB tables available within the current region.

06 Change the AWS region by updating the --region command parameter value and repeat the entire remediation/resolution process for other regions.
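The create-backup output shown in step 02 reports "BackupStatus": "CREATING", so a scripted remediation should confirm that the backup has reached AVAILABLE before relying on it or restoring from it. The script below is an added example, not part of the original page: the function names, the polling interval and the poll limit are assumptions, and it uses the describe-backup command to read the backup status.

```shell
#!/bin/sh
# Added example: create an on-demand backup and wait until it is usable.
# POLL_SECONDS and MAX_POLLS are assumed defaults, not values from the page.
POLL_SECONDS=${POLL_SECONDS:-5}
MAX_POLLS=${MAX_POLLS:-60}

# Print the current status of a backup: CREATING, AVAILABLE or DELETED.
backup_status() {     # $1 = region, $2 = backup ARN
    aws dynamodb describe-backup \
        --region "$1" \
        --backup-arn "$2" \
        --query 'BackupDescription.BackupDetails.BackupStatus' \
        --output text
}

# Create a backup, poll until it is AVAILABLE, then print its ARN.
# Returns 0 on success, 1 on an unexpected status, 2 on a CLI error,
# 3 when the backup is still CREATING after MAX_POLLS checks.
backup_and_wait() {   # $1 = region, $2 = table name, $3 = backup name
    arn=$(aws dynamodb create-backup \
        --region "$1" \
        --table-name "$2" \
        --backup-name "$3" \
        --query 'BackupDetails.BackupArn' \
        --output text) || return 2
    polls=0
    while [ "$polls" -lt "$MAX_POLLS" ]; do
        status=$(backup_status "$1" "$arn") || return 2
        case "$status" in
            AVAILABLE) printf '%s\n' "$arn"; return 0 ;;
            CREATING)  sleep "$POLL_SECONDS" ;;
            *)         return 1 ;;
        esac
        polls=$((polls + 1))
    done
    return 3
}
```

The ARN printed on success is the value to pass to --backup-arn in the restore-table-from-backup command from step 03.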
