
Enable DynamoDB Continuous Backups

Reliability

Risk level: High (not acceptable risk)

Ensure that your AWS DynamoDB tables make use of the Point-in-time Recovery (PITR) feature in order to automatically take continuous backups of your DynamoDB data. The Amazon DynamoDB service can back up your data with per-second granularity and restore it to any single second from the time PITR was enabled up to the preceding 35 days. DynamoDB continuous backups represent an additional layer of insurance against accidental loss of data on top of on-demand backups. The data restored using the Point-in-time Recovery feature includes Global Secondary Indexes (GSIs) and Local Secondary Indexes (LSIs).

Once enabled, DynamoDB continuous backups, powered by the Point-in-time Recovery (PITR) feature, will help you protect your DynamoDB data against accidental writes or deletes.

Audit

To determine if continuous backups are enabled for your Amazon DynamoDB tables, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to DynamoDB dashboard at https://console.aws.amazon.com/dynamodb/.

03 In the left navigation panel, under Dashboard, click Tables.

04 Select the DynamoDB table that you want to examine.

05 Select the Backups tab to access the resource details panel.

06 On the Backups panel, within the Point-in-time Recovery section, check the Status configuration attribute value. If the attribute value is set to DISABLED, the Point-in-time Recovery feature is not currently enabled, therefore the selected Amazon DynamoDB table does not take continuous backups.

07 Repeat steps no. 4 – 6 for other AWS DynamoDB tables, available in the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the list-tables command (OSX/Linux/UNIX) using custom query filters to list the names of all DynamoDB tables created in the selected AWS region:

aws dynamodb list-tables \
	--region us-east-1 \
	--output table \
	--query 'TableNames'

02 The command output should return the Amazon DynamoDB table names:

--------------------------
|       ListTables       |
+------------------------+
| cc-project5-inventory  |
| cc-project5-reviews    |
+------------------------+

03 Run the describe-continuous-backups command (OSX/Linux/UNIX) using the name of the DynamoDB table that you want to examine as identifier and custom query filters to expose the Point-in-time Recovery (PITR) feature status for the selected AWS DynamoDB table:

aws dynamodb describe-continuous-backups \
	--region us-east-1 \
	--table-name cc-project5-inventory \
	--query "ContinuousBackupsDescription.PointInTimeRecoveryDescription.PointInTimeRecoveryStatus"

04 The command output should return the current status for the PITR feature:

"DISABLED"

If the describe-continuous-backups command output returns "DISABLED", as shown in the example above, the Point-in-time Recovery (PITR) feature is not enabled, therefore the selected Amazon DynamoDB table does not take automatic continuous backups.

05 Repeat steps no. 3 and 4 to verify whether other Amazon DynamoDB tables, available in the selected region, are using PITR.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire audit process for other regions.

Remediation / Resolution

To make use of the Point-in-time Recovery (PITR) feature and enable continuous backups for your Amazon DynamoDB tables, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to DynamoDB dashboard at https://console.aws.amazon.com/dynamodb/.

03 In the left navigation panel, under Dashboard, click Tables.

04 Select the DynamoDB table that you want to reconfigure (see Audit section part I to identify the right resource).

05 Select the Backups tab to access the resource details panel.

06 On the Backups panel, within the Point-in-time Recovery section, click Enable next to the Status configuration attribute value.

07 Within the Enable Point-in-time Recovery dialog box, click Enable to activate continuous backups for the selected Amazon DynamoDB table. Once continuous backups are enabled, you should be able to see the Earliest restore date and Latest restore date attributes with the appropriate values. You can now restore your DynamoDB table data to any point in time between the earliest restorable time, specified by the Earliest restore date attribute, and the latest restorable time, specified by the Latest restore date attribute.

08 Repeat steps no. 4 – 7 to enable automatic continuous backups for other AWS DynamoDB tables available within the current region.

09 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run the update-continuous-backups command (OSX/Linux/UNIX) to reconfigure your Amazon DynamoDB table (see Audit section part II to identify the right resource) and enable the Point-in-time Recovery (PITR) feature by setting the PointInTimeRecoveryEnabled attribute to true, as shown in the command example below:

aws dynamodb update-continuous-backups \
	--region us-east-1 \
	--table-name cc-project5-inventory \
	--point-in-time-recovery-specification PointInTimeRecoveryEnabled=true

02 The command output should return the command request metadata. You can now restore your DynamoDB table data to any point in time within EarliestRestorableDateTime and LatestRestorableDateTime:

{
    "ContinuousBackupsDescription": {
        "PointInTimeRecoveryDescription": {
            "PointInTimeRecoveryStatus": "ENABLED",
            "EarliestRestorableDateTime": 1542359105.0,
            "LatestRestorableDateTime": 1542359105.0
        },
        "ContinuousBackupsStatus": "ENABLED"
    }
}

03 Repeat steps no. 1 and 2 to enable automatic continuous backups for other AWS DynamoDB tables available in the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
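The manual per-table, per-region loop described in both the Audit and Remediation sections above can be automated. The following script is an added example (not Cloud Conformity's or AWS's own code) that uses boto3 to walk every DynamoDB table in every region, reports tables whose PITR status is not ENABLED, and, only when run with the assumed --remediate flag, calls update-continuous-backups for them; the compliance check itself is a pure function that evaluates the same response shape shown in the CLI output above, so it can be tested without AWS credentials.

```python
"""Audit (and optionally enable) DynamoDB point-in-time recovery across all tables and regions."""
import sys
from datetime import datetime, timezone


def assess_pitr(description: dict) -> dict:
    """Evaluate one describe-continuous-backups response (same shape as the CLI JSON on this page).

    Returns {'status', 'compliant'} plus the restore window as UTC ISO-8601 strings when PITR
    is ENABLED. Accepts epoch seconds (CLI output) or datetime objects (boto3 output).
    """
    pitr = (description.get("ContinuousBackupsDescription", {})
                       .get("PointInTimeRecoveryDescription", {}))
    status = pitr.get("PointInTimeRecoveryStatus", "DISABLED")
    result = {"status": status, "compliant": status == "ENABLED"}
    if result["compliant"]:
        for key in ("EarliestRestorableDateTime", "LatestRestorableDateTime"):
            value = pitr.get(key)
            if isinstance(value, (int, float)):
                value = datetime.fromtimestamp(value, tz=timezone.utc)
            result[key] = value.isoformat() if value else None
    return result


def audit_region(client, remediate: bool = False) -> list:
    """Walk every table visible to one DynamoDB client; return the names lacking PITR."""
    findings = []
    for page in client.get_paginator("list_tables").paginate():
        for name in page["TableNames"]:
            if not assess_pitr(client.describe_continuous_backups(TableName=name))["compliant"]:
                findings.append(name)
                if remediate:  # equivalent of the update-continuous-backups CLI call above
                    client.update_continuous_backups(
                        TableName=name,
                        PointInTimeRecoverySpecification={"PointInTimeRecoveryEnabled": True})
    return findings


def main(remediate: bool = False) -> None:
    import boto3  # imported here so assess_pitr()/audit_region() stay usable without boto3
    from botocore.exceptions import ClientError
    session = boto3.Session()
    for region in session.get_available_regions("dynamodb"):
        try:
            findings = audit_region(session.client("dynamodb", region_name=region), remediate)
        except ClientError as exc:  # e.g. opt-in regions not enabled for this account
            print(f"{region}\tskipped: {exc.response['Error']['Code']}")
            continue
        for name in findings:
            print(f"{region}\t{name}\tPITR DISABLED" + ("\t-> enabled" if remediate else ""))


if __name__ == "__main__":
    main(remediate="--remediate" in sys.argv)
```

Run it without arguments for a read-only audit; the assumed --remediate flag is the only path that changes table configuration, and it needs dynamodb:UpdateContinuousBackups in addition to the List/Describe permissions.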
