AWS DynamoDB Continuous Backup - Point-in-Time Recovery (PITR)

Risk level: Medium (should be achieved)

Rule ID: RDS-01

Point-in-Time Recovery (PITR) provides automatic continuous backups of a DynamoDB table, letting you restore the table together with its global and local secondary indexes to any second within the preceding 35 days. PITR does not interfere with or replace on-demand backups; it is an additional layer of protection against accidental or malicious writes and deletes. Two caveats matter in practice: a PITR restore always creates a new table rather than rolling back the existing one, and table settings such as auto scaling policies, IAM policies, tags, Streams settings and TTL settings are not carried over to the restored table and must be reapplied. If a table with PITR enabled is deleted, DynamoDB also creates a system backup of it that is retained for 35 days.

This rule can help you with the following compliance standards:

Audit

To determine whether continuous backups are enabled for your Amazon DynamoDB tables, perform the following actions:

 

Using AWS Console

1. Sign in to AWS Management Console.
 
2. Navigate to DynamoDB dashboard at https://console.aws.amazon.com/dynamodb/.
 
3. In the left navigation panel, under Dashboard, click Tables.
 
4. Select the DynamoDB table that you want to examine.
 
5. Select the Backups tab to access the resource details panel.
 
6. On the Backups panel, within the Point-in-time Recovery section, check the Status configuration attribute value. If the attribute value is set to DISABLED, the Point-in-time Recovery feature is not currently enabled, therefore the selected Amazon DynamoDB table does not take continuous backups.
 
7. Repeat steps no. 4 – 6 for other AWS DynamoDB tables, available in the current region.
 
8. Change the AWS region from the navigation bar and repeat the audit process for other regions.
 

Using AWS CLI

1. Run list-tables command (OSX/Linux/UNIX) using custom query filters to list the names of all DynamoDB tables created in the selected AWS region:

aws dynamodb list-tables \
--region us-east-1 \
--output table \
--query 'TableNames'

2. The command output should return the names of the Amazon DynamoDB tables created in the selected region (the examples below use a table named Todos).

3. Run describe-continuous-backups command (OSX/Linux/UNIX) using the name of the DynamoDB table that you want to examine as identifier and custom query filters to expose the Point-in-time Recovery (PITR) feature status for the selected AWS DynamoDB table:

aws dynamodb describe-continuous-backups \
--region us-east-1 \
--table-name Todos \
--query "ContinuousBackupsDescription.PointInTimeRecoveryDescription.PointInTimeRecoveryStatus" \
--output text

4. The command output should return the current status of the PITR feature, which is either ENABLED or DISABLED.

If the describe-continuous-backups command output returns DISABLED, the Point-in-time Recovery (PITR) feature is not enabled, therefore the selected Amazon DynamoDB table does not take automatic continuous backups.

5. Repeat steps no. 3 and 4 to verify whether other Amazon DynamoDB tables, available in the selected region, are using PITR.

6. Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 4 to perform the entire audit process for other regions.

Remediation / Resolution

To make use of the Point-in-time Recovery (PITR) feature and enable continuous backups for your Amazon DynamoDB tables, perform the following actions:

 

Using AWS Console

1. Sign in to AWS Management Console.
 
2. Navigate to DynamoDB dashboard at https://console.aws.amazon.com/dynamodb/.
 
3. In the left navigation panel, under Dashboard, click Tables.
 
4. Select the DynamoDB table that you want to reconfigure (see Audit section part I to identify the right resource).
 
5. Select the Backups tab to access the resource details panel.
 
6. On the Backups panel, within Point-in-time Recovery section, click Enable next to the Status configuration attribute value.

 
7. Within Enable Point-in-time Recovery dialog box, click Enable to activate continuous backups for the selected Amazon DynamoDB table.
 
8. Once continuous backups are enabled, the Earliest restore date and Latest restore date attributes are populated. You can now restore your DynamoDB table data to any point in time between the two. Immediately after enabling PITR the window is empty and it grows from that moment; it never reaches back before the time PITR was enabled, and the Latest restore date normally lags the current time by about five minutes.

 
9. Repeat steps no. 4 – 7 to enable automatic continuous backups for other AWS DynamoDB tables available within the current region.
 
10. Change the AWS region from the navigation bar and repeat the process for other regions.
 

Using AWS CLI

1. Run update-continuous-backups command (OSX/Linux/UNIX) to reconfigure your Amazon DynamoDB table (see Audit Section Part II to identify the right resource) and enable the Point-in-time Recovery (PITR) feature by setting the PointInTimeRecoveryEnabled attribute to true, as shown in the command example below:

aws dynamodb update-continuous-backups \
--region us-east-1 \
--table-name Todos \
--point-in-time-recovery-specification PointInTimeRecoveryEnabled=true

 
2. The command output should return the updated ContinuousBackupsDescription, with PointInTimeRecoveryStatus set to ENABLED and the EarliestRestorableDateTime and LatestRestorableDateTime attributes populated.

You can now restore your DynamoDB table data to any point in time between EarliestRestorableDateTime and LatestRestorableDateTime. Note that the earliest restorable time is the moment PITR was enabled, so a newly enabled table cannot be restored to any point before that.
 
3. Repeat Steps No. 1 and 2 to enable automatic continuous backups for other AWS DynamoDB tables available in the selected region.
 
4. Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
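The CLI audit steps and the CLI remediation steps above are the same loop run twice: enumerate regions, enumerate tables, read PointInTimeRecoveryStatus, and call update-continuous-backups where it is DISABLED. The script below combines them into one region-wide check with an optional fix. It is an added example written for this page, not nOps or AWS code; it assumes the AWS CLI is on PATH with credentials permitting ec2:DescribeRegions, dynamodb:ListTables, dynamodb:DescribeContinuousBackups and dynamodb:UpdateContinuousBackups. The file name pitr_audit.sh and the PITR_REGIONS and FIX environment variables are this example's own conventions.

```bash
#!/usr/bin/env bash
# pitr_audit.sh (added example, not part of the original rule page).
# Reports the PITR status of every DynamoDB table in every region and, with
# FIX=1, enables PITR on each table found DISABLED.
set -eu

# Regions to audit. Assumption: a space-separated PITR_REGIONS overrides the
# account's enabled-region list, e.g. PITR_REGIONS="us-east-1 eu-west-1".
list_regions() {
  regions="${PITR_REGIONS:-$(aws ec2 describe-regions --query 'Regions[].RegionName' --output text)}"
  printf '%s\n' $regions
}

# One table name per line for region $1. The CLI paginates list-tables itself;
# text output is tab separated, so the unquoted expansion splits it into words.
# A failed aws call aborts the script rather than being read as "no tables".
list_tables() {
  names=$(aws dynamodb list-tables --region "$1" --query 'TableNames[]' --output text)
  printf '%s\n' $names
}

# Prints ENABLED or DISABLED for region $1, table $2 (same query as the audit step).
pitr_status() {
  aws dynamodb describe-continuous-backups --region "$1" --table-name "$2" \
    --query 'ContinuousBackupsDescription.PointInTimeRecoveryDescription.PointInTimeRecoveryStatus' \
    --output text
}

# Enables PITR on region $1, table $2 and prints the status the API reports back.
enable_pitr() {
  aws dynamodb update-continuous-backups --region "$1" --table-name "$2" \
    --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true \
    --query 'ContinuousBackupsDescription.PointInTimeRecoveryDescription.PointInTimeRecoveryStatus' \
    --output text
}

# audit_all FIX: prints "region<TAB>table<TAB>status" for every table. Returns 1
# if any table was found without PITR, even when FIX=1 has just enabled it, so a
# scheduled run still surfaces the drift; returns 0 only when all were compliant.
audit_all() {
  fix="${1:-0}"; rc=0
  for region in $(list_regions); do
    for table in $(list_tables "$region"); do
      status=$(pitr_status "$region" "$table")
      if [ "$status" != "ENABLED" ]; then
        rc=1
        if [ "$fix" = "1" ]; then
          status="$(enable_pitr "$region" "$table") (remediated)"
        fi
      fi
      printf '%s\t%s\t%s\n' "$region" "$table" "$status"
    done
  done
  return "$rc"
}

# Run the audit only when executed as pitr_audit.sh (./pitr_audit.sh to report,
# FIX=1 ./pitr_audit.sh to remediate); sourcing the file just defines the functions.
case "${0##*/}" in
  pitr_audit.sh) audit_all "${FIX:-0}" ;;
esac
```

Run it without FIX for a read-only report suitable for a scheduled CI job (a non-zero exit means at least one table lacks PITR), and with FIX=1 to apply the remediation from the section above to every non-compliant table in one pass. Because enabling PITR starts the restore window from that moment, the fix protects future data only; any table that was unprotected until now has no earlier restore point.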
 
