🛡️ AWS DynamoDB Table does not have on-demand backups in the past 90 days🟢

Contextual name: 🛡️ Table does not have on-demand backups in the past 90 days🟢
ID: /ce/ca/aws/dynamodb/table-backup
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS DynamoDB Table
- 🔌 AWS DynamoDB Backup - object.extracts.yaml
- 🔌 AWS Backup Recovery Point - object.extracts.yaml
- 🔌 AWS DynamoDB Table - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

Cloud Conformity: DynamoDB Backup and Restore

Description

Description

This policy identifies AWS DynamoDB Tables that are not protected by AWS Backup recovery points or on-demand backups when Point-in-Time Recovery (PITR) is not enabled.

On-demand backup coverage may be provided through one of the following mechanisms:

On-Demand Backups: Backups created manually using the DynamoDB console or API.

AWS Backup Recovery Points: Backups managed centrally through AWS Backup plans.

Rationale

Although PITR is recommended for most production workloads, certain environments rely on discrete backups to support long-term data retention, archival requirements, or cost optimization strategies.

If PITR is disabled and recent backups are not available, accidental deletion, data corruption, or misconfiguration may result in permanent data loss. On-demand backups and AWS Backup recovery points provide an alternative protection mechanism, enabling snapshot retention beyond the 35-day PITR window and supporting compliance and audit requirements.

Impact

Failure to maintain recent backups significantly increases the risk of irreversible data loss due to system failures or human error.

... see more

Remediation

Open File

Remediation

Configure Backup Protection for DynamoDB Tables

When Point-in-Time Recovery (PITR) is not enabled, DynamoDB tables must be protected using either AWS Backup plans or automated on-demand backup processes to ensure recoverability and compliance with data retention requirements.

From Command Line

Option A: Protect the Table Using an AWS Backup Plan (Sustainable and Centralized Control)

AWS Backup provides centralized scheduling, retention management, and monitoring for DynamoDB backups. If a suitable backup plan does not already exist, create one before assigning the table.
Create an AWS Backup Plan (If Not Already Present)

Note: If an existing backup plan already meets organizational backup frequency and retention requirements, this step can be skipped.

Define the backup plan configuration in a JSON file (for example, backup-plan.json). The following example creates a daily backup at 01:00 Pacific Time with a 365-day retention period:
{
... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 Cloudaware Framework → 💼 Data Protection and Recovery			23	no data
💼 FedRAMP High Security Controls → 💼 CP-6 Alternate Storage Site (M)(H)	3		19	no data
💼 FedRAMP High Security Controls → 💼 CP-6(1) Separation from Primary Site (M)(H)			5	no data
💼 FedRAMP High Security Controls → 💼 CP-6(2) Recovery Time and Recovery Point Objectives (H)			19	no data
💼 FedRAMP High Security Controls → 💼 CP-9 System Backup (L)(M)(H)	5	4	14	no data
💼 FedRAMP High Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)	2		20	no data
💼 FedRAMP High Security Controls → 💼 SI-12 Information Management and Retention (L)(M)(H)			7	no data
💼 FedRAMP Low Security Controls → 💼 CP-9 System Backup (L)(M)(H)			12	no data
💼 FedRAMP Low Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)			20	no data
💼 FedRAMP Low Security Controls → 💼 SI-12 Information Management and Retention (L)(M)(H)			7	no data
💼 FedRAMP Moderate Security Controls → 💼 CP-6 Alternate Storage Site (M)(H)	2		5	no data
💼 FedRAMP Moderate Security Controls → 💼 CP-6(1) Separation from Primary Site (M)(H)			5	no data
💼 FedRAMP Moderate Security Controls → 💼 CP-9 System Backup (L)(M)(H)	2		14	no data
💼 FedRAMP Moderate Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)	1		20	no data
💼 FedRAMP Moderate Security Controls → 💼 SI-12 Information Management and Retention (L)(M)(H)			7	no data
💼 NIST CSF v2.0 → 💼 ID.AM-07: Inventories of data and corresponding metadata for designated data types are maintained			7	no data
💼 NIST CSF v2.0 → 💼 ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles			27	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			185	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			183	no data
💼 NIST CSF v2.0 → 💼 PR.DS-11: Backups of data are created, protected, maintained, and tested			15	no data
💼 NIST CSF v2.0 → 💼 PR.IR-04: Adequate resource capacity to ensure availability is maintained			5	no data
💼 NIST CSF v2.0 → 💼 RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process			20	no data
💼 NIST CSF v2.0 → 💼 RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed			20	no data
💼 NIST CSF v2.0 → 💼 RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration			9	no data
💼 NIST CSF v2.0 → 💼 RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed			20	no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-6 Alternate Storage Site	3		19	no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-6(1) Alternate Storage Site _ Separation from Primary Site			5	no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-6(2) Alternate Storage Site _ Recovery Time and Recovery Point Objectives			19	no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-9 System Backup	8		11	no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-10 System Recovery and Reconstitution	6		20	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-5(2) Denial-of-service Protection _ Capacity, Bandwidth, and Redundancy			24	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-12 Information Management and Retention	3		7	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-13(5) Predictable Failure Prevention _ Failover Capability			19	no data

Logic​

Similar Policies​

Description​

Description​

Rationale​

Impact​

Remediation​

Remediation​

Configure Backup Protection for DynamoDB Tables​

From Command Line​

Option A: Protect the Table Using an AWS Backup Plan (Sustainable and Centralized Control)​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Description

Description

Rationale

Impact

Remediation

Remediation

Configure Backup Protection for DynamoDB Tables

From Command Line

Option A: Protect the Table Using an AWS Backup Plan (Sustainable and Centralized Control)

policy.yaml

Linked Framework Sections