Remediation
Configure Backup Protection for DynamoDB Tables
When Point-in-Time Recovery (PITR) is not enabled, DynamoDB tables must be protected using either AWS Backup plans or automated on-demand backup processes to ensure recoverability and compliance with data retention requirements.
From Command Line
Option A: Protect the Table Using an AWS Backup Plan (Sustainable and Centralized Control)
AWS Backup provides centralized scheduling, retention management, and monitoring for DynamoDB backups. If a suitable backup plan does not already exist, create one before assigning the table.
- Create an AWS Backup Plan (If Not Already Present)

  Note: If an existing backup plan already meets organizational backup frequency and retention requirements, this step can be skipped.

  Define the backup plan configuration in a JSON file (for example, backup-plan.json). The following example creates a daily backup at 01:00 Pacific Time with a 365-day retention period:

  ```json
  {
    "BackupPlan": {
      "BackupPlanName": "dynamodb-backup-plan",
      "Rules": [
        {
          "RuleName": "daily-backup-rule",
          "TargetBackupVaultName": "Default",
          "ScheduleExpression": "cron(0 1 ? * * *)",
          "ScheduleExpressionTimezone": "America/Los_Angeles",
          "StartWindowMinutes": 60,
          "CompletionWindowMinutes": 180,
          "Lifecycle": {
            "DeleteAfterDays": 365
          }
        }
      ]
    }
  }
  ```

  Create the backup plan:

  ```shell
  aws backup create-backup-plan \
    --cli-input-json file://backup-plan.json
  ```

  The command output includes the BackupPlanId, which is required in the next step.

- Assign the DynamoDB Table to the Backup Plan

  The role referenced by IamRoleArn must grant AWS Backup permission to back up DynamoDB tables (for example, by attaching the AWSBackupServiceRolePolicyForBackup managed policy).

  ```shell
  aws backup create-backup-selection \
    --backup-plan-id {{backup-plan-id}} \
    --backup-selection '{
      "SelectionName": "DynamoDBTableSelection",
      "IamRoleArn": "{{backup-role-arn}}",
      "Resources": [
        "arn:aws:dynamodb:{{region}}:{{account-id}}:table/{{table-name}}"
      ]
    }'
  ```

  This ensures the table is backed up automatically according to the defined schedule and retention policy.
Option B: Enable Automated On-Demand Backups (Immediate and Lightweight Control)
As an alternative to AWS Backup, on-demand backups can be created programmatically using the AWS CLI or SDKs. To meet ongoing compliance requirements, this approach should be automated using scheduled jobs (for example, via EventBridge, Lambda, or CI/CD pipelines) to ensure backups are created on a regular basis (e.g., at least every 30 days).
Create an on-demand backup for a DynamoDB table:

```shell
aws dynamodb create-backup \
  --table-name {{table-name}} \
  --backup-name {{backup-name}}
```
Consideration: To avoid manual intervention, organizations should implement automation that periodically creates and verifies on-demand backups. This approach is suitable for environments that prefer lightweight, table-level control without adopting AWS Backup.
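The following is an added example (not part of this page's remediation steps) of the periodic create-and-verify automation described for Option B, written as the body of a scheduled Lambda or CI job. It assumes boto3 and AWS credentials only inside ensure_backup(); the 30-day threshold, the constructed sample backup lists, and the table name "orders" are illustrative values chosen for this example.

```python
# Added example (not from the page): a scheduler-driven check for Option B that
# creates a new on-demand backup when the newest usable one is older than 30 days.
# Only ensure_backup() touches AWS (assumes boto3 and credentials); the rest is pure.
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 30  # interval suggested above for Option B

def latest_available_backup(summaries):
    """Newest entry with BackupStatus AVAILABLE from list_backups()['BackupSummaries'].
    Backups still CREATING (or DELETED) are not usable restore points."""
    usable = [s for s in summaries if s.get("BackupStatus") == "AVAILABLE"]
    return max(usable, key=lambda s: s["BackupCreationDateTime"], default=None)

def backup_is_due(summaries, now, max_age_days=MAX_AGE_DAYS):
    """True when no usable backup exists or the newest one exceeds max_age_days."""
    latest = latest_available_backup(summaries)
    if latest is None:
        return True
    return now - latest["BackupCreationDateTime"] > timedelta(days=max_age_days)

def backup_name_for(table_name, now):
    """Unique, sortable name so repeated runs never collide on BackupName."""
    return f"{table_name}-ondemand-{now:%Y%m%dT%H%M%SZ}"

def ensure_backup(table_name, client=None, now=None):
    """Live path (e.g. Lambda handler body): list USER backups, create one if due,
    return the new BackupArn, or None when a recent backup already exists."""
    import boto3  # assumption: boto3 is present in the Lambda/CI runtime
    client = client or boto3.client("dynamodb")
    now = now or datetime.now(timezone.utc)
    resp = client.list_backups(TableName=table_name, BackupType="USER")
    if not backup_is_due(resp.get("BackupSummaries", []), now):
        return None
    created = client.create_backup(TableName=table_name,
                                   BackupName=backup_name_for(table_name, now))
    return created["BackupDetails"]["BackupArn"]

# Constructed sample data shaped like list_backups output; not real AWS responses.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
STALE = [{"BackupName": "orders-ondemand-20240401T010000Z", "BackupStatus": "AVAILABLE",
          "BackupCreationDateTime": datetime(2024, 4, 1, 1, tzinfo=timezone.utc)}]
FRESH = STALE + [
    {"BackupName": "orders-ondemand-20240520T010000Z", "BackupStatus": "AVAILABLE",
     "BackupCreationDateTime": datetime(2024, 5, 20, 1, tzinfo=timezone.utc)},
    {"BackupName": "orders-ondemand-20240531T010000Z", "BackupStatus": "CREATING",
     "BackupCreationDateTime": datetime(2024, 5, 31, 1, tzinfo=timezone.utc)},
]
```

Wire ensure_backup() to an EventBridge schedule per table (or loop over list_tables()) so the check runs more often than the 30-day threshold; a backup still in CREATING state is deliberately not counted as coverage.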