🛡️ AWS DynamoDB Table Point In Time Recovery is not enabled🟢

• Contextual name: 🛡️ Table Point In Time Recovery is not enabled🟢
• ID: /ce/ca/aws/dynamodb/table-point-in-time-recovery
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS DynamoDB Table
  • 🔌 AWS DynamoDB Backup - object.extracts.yaml
  • 🔌 AWS Backup Recovery Point - object.extracts.yaml
  • 🔌 AWS DynamoDB Table - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled
• Internal: dec-x-a822159a

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-a822159a	1

Description

Open File

Description

This policy identifies AWS DynamoDB Tables that are not protected by Point-in-Time Recovery (PITR), an AWS Backup plan, or on-demand backups.

Point-in-Time Recovery is a fully managed, continuous backup feature that captures all changes to table data, enabling recovery to any second within the preceding 35-day retention window. PITR protects against accidental writes, deletions, and data corruption by allowing precise, time-based restoration.

Rationale

Enabling PITR provides an automated and resilient data protection mechanism without requiring manual backup workflows or third-party solutions. This capability improves data durability and reduces the Recovery Time Objective (RTO) in the event of data loss, operational errors, or unintended changes.

Impact

Enabling PITR incurs additional charges based on the total size of the DynamoDB table, including table data and any associated local secondary indexes.

Audit

This policy flags an AWS DynamoDB Table as INCOMPLIANT if the Point-in-Time Recovery Status is set to DISABLED.

... see more

Remediation

Open File

Remediation

Enable Point-in-Time Recovery

From Command Line

To enable Point-in-Time Recovery (PITR) for an existing DynamoDB table, use the following AWS CLI command:

aws dynamodb update-continuous-backups \
    --table-name {{table-name}} \
    --point-in-time-recovery-specification PointInTimeRecoveryEnabled=True

Using AWS CloudFormation

• CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Point-in-Time Recovery for an existing DynamoDB table

Parameters:
  TableName:
    Type: String
    Description: Name of the existing DynamoDB table

Resources:
  PointInTimeRecovery:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: !Ref TableName
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true
        RecoveryPeriodInDays: 35

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled		1	1		no data
💼 AWS Well-Architected → 💼 REL09-BP01 Identify and back up all data that needs to be backed up, or reproduce the data from sources			2		no data
💼 AWS Well-Architected → 💼 REL09-BP03 Perform data backup automatically			3		no data
💼 Cloudaware Framework → 💼 Data Protection and Recovery			21		no data
💼 FedRAMP High Security Controls → 💼 CP-6(2) Recovery Time and Recovery Point Objectives (H)			19		no data
💼 FedRAMP High Security Controls → 💼 CP-9 System Backup (L)(M)(H)	5	4	14		no data
💼 FedRAMP High Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)	2		20		no data
💼 FedRAMP High Security Controls → 💼 SI-12 Information Management and Retention (L)(M)(H)			7		no data
💼 FedRAMP Low Security Controls → 💼 CP-9 System Backup (L)(M)(H)			12		no data
💼 FedRAMP Low Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)			20		no data
💼 FedRAMP Low Security Controls → 💼 SI-12 Information Management and Retention (L)(M)(H)			7		no data
💼 FedRAMP Moderate Security Controls → 💼 CP-9 System Backup (L)(M)(H)	2		14		no data
💼 FedRAMP Moderate Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)	1		20		no data
💼 FedRAMP Moderate Security Controls → 💼 SI-12 Information Management and Retention (L)(M)(H)			7		no data
💼 NIST CSF v2.0 → 💼 ID.AM-07: Inventories of data and corresponding metadata for designated data types are maintained			7		no data
💼 NIST CSF v2.0 → 💼 ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles			27		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			187		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184		no data
💼 NIST CSF v2.0 → 💼 PR.DS-11: Backups of data are created, protected, maintained, and tested			15		no data
💼 NIST CSF v2.0 → 💼 RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process			20		no data
💼 NIST CSF v2.0 → 💼 RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed			20		no data
💼 NIST CSF v2.0 → 💼 RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration			9		no data
💼 NIST CSF v2.0 → 💼 RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed			20		no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-6(2) Alternate Storage Site _ Recovery Time and Recovery Point Objectives			19		no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-9 System Backup	8		11		no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-10 System Recovery and Reconstitution	6		20		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-5(2) Denial-of-service Protection _ Capacity, Bandwidth, and Redundancy			24		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-12 Information Management and Retention	3		7		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-13(5) Predictable Failure Prevention _ Failover Capability			19		no data