📝 AWS DynamoDB Table Point In Time Recovery is not enabled 🟢

Contextual name: 📝 Table Point In Time Recovery is not enabled 🟢
ID: /ce/ca/aws/dynamodb/table-point-in-time-recovery
Located in: 📁 AWS DynamoDB

Flags

Our Metadata

Policy Type: COMPLIANCE_POLICY
Policy Category:
- SECURITY

Similar Policies

AWS Security Hub
- [[DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled]([DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled (https://docs.aws.amazon.com/securityhub/latest/userguide/dynamodb-controls.html#dynamodb-2)]
Internal
- dec-x-a822159a

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-a822159a	1

Logic

🧠 prod.logic.yaml 🟢
- 📗 AWS DynamoDB Table
- 🔌 AWS DynamoDB Table - object.extracts.yaml
- 🧪 test-data.json

Description

Open File

Description

Ensure that Point-in-Time Recovery (PITR) is enabled for all Amazon DynamoDB tables. PITR is a fully managed, continuous backup feature that automatically records all changes to table data, allowing recovery to any second within the preceding 35-day retention window. It protects against accidental writes, deletes, and corruption by enabling precise, time-based data restoration.

Rationale

Enabling PITR provides an automated and resilient data protection mechanism without requiring manual backup workflows or third-party solutions.This enhances data durability and minimizes the Recovery Time Objective (RTO) in the event of data loss or operational errors.

Impact

Enabling PITR incurs additional charges based on the total size of the DynamoDB table, including table data and any associated local secondary indexes.

Audit

This policy marks an AWS DynamoDB Table as INCOMPLIANT if Point In Time Recovery Status is set to DISABLED.

Remediation

Open File

Remediation

From Command Line

To enable Point-in-Time Recovery (PITR) for an existing DynamoDB table, use the following AWS CLI command:

aws dynamodb update-continuous-backups \
    --table-name {{table-name}} \
    --point-in-time-recovery-specification PointInTimeRecoveryEnabled=True 

Using AWS CloudFormation

CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Point-in-Time Recovery for an existing DynamoDB table

Parameters:
  TableName:
    Type: String
    Description: Name of the existing DynamoDB table

Resources:
  PointInTimeRecovery:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: !Ref TableName
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true
        RecoveryPeriodInDays: 35

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled		1	1
💼 Cloudaware Framework → 💼 Data Protection and Recovery			16
💼 FedRAMP High Security Controls → 💼 CP-6(2) Recovery Time and Recovery Point Objectives (H)			4
💼 FedRAMP High Security Controls → 💼 CP-9 System Backup (L)(M)(H)	5	4	8
💼 FedRAMP High Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)	2		5
💼 FedRAMP High Security Controls → 💼 SI-12 Information Management and Retention (L)(M)(H)			2
💼 FedRAMP Low Security Controls → 💼 CP-9 System Backup (L)(M)(H)			7
💼 FedRAMP Low Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)			5
💼 FedRAMP Low Security Controls → 💼 SI-12 Information Management and Retention (L)(M)(H)			2
💼 FedRAMP Moderate Security Controls → 💼 CP-9 System Backup (L)(M)(H)	2		8
💼 FedRAMP Moderate Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)	1		5
💼 FedRAMP Moderate Security Controls → 💼 SI-12 Information Management and Retention (L)(M)(H)			2
💼 NIST CSF v2.0 → 💼 ID.AM-07: Inventories of data and corresponding metadata for designated data types are maintained			2
💼 NIST CSF v2.0 → 💼 ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles			21
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			114
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			108
💼 NIST CSF v2.0 → 💼 PR.DS-11: Backups of data are created, protected, maintained, and tested			9
💼 NIST CSF v2.0 → 💼 RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process			5
💼 NIST CSF v2.0 → 💼 RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed			5
💼 NIST CSF v2.0 → 💼 RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration			3
💼 NIST CSF v2.0 → 💼 RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed			5
💼 NIST SP 800-53 Revision 5 → 💼 CP-6(2) Alternate Storage Site _ Recovery Time and Recovery Point Objectives			4
💼 NIST SP 800-53 Revision 5 → 💼 CP-9 System Backup	8		4
💼 NIST SP 800-53 Revision 5 → 💼 CP-10 System Recovery and Reconstitution	6		5
💼 NIST SP 800-53 Revision 5 → 💼 SC-5(2) Denial-of-service Protection _ Capacity, Bandwidth, and Redundancy			4
💼 NIST SP 800-53 Revision 5 → 💼 SI-12 Information Management and Retention	3		2
💼 NIST SP 800-53 Revision 5 → 💼 SI-13(5) Predictable Failure Prevention _ Failover Capability			4

Flags​

Our Metadata​

Similar Policies​

Similar Internal Rules​

Logic​

Description​

Description​

Rationale​

Impact​

Audit​

Remediation​

Remediation​

From Command Line​

Using AWS CloudFormation​

policy.yaml​

Linked Framework Sections​

Flags

Our Metadata

Similar Policies

Similar Internal Rules

Logic

Description

Description

Rationale

Impact

Audit

Remediation

Remediation

From Command Line

Using AWS CloudFormation

policy.yaml

Linked Framework Sections