🛡️ AWS DynamoDB Table Point In Time Recovery is not enabled🟢

• Contextual name: 🛡️ Table Point In Time Recovery is not enabled🟢
• ID: /ce/ca/aws/dynamodb/table-point-in-time-recovery
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS DynamoDB Table
  • 🔌 AWS DynamoDB Table - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled
• Internal: dec-x-a822159a

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-a822159a	1

Description

Open File

Description

Ensure that Point-in-Time Recovery (PITR) is enabled for all Amazon DynamoDB tables. PITR is a fully managed, continuous backup feature that automatically records all changes to table data, allowing recovery to any second within the preceding 35-day retention window. It protects against accidental writes, deletes, and corruption by enabling precise, time-based data restoration.

Rationale

Enabling PITR provides an automated and resilient data protection mechanism without requiring manual backup workflows or third-party solutions.This enhances data durability and minimizes the Recovery Time Objective (RTO) in the event of data loss or operational errors.

Impact

Enabling PITR incurs additional charges based on the total size of the DynamoDB table, including table data and any associated local secondary indexes.

Audit

This policy marks an AWS DynamoDB Table as INCOMPLIANT if Point In Time Recovery Status is set to DISABLED.

If the DynamoDB Table is not ACTIVE, it is marked as INAPPLICABLE.

Remediation

Open File

Remediation

From Command Line

To enable Point-in-Time Recovery (PITR) for an existing DynamoDB table, use the following AWS CLI command:

aws dynamodb update-continuous-backups \
    --table-name {{table-name}} \
    --point-in-time-recovery-specification PointInTimeRecoveryEnabled=True 

Using AWS CloudFormation

• CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Point-in-Time Recovery for an existing DynamoDB table

Parameters:
  TableName:
    Type: String
    Description: Name of the existing DynamoDB table

Resources:
  PointInTimeRecovery:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: !Ref TableName
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true
        RecoveryPeriodInDays: 35

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled		1	1		no data
💼 AWS Well-Architected → 💼 REL09-BP01 Identify and back up all data that needs to be backed up, or reproduce the data from sources			2		no data
💼 AWS Well-Architected → 💼 REL09-BP03 Perform data backup automatically			3		no data
💼 Cloudaware Framework → 💼 Data Protection and Recovery			18		no data
💼 FedRAMP High Security Controls → 💼 CP-6(2) Recovery Time and Recovery Point Objectives (H)			12		no data
💼 FedRAMP High Security Controls → 💼 CP-9 System Backup (L)(M)(H)	5	4	10		no data
💼 FedRAMP High Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)	2		12		no data
💼 FedRAMP High Security Controls → 💼 SI-12 Information Management and Retention (L)(M)(H)			5		no data
💼 FedRAMP Low Security Controls → 💼 CP-9 System Backup (L)(M)(H)			9		no data
💼 FedRAMP Low Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)			12		no data
💼 FedRAMP Low Security Controls → 💼 SI-12 Information Management and Retention (L)(M)(H)			5		no data
💼 FedRAMP Moderate Security Controls → 💼 CP-9 System Backup (L)(M)(H)	2		10		no data
💼 FedRAMP Moderate Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)	1		12		no data
💼 FedRAMP Moderate Security Controls → 💼 SI-12 Information Management and Retention (L)(M)(H)			5		no data
💼 NIST CSF v2.0 → 💼 ID.AM-07: Inventories of data and corresponding metadata for designated data types are maintained			5		no data
💼 NIST CSF v2.0 → 💼 ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles			25		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			164		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			156		no data
💼 NIST CSF v2.0 → 💼 PR.DS-11: Backups of data are created, protected, maintained, and tested			12		no data
💼 NIST CSF v2.0 → 💼 RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process			12		no data
💼 NIST CSF v2.0 → 💼 RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed			12		no data
💼 NIST CSF v2.0 → 💼 RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration			6		no data
💼 NIST CSF v2.0 → 💼 RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed			12		no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-6(2) Alternate Storage Site _ Recovery Time and Recovery Point Objectives			12		no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-9 System Backup	8		7		no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-10 System Recovery and Reconstitution	6		12		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-5(2) Denial-of-service Protection _ Capacity, Bandwidth, and Redundancy			11		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-12 Information Management and Retention	3		5		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-13(5) Predictable Failure Prevention _ Failover Capability			11		no data