This rule ensures that each DynamoDB table is protected by a backup plan.
Rule | DynamoDB table should be protected by backup plan |
Framework | NIST Cybersecurity Framework (CSF) v1.1 |
Severity | ✔ High |
Ensure DynamoDB Table is Protected by Backup Plan for NIST CSF v1
Overview
Under the National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF), maintaining robust data backup practices is critical for enhancing an organization's resilience against data loss. DynamoDB, as a managed NoSQL database service provided by AWS, necessitates protection through periodic backups. This supports the framework's goal to maintain the integrity and availability of information.
Rule Description
This policy dictates that all Amazon DynamoDB tables must have a backup plan in place, which aligns with the NIST CSF requirement for maintaining data integrity and recoverability.
Troubleshooting Steps
If you have DynamoDB tables without backups, perform the following steps:
1. Verify Backup Status
First, check whether any backups exist for each DynamoDB table. You can do this in the AWS Management Console or with the AWS CLI.
For AWS CLI:
aws dynamodb list-backups --table-name YOUR_TABLE_NAME
Replace YOUR_TABLE_NAME with the name of your DynamoDB table.
2. Analyze Backup Configuration
If backups are present, verify that they are configured to run as per the organization's data retention policy and Recovery Point Objectives (RPOs).
Remediation Steps
To ensure compliance with the NIST CSF v1, you should automate the backup process.
Option 1: Enable AWS Backup
aws backup create-backup-plan --backup-plan '{
  "BackupPlanName": "DynamoDBBackupPlan",
  "Rules": [{
    "RuleName": "DailyBackup",
    "TargetBackupVaultName": "Default",
    "ScheduleExpression": "cron(0 5 ? * * *)",
    "StartWindowMinutes": 480,
    "CompletionWindowMinutes": 10080,
    "RecoveryPointTags": {
      "string": "string"
    },
    "Lifecycle": {
      "MoveToColdStorageAfterDays": 30,
      "DeleteAfterDays": 365
    },
    "CopyActions": [{
      "Lifecycle": {
        "MoveToColdStorageAfterDays": 30,
        "DeleteAfterDays": 365
      },
      "DestinationBackupVaultArn": "arn:aws:backup:us-east-1:123456789012:backup-vault:exampleBackupVault"
    }],
    "EnableContinuousBackup": false
  }]
}'
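This command creates a new backup plan whose ScheduleExpression runs a backup daily at 5 AM UTC. Creating the plan does not by itself protect any table: the tables must also be assigned to the plan through a backup selection (aws backup create-backup-selection).
Option 2: Enable Point-In-Time Recovery (PITR)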
aws dynamodb update-continuous-backups --table-name YOUR_TABLE_NAME --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true
Replace YOUR_TABLE_NAME with the name of your DynamoDB table. This command enables continuous backups for the table using the AWS CLI. PITR provides continuous backups of the DynamoDB table data for the last 35 days.
Backup Verification
After setting up the backup plan, you should regularly verify that the backups complete successfully as scheduled.
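One way to run that verification across every table in a region, as an added example that is not part of the original page. It assumes a configured AWS CLI, treats a table as covered by AWS Backup once list-protected-resources reports a recovery point for it, and uses hypothetical function names.

```shell
#!/bin/sh
# Added example: per-table backup coverage report for the current region.
# Function names are hypothetical; the aws subcommands are standard AWS CLI.

# Names of DynamoDB tables for which AWS Backup holds a recovery point.
protected_tables() {
  aws backup list-protected-resources \
    --query "Results[?ResourceType=='DynamoDB'].ResourceArn" --output text |
    tr '\t' '\n' | sed -n 's|.*:table/||p'
}

# Point-in-time recovery status of one table: ENABLED or DISABLED.
pitr_status() {
  aws dynamodb describe-continuous-backups --table-name "$1" \
    --query 'ContinuousBackupsDescription.PointInTimeRecoveryDescription.PointInTimeRecoveryStatus' \
    --output text </dev/null
}

# Print one line per table: "<table> backup=<yes|no> pitr=<status>".
audit_tables() {
  protected=$(protected_tables)
  aws dynamodb list-tables --query 'TableNames[]' --output text | tr '\t' '\n' |
  while read -r table; do
    [ -n "$table" ] || continue
    if printf '%s\n' "$protected" | grep -Fxq -- "$table"; then
      covered=yes
    else
      covered=no
    fi
    printf '%s backup=%s pitr=%s\n' "$table" "$covered" "$(pitr_status "$table")"
  done
}

# Tables with neither an AWS Backup recovery point nor PITR enabled.
unprotected_tables() {
  audit_tables | awk '$2 == "backup=no" && $3 != "pitr=ENABLED" { print $1 }'
}
```

Source the file and run audit_tables for the full report or unprotected_tables for the failing tables only. A table that was assigned to a plan but has not yet had its first scheduled backup still shows backup=no.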
Additional Notes
Maintaining backups and aligning with NIST CSF is not just about data protection but also contributes to a strategic cybersecurity stance. Regularly review and test your backup and recovery processes to ensure they meet current business requirements. Comprehensive backups are a key part of a multi-layered defense strategy and are critical to the recovery process in the event of data corruption or loss.