Rule: DynamoDB table should be protected by backup plan

Ensure the DynamoDB table is safeguarded by a backup plan to maintain data availability.

Rule: DynamoDB table should be protected by backup plan
Framework: SOC 2
Severity: High

DynamoDB Table Backup Plan for SOC 2 Compliance

When managing AWS DynamoDB tables, ensuring SOC 2 compliance involves implementing and maintaining a comprehensive backup plan. A backup plan is crucial to protect against data loss or corruption, and is essential for business continuity and disaster recovery processes.

Understanding the Rule

SOC 2 compliance is about managing data based on the five Trust Service Principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy. For DynamoDB tables, the primary concerns are often security and availability, which means that backup strategies are a significant factor in maintaining compliance.

Backup Requirements for SOC 2

  • Regular backups must be performed, ideally automated, to reduce the risk of data loss.
  • Backup data should be encrypted at rest.
  • Backups must be quickly restorable in case of an incident.
  • Maintain and test backup and restore procedures periodically.
  • Retain backup history logs for audit purposes.

Implementing a Backup Plan

Enabling Continuous Backups with Point-in-Time Recovery (PITR)

AWS DynamoDB supports Continuous Backups with Point-in-Time Recovery (PITR), which allows you to restore your table to any point in time within the last 35 days.

Step-by-Step Guide:

  1. Open the DynamoDB console at https://console.aws.amazon.com/dynamodb/.
  2. In the navigation pane, choose Tables.
  3. Choose the table you want to enable continuous backups for.
  4. In the Backups section, choose Enable under Point-in-Time recovery.

Using AWS CLI:

aws dynamodb update-continuous-backups --table-name YourTableName --point-in-time-recovery-specification PointInTimeRecoveryEnabled=True

On-Demand Backup

On-demand backups are full backups that are created at a specific point in time and are retained until you explicitly delete them.

Step-by-Step Guide:

  1. In the navigation pane, choose Tables.
  2. Select the table you want to back up.
  3. Choose Create backup in the Backups section.
  4. Enter a name for the backup and choose Create.

Using AWS CLI:

aws dynamodb create-backup --table-name YourTableName --backup-name YourBackupName

Automating Backups with AWS Backup

AWS Backup is a centralized backup service that enables you to automate backups across AWS services. For SOC 2 compliance, it is beneficial to utilize AWS Backup to manage and retain DynamoDB backups.

Step-by-Step Guide:

  1. Open the AWS Backup console at https://console.aws.amazon.com/backup/.
  2. Click Create a backup plan from a template.
  3. Choose a backup plan template that meets your SOC 2 requirements or create a custom plan.
  4. Set up a backup rule with a defined schedule, retention period, and lifecycle rules.
  5. Assign resources by specifying your DynamoDB table ARN.

Using AWS CLI, you can create a backup plan by defining a backup plan JSON file and running:

aws backup create-backup-plan --backup-plan file://backup-plan.json

Troubleshooting Steps

If you encounter issues with DynamoDB backups, consider the following troubleshooting tips:

  • Check IAM permissions to ensure your role has the dynamodb:CreateBackup, dynamodb:EnableContinuousBackups, and backup:CreateBackupPlan permissions.
  • Verify that the table exists and is active when setting up the backup.
  • Confirm that backups aren't being blocked by condition operators in IAM policies or by tag-based access control.
  • Review AWS CloudTrail logs for any failed backup API calls and their error messages.

Remediation and Verification

After setting up the backup plan, verify its functionality:

  1. View the backup by going to the DynamoDB or AWS Backup console.
  2. Practice restoring a table to validate the recovery process.
  3. Review the backup policies and ensure they align with SOC 2 requirements.
  4. Document the backup and restore procedure, as well as test results, for audit purposes.

Adhering to this plan is critical for SOC 2 compliance and should be monitored and reviewed on a scheduled basis to ensure continuous protection of DynamoDB data.
