DynamoDB table point-in-time recovery disabled

문서 > Datadog 보안 > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > DynamoDB table point-in-time recovery disabled

이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

Id: 0f04217d-488f-4e7a-bec8-f16159686cd6

Cloud Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Best Practices

Learn More

Provider Reference

Description

DynamoDB tables must have point-in-time recovery (PITR) enabled to allow restoration to a prior consistent state after accidental deletes, overwrites, or data corruption. Without PITR, you cannot restore to recent points in time, increasing the risk of permanent data loss and extended recovery time. Check AWS::DynamoDB::Table resources and ensure the Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled property is defined and set to true. Resources missing PointInTimeRecoverySpecification, missing the PointInTimeRecoveryEnabled field, or with PointInTimeRecoveryEnabled set to false will be flagged.

Secure configuration example:

MyDynamoTable:
  Type: AWS::DynamoDB::Table
  Properties:
    TableName: MyTable
    AttributeDefinitions:
      - AttributeName: id
        AttributeType: S
    KeySchema:
      - AttributeName: id
        KeyType: HASH
    BillingMode: PAY_PER_REQUEST
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: true

Compliant Code Examples

Resources:
  MyDynamoDBTable:
    Type: AWS::DynamoDB::Table
    Properties:
      PointInTimeRecoverySpecification: 
        PointInTimeRecoveryEnabled: true

{
  "Resources": {
    "DynamoDBOnDemandTable1": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {
        "BillingMode": "PAY_PER_REQUEST",
        "PointInTimeRecoverySpecification" : {
          "PointInTimeRecoveryEnabled" : true
        }
      }
    },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Sample CloudFormation template for DynamoDB with customer managed CMK"
  }
}

Non-Compliant Code Examples

Resources:
  MyDynamoDBTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: my-table

{
  "Resources": {
    "DynamoDBOnDemandTable1": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {
        "BillingMode": "PAY_PER_REQUEST",
        "PointInTimeRecoverySpecification" : {
          "PointInTimeRecoveryEnabled" : false
        }
      }
    },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Sample CloudFormation template for DynamoDB with customer managed CMK"
  }
}

Resources:
  MyDynamoDBTable:
    Type: AWS::DynamoDB::Table
    Properties:
      PointInTimeRecoverySpecification: {}