--- title: DynamoDB table Point-in-Time Recovery disabled description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > DynamoDB table Point-in-Time Recovery disabled --- # DynamoDB table Point-in-Time Recovery disabled {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-dynamodb-table-point-in-time-recovery-disabled` **Provider:** AWS **Platform:** Terraform **Severity:** Low **Category:** Best Practices #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table#point_in_time_recovery) ### Description{% #description %} It is a best practice to enable Point-in-Time Recovery (PITR) for DynamoDB tables to protect against accidental or malicious data loss. In Terraform, this is configured using the `point_in_time_recovery { enabled = true }` block. Leaving it as `enabled = false` means that deleted or corrupted data cannot be recovered to a previous state. Without PITR enabled, any accidental overwrite or deletion of table data can result in permanent loss, potentially impacting application availability or causing irreparable data integrity issues. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "aws_dynamodb_table" "basic-dynamodb-table" { name = "GameScores" billing_mode = "PROVISIONED" read_capacity = 20 write_capacity = 20 hash_key = "UserId" range_key = "GameTitle" point_in_time_recovery { enabled = true } attribute { name = "UserId" type = "S" } attribute { name = "GameTitle" type = "S" } attribute { name = "TopScore" type = "N" } ttl { attribute_name = "TimeToExist" enabled = false } global_secondary_index { name = "GameTitleIndex" hash_key = "GameTitle" range_key = "TopScore" write_capacity = 10 read_capacity = 10 projection_type = "INCLUDE" non_key_attributes = ["UserId"] } tags = { Name = "dynamodb-table-1" Environment = "production" } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform resource "aws_dynamodb_table" "basic-dynamodb-table" { name = "GameScores" billing_mode = "PROVISIONED" read_capacity = 20 write_capacity = 20 hash_key = "UserId" range_key = "GameTitle" point_in_time_recovery { enabled = false } attribute { name = "UserId" type = "S" } attribute { name = "GameTitle" type = "S" } attribute { name = "TopScore" type = "N" } ttl { attribute_name = "TimeToExist" enabled = false } global_secondary_index { name = "GameTitleIndex" hash_key = "GameTitle" range_key = "TopScore" write_capacity = 10 read_capacity = 10 projection_type = "INCLUDE" non_key_attributes = ["UserId"] } tags = { Name = "dynamodb-table-1" Environment = "production" } } ``` ```terraform resource "aws_dynamodb_table" "basic-dynamodb-table" { name = "GameScores" billing_mode = "PROVISIONED" read_capacity = 20 write_capacity = 20 hash_key = "UserId" range_key = "GameTitle" attribute { name = "UserId" type = "S" } attribute { name = "GameTitle" type = "S" } attribute { name = "TopScore" type = "N" } ttl { attribute_name = "TimeToExist" enabled = false } global_secondary_index { name = "GameTitleIndex" hash_key = "GameTitle" range_key = "TopScore" write_capacity = 10 read_capacity = 10 projection_type = "INCLUDE" non_key_attributes = ["UserId"] } tags = { Name = "dynamodb-table-1" Environment = "production" } } ```