DynamoDB Table Point-in-Time Recovery (PITR) Enabled
Overview
This check verifies that your DynamoDB tables have Point-in-Time Recovery (PITR) enabled. PITR provides continuous backups of your table data, allowing you to restore your table to any point in time within the last 35 days.
Risk
If Point-in-Time Recovery is not enabled:
- Data loss from mistakes: Accidental deletions or overwrites cannot be undone
- No protection from faulty code: Bad deployments or batch job errors can permanently corrupt your data
- Security incident recovery: Compromised credentials could lead to malicious data changes with no way to roll back
- Extended outages: Without PITR, recovering from data issues requires manual intervention and may not be possible at all
Severity: Medium
Remediation Steps
Prerequisites
You need permission to modify DynamoDB table backup settings. This typically requires the dynamodb:UpdateContinuousBackups permission or an administrator role.
Required IAM permissions (for restricted accounts)
If you do not have full administrator access, ensure your IAM role or user has these permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:UpdateContinuousBackups",
        "dynamodb:DescribeContinuousBackups",
        "dynamodb:DescribeTable"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:*:table/*"
    }
  ]
}
AWS Console Method
- Sign in to the AWS Management Console
- Navigate to DynamoDB (search for "DynamoDB" in the top search bar)
- In the left sidebar, click Tables
- Click on the table name you want to protect
- Select the Backups tab
- In the Point-in-time recovery (PITR) section, click Edit
- Toggle Point-in-time recovery to On
- Click Save changes
PITR is now enabled. Your table can be restored to any point within the last 35 days.
AWS CLI (optional)
Enable PITR on a table
aws dynamodb update-continuous-backups \
--table-name <your-table-name> \
--point-in-time-recovery-specification PointInTimeRecoveryEnabled=true \
--region us-east-1
Example with a specific table
aws dynamodb update-continuous-backups \
--table-name orders-table \
--point-in-time-recovery-specification PointInTimeRecoveryEnabled=true \
--region us-east-1
Expected output
{
  "ContinuousBackupsDescription": {
    "ContinuousBackupsStatus": "ENABLED",
    "PointInTimeRecoveryDescription": {
      "PointInTimeRecoveryStatus": "ENABLED",
      "EarliestRestorableDateTime": 1576622404.0,
      "LatestRestorableDateTime": 1576622404.0
    }
  }
}
Enable PITR on all tables in a region
for table in $(aws dynamodb list-tables --region us-east-1 --query 'TableNames[]' --output text); do
  echo "Enabling PITR for table: $table"
  aws dynamodb update-continuous-backups \
    --table-name "$table" \
    --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true \
    --region us-east-1
done
CloudFormation (optional)
DynamoDB table with PITR enabled
AWSTemplateFormatVersion: '2010-09-09'
Description: DynamoDB table with Point-in-Time Recovery enabled
Parameters:
  TableName:
    Type: String
    Description: Name of the DynamoDB table
    Default: my-table
Resources:
  DynamoDBTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: !Ref TableName
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: id
          AttributeType: S
      KeySchema:
        - AttributeName: id
          KeyType: HASH
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true
      Tags:
        - Key: Environment
          Value: Production
        - Key: ManagedBy
          Value: CloudFormation
Outputs:
  TableArn:
    Description: ARN of the DynamoDB table
    Value: !GetAtt DynamoDBTable.Arn
  TableName:
    Description: Name of the DynamoDB table
    Value: !Ref DynamoDBTable
Deploy the stack
aws cloudformation deploy \
--template-file dynamodb-pitr.yaml \
--stack-name dynamodb-pitr-stack \
--parameter-overrides TableName=my-table \
--region us-east-1
Update an existing table
If you have an existing CloudFormation-managed table without PITR, add the PointInTimeRecoverySpecification block under the table's Properties in your template:
PointInTimeRecoverySpecification:
  PointInTimeRecoveryEnabled: true
Then update your stack:
aws cloudformation update-stack \
--stack-name your-existing-stack \
--template-body file://your-template.yaml \
--region us-east-1
Terraform (optional)
DynamoDB table with PITR enabled
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_dynamodb_table" "main" {
  name         = "my-table"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "id"

  attribute {
    name = "id"
    type = "S"
  }

  point_in_time_recovery {
    enabled = true
  }

  tags = {
    Environment = "Production"
    ManagedBy   = "Terraform"
  }
}

output "table_arn" {
  description = "ARN of the DynamoDB table"
  value       = aws_dynamodb_table.main.arn
}
Enable PITR on an existing table
If you have an existing Terraform-managed table, add the point_in_time_recovery block:
resource "aws_dynamodb_table" "existing" {
  # ... existing configuration ...

  point_in_time_recovery {
    enabled = true
  }
}
Deploy with Terraform
terraform init
terraform plan
terraform apply
Verification
After enabling PITR, confirm it is active:
- In the AWS Console, go to DynamoDB > Tables
- Click on your table name
- Select the Backups tab
- Under Point-in-time recovery (PITR), verify it shows Enabled
- Note the Earliest restorable time and Latest restorable time values
CLI verification commands
Check PITR status for a specific table
aws dynamodb describe-continuous-backups \
--table-name <your-table-name> \
--region us-east-1
Expected output when PITR is enabled
{
  "ContinuousBackupsDescription": {
    "ContinuousBackupsStatus": "ENABLED",
    "PointInTimeRecoveryDescription": {
      "PointInTimeRecoveryStatus": "ENABLED",
      "EarliestRestorableDateTime": "2024-01-15T10:30:00+00:00",
      "LatestRestorableDateTime": "2024-01-20T14:25:00+00:00"
    }
  }
}
Check PITR status for all tables
for table in $(aws dynamodb list-tables --region us-east-1 --query 'TableNames[]' --output text); do
  status=$(aws dynamodb describe-continuous-backups \
    --table-name "$table" \
    --region us-east-1 \
    --query 'ContinuousBackupsDescription.PointInTimeRecoveryDescription.PointInTimeRecoveryStatus' \
    --output text)
  echo "$table: $status"
done
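The two bulk loops on this page (enabling PITR on every table under "AWS CLI", and checking the status of every table just above) can be folded into one audit-and-remediate script. The following Python is an added example and is not code from the original page or from AWS. It assumes the DescribeContinuousBackups response shape shown in the expected-output blocks, treats RecoveryPeriodInDays as an optional field, and only calls boto3 (the paginated ListTables operation, DescribeContinuousBackups and UpdateContinuousBackups) when that library is installed; otherwise it evaluates constructed sample responses embedded in the file. The sample table names are made up.

```python
# Added example (not from the original page): audit DynamoDB tables for PITR and
# plan remediation. Assumes the DescribeContinuousBackups response shape shown above.
from __future__ import annotations

import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Iterable, Mapping

EXPECTED_RECOVERY_DAYS = 35  # default window described on the page


@dataclass(frozen=True)
class Finding:
    table: str
    status: str          # PointInTimeRecoveryStatus, or "UNKNOWN" if absent
    compliant: bool
    window_hours: float  # LatestRestorableDateTime minus EarliestRestorableDateTime
    reason: str


def _to_datetime(value: Any) -> datetime | None:
    """Accept epoch floats (CLI v1, first expected output), ISO-8601 strings
    (CLI v2, verification output) or datetime objects (boto3)."""
    if value is None:
        return None
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(float(value), tz=timezone.utc)
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))


def evaluate_pitr(table: str, description: Mapping[str, Any]) -> Finding:
    """Classify one DescribeContinuousBackups response; missing keys mean UNKNOWN."""
    backups = description.get("ContinuousBackupsDescription") or {}
    pitr = backups.get("PointInTimeRecoveryDescription") or {}
    status = pitr.get("PointInTimeRecoveryStatus", "UNKNOWN")
    if status != "ENABLED":
        return Finding(table, status, False, 0.0, "PITR is not enabled")
    earliest = _to_datetime(pitr.get("EarliestRestorableDateTime"))
    latest = _to_datetime(pitr.get("LatestRestorableDateTime"))
    window_hours = (latest - earliest).total_seconds() / 3600.0 if earliest and latest else 0.0
    period = pitr.get("RecoveryPeriodInDays")  # optional field (assumption)
    if period is not None and int(period) < EXPECTED_RECOVERY_DAYS:
        return Finding(table, status, True, window_hours,
                       f"PITR enabled but recovery period is {period} days")
    # Right after enabling, Earliest == Latest (see the first expected output):
    # the window grows over time, so a zero-hour window is not a failure.
    note = "window still building" if window_hours < 1 else f"{window_hours:.1f}h restorable"
    return Finding(table, status, True, window_hours, f"PITR enabled; {note}")


def plan_remediation(findings: Iterable[Finding]) -> list[str]:
    """Names of tables that still need update-continuous-backups, sorted."""
    return sorted(f.table for f in findings if not f.compliant)


def audit_region(client: Any, remediate: bool = False) -> list[Finding]:
    """Walk every table with the ListTables paginator (boto3's list_tables
    returns at most 100 names per call) and optionally enable PITR."""
    findings: list[Finding] = []
    for page in client.get_paginator("list_tables").paginate():
        for name in page.get("TableNames", []):
            finding = evaluate_pitr(name, client.describe_continuous_backups(TableName=name))
            if remediate and not finding.compliant:
                try:
                    client.update_continuous_backups(
                        TableName=name,
                        PointInTimeRecoverySpecification={"PointInTimeRecoveryEnabled": True})
                    finding = evaluate_pitr(name, client.describe_continuous_backups(TableName=name))
                except client.exceptions.ContinuousBackupsUnavailableException as exc:
                    # Raised while the table is not ACTIVE (still being created or updated).
                    finding = Finding(name, finding.status, False, 0.0, f"retry later: {exc}")
            findings.append(finding)
    return findings


def _sample(status: str, earliest: Any = None, latest: Any = None) -> dict:
    """Build a constructed response in the shape the page's expected outputs show."""
    pitr: dict[str, Any] = {"PointInTimeRecoveryStatus": status}
    if earliest is not None:
        pitr.update(EarliestRestorableDateTime=earliest, LatestRestorableDateTime=latest)
    return {"ContinuousBackupsDescription": {"ContinuousBackupsStatus": "ENABLED",
                                             "PointInTimeRecoveryDescription": pitr}}


# Constructed samples: CLI v2 ISO output, CLI v1 epoch output just after enabling, PITR off.
SAMPLE_RESPONSES = {
    "orders-table": _sample("ENABLED", "2024-01-15T10:30:00+00:00", "2024-01-20T14:25:00+00:00"),
    "just-enabled": _sample("ENABLED", 1576622404.0, 1576622404.0),
    "sessions-table": _sample("DISABLED"),
}

if __name__ == "__main__":  # live run needs boto3 and credentials; otherwise use the samples
    try:
        import boto3
        results = audit_region(boto3.client("dynamodb", region_name="us-east-1"),
                               remediate="--remediate" in sys.argv)
    except ImportError:
        results = [evaluate_pitr(t, r) for t, r in SAMPLE_RESPONSES.items()]
    for f in results:
        print(f"{f.table}: {f.status} ({f.reason})")
    print("needs remediation:", plan_remediation(results))
```

Run it without arguments to report, or with --remediate to call update-continuous-backups on every table that reports anything other than ENABLED. A table that was enabled moments ago reports identical earliest and latest restorable times, as the first expected-output block shows, so the script counts it as compliant with a "window still building" note rather than as a failure; a table that is still being created raises ContinuousBackupsUnavailableException and is reported for a later retry instead of aborting the whole run.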
Additional Resources
- DynamoDB Point-in-Time Recovery: How It Works
- DynamoDB Point-in-Time Recovery Tutorial
- Restoring a DynamoDB Table to a Point in Time
- DynamoDB Backup and Restore Pricing
Notes
- Recovery window: PITR allows restores to any second within the last 35 days (the recovery period is configurable between 1 and 35 days)
- Latest restorable time: Typically 5 minutes before the current time due to the backup process
- Restores create new tables: When you restore from PITR, a new table is created with a name you specify. The original table remains unchanged.
- Cost: PITR incurs additional storage costs based on the size of your table and change rate. See DynamoDB pricing for details.
- Global tables: For DynamoDB global tables, PITR must be enabled on each replica table separately.
- On-demand backups: Consider combining PITR with on-demand backups for important milestones (e.g., before major releases) for longer retention.
- Access controls: Implement least-privilege access to backup settings using IAM policies to prevent unauthorized changes to PITR configuration.