Lack of protection against deletion - DynamoDB - Aws

Lack of protection against deletion - DynamoDB - Aws

Need

Implementation of data backup and recovery mechanisms for DynamoDB instances

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of aws-sdk for interacting with Amazon Web Services (AWS) services

Description

Non compliant code

        resource "aws_dynamodb_table" "basic-dynamodb-table" {
  name           = "GameScores"
  hash_key       = "UserId"
  range_key      = "GameTitle"
  read_capacity  = 20
  write_capacity = 20

  attribute {
    name = "UserId"
    type = "N"
  }

  attribute {
    name = "GameTitle"
    type = "S"
  }
}
        
        

This code represents a DynamoDB table creation using Terraform. The table is named "GameScores" and it has two attributes, "UserId" (numeric type) and "GameTitle" (string type). The capacity for read and write operations is set to 20 units.

However, this code is vulnerable due to the lack of protection against deletion. If the table is accidentally deleted, all the data it contains will be lost permanently, as there are no recovery points in time configured.

The aws_dynamodb_table resource doesn't have any settings for backup or point-in-time recovery (PITR). This means that once the table is deleted, there's no way to recover the data. This could lead to serious consequences, especially if the table contains critical data.

To fix this vulnerability, it would be necessary to enable the point-in-time recovery (PITR) option for the DynamoDB table. This can be done by adding the point_in_time_recovery block into the aws_dynamodb_table resource.

Steps

  • Enable point-in-time recovery for the DynamoDB table
  • Configure the recovery window to retain data for a sufficient period of time
  • Regularly backup the DynamoDB table to a separate storage solution
  • Implement access controls to prevent unauthorized deletion of the DynamoDB table

Compliant code

        resource "aws_dynamodb_table" "basic-dynamodb-table" {
  name           = "GameScores"
  hash_key       = "UserId"
  range_key      = "GameTitle"
  read_capacity  = 20
  write_capacity = 20
  point_in_time_recovery {
    enabled = true
  }

  attribute {
    name = "UserId"
    type = "N"
  }

  attribute {
    name = "GameTitle"
    type = "S"
  }
}
        
        

The updated code includes the point_in_time_recovery block with enabled = true within the aws_dynamodb_table resource. This enables the point-in-time recovery (PITR) feature for the DynamoDB table, which provides continuous backups of your table data for the last 35 days. This feature allows you to restore that table to any point in time during the last 35 days.

This feature is crucial for protecting against accidental write or delete operations. If any unintended DML operation occurs, you can restore the table to a point in time before the operation took place.

In addition to enabling PITR, it's also recommended to regularly backup the DynamoDB table to a separate storage solution and implement access controls to prevent unauthorized deletion of the DynamoDB table. These steps provide additional layers of protection for your data.

References