logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

Lack of protection against deletion - DynamoDB - Aws

Need

Implementation of data backup and recovery mechanisms for DynamoDB instances

Context

  1. Usage of Terraform for Infrastructure as Code (IaC)
  2. Usage of aws-sdk for interacting with Amazon Web Services (AWS) services

Description

Insecure Code Example

resource "aws_dynamodb_table" "basic-dynamodb-table" {
  name           = "GameScores"
  hash_key       = "UserId"
  range_key      = "GameTitle"
  read_capacity  = 20
  write_capacity = 20

  attribute {
    name = "UserId"
    type = "N"
  }

  attribute {
    name = "GameTitle"
    type = "S"
  }
}

This code represents a DynamoDB table creation using Terraform. The table is named "GameScores" and it has two attributes, "UserId" (numeric type) and "GameTitle" (string type). The capacity for read and write operations is set to 20 units. However, this code is vulnerable due to the lack of protection against deletion. If the table is accidentally deleted, all the data it contains will be lost permanently, as there are no recovery points in time configured. The `aws_dynamodb_table` resource doesn't have any settings for backup or point-in-time recovery (PITR). This means that once the table is deleted, there's no way to recover the data. This could lead to serious consequences, especially if the table contains critical data. To fix this vulnerability, it would be necessary to enable the point-in-time recovery (PITR) option for the DynamoDB table. This can be done by adding the `point_in_time_recovery` block into the `aws_dynamodb_table` resource.

Steps

  1. Enable point-in-time recovery for the DynamoDB table
  2. Configure the recovery window to retain data for a sufficient period of time
  3. Regularly backup the DynamoDB table to a separate storage solution
  4. Implement access controls to prevent unauthorized deletion of the DynamoDB table

Secure Code Example

resource "aws_dynamodb_table" "basic-dynamodb-table" {
  name           = "GameScores"
  hash_key       = "UserId"
  range_key      = "GameTitle"
  read_capacity  = 20
  write_capacity = 20
  point_in_time_recovery {
    enabled = true
  }

  attribute {
    name = "UserId"
    type = "N"
  }

  attribute {
    name = "GameTitle"
    type = "S"
  }
}

The updated code includes the `point_in_time_recovery` block with `enabled = true` within the `aws_dynamodb_table` resource. This enables the point-in-time recovery (PITR) feature for the DynamoDB table, which provides continuous backups of your table data for the last 35 days. This feature allows you to restore that table to any point in time during the last 35 days. This feature is crucial for protecting against accidental write or delete operations. If any unintended DML operation occurs, you can restore the table to a point in time before the operation took place. In addition to enabling PITR, it's also recommended to regularly backup the DynamoDB table to a separate storage solution and implement access controls to prevent unauthorized deletion of the DynamoDB table. These steps provide additional layers of protection for your data.

References

  • 259 - Lack of protection against deletion - DynamoDB

    • Last updated

    2023/09/18