
Lack of protection against deletion - DynamoDB - CloudFormation


Need

Implementation of data backup and recovery mechanisms for DynamoDB tables


Context

  1. Usage of AWS CloudFormation for Infrastructure as Code (IaC)
  2. Usage of AWS SDK for interacting with Amazon Web Services (AWS) services

Description

Insecure Code Example

Resources:
  BasicDynamoDBTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: GameScores
      AttributeDefinitions:
        - AttributeName: UserId
          AttributeType: N
        - AttributeName: GameTitle
          AttributeType: S
      KeySchema:
        - AttributeName: UserId
          KeyType: HASH
        - AttributeName: GameTitle
          KeyType: RANGE
      ProvisionedThroughput:
        ReadCapacityUnits: 20
        WriteCapacityUnits: 20

This template creates a DynamoDB table named "GameScores" with a composite primary key: "UserId" (number) is the partition key and "GameTitle" (string) is the sort key. Provisioned throughput is set to 20 read and 20 write capacity units. The table has no protection against deletion. The `AWS::DynamoDB::Table` resource carries no `PointInTimeRecoverySpecification`, so DynamoDB keeps no continuous backups and there is no recovery point to restore from. If the table is deleted, whether by an accidental `DeleteTable` call, by deleting the stack, or by a template change that removes or replaces the resource, all of its data is lost permanently; the same applies to unintended writes or deletes of individual items, which cannot be rolled back. The impact scales with how critical the data in the table is. To fix this, enable point-in-time recovery (PITR) by adding the `PointInTimeRecoverySpecification` property to the `AWS::DynamoDB::Table` resource.

Steps

  1. Enable point-in-time recovery for the DynamoDB table
  2. Configure the recovery window to retain data for a sufficient period of time (DynamoDB keeps continuous backups for up to 35 days)
  3. Regularly back up the DynamoDB table to a separate storage solution, such as on-demand backups copied to another account or region
  4. Implement access controls to prevent unauthorized deletion of the DynamoDB table, for example an IAM policy that denies `dynamodb:DeleteTable` to all but a break-glass role

Secure Code Example

Resources:
  BasicDynamoDBTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: GameScores
      AttributeDefinitions:
        - AttributeName: UserId
          AttributeType: N
        - AttributeName: GameTitle
          AttributeType: S
      KeySchema:
        - AttributeName: UserId
          KeyType: HASH
        - AttributeName: GameTitle
          KeyType: RANGE
      ProvisionedThroughput:
        ReadCapacityUnits: 20
        WriteCapacityUnits: 20
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true

The updated template adds the `PointInTimeRecoverySpecification` block with `PointInTimeRecoveryEnabled: true` to the `AWS::DynamoDB::Table` resource. This enables point-in-time recovery (PITR): DynamoDB keeps continuous backups of the table data for the preceding 35 days and can restore the table to any second within that window. A restore always creates a new table; the original is never modified in place, and settings that are not part of the data (IAM policies, auto scaling configuration, CloudWatch alarms, tags, TTL and stream settings) must be reapplied to the restored table. PITR protects against unintended write, update and delete operations: if one occurs, restore the table to a point in time before it took place. When a table with PITR enabled is deleted, DynamoDB also keeps a system backup taken at the moment of deletion for 35 days, which is what makes a deleted table recoverable. PITR does not stop the deletion itself. To block it, set the table's `DeletionProtectionEnabled` property to `true`, which makes `DeleteTable` calls fail, and give the resource `DeletionPolicy: Retain` (and `UpdateReplacePolicy: Retain` for changes that force a replacement) so that CloudFormation keeps the table when the stack is deleted or the resource is removed from the template. In addition, back the table up regularly to a separate storage solution and restrict who can call `dynamodb:DeleteTable`. These controls provide additional layers of protection for your data.
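The insecure and secure templates above are easy to tell apart mechanically. The following Python script is an added example, not code from this page or from AWS: it lints a CloudFormation template for `AWS::DynamoDB::Table` resources that can be deleted without a recovery path. It checks the page's fix (`PointInTimeRecoveryEnabled`) and, as an assumption of this example that goes beyond the page's template, the controls that actually block a delete: the `DeletionProtectionEnabled` table property and the `DeletionPolicy` / `UpdateReplacePolicy` resource attributes. The two templates are constructed here, mirror the GameScores table, and are embedded as JSON (CloudFormation's native alternative to YAML) so the script runs offline with only the standard library.

```python
"""Static check: flag AWS::DynamoDB::Table resources that can be deleted
without a recovery path.

Added example, not code from the original page. Templates are constructed
for this example as JSON so the check runs with only the standard library.
"""
import json

# Constructed sample: the GameScores table properties from the page.
_GAME_SCORES = {
    "TableName": "GameScores",
    "AttributeDefinitions": [
        {"AttributeName": "UserId", "AttributeType": "N"},
        {"AttributeName": "GameTitle", "AttributeType": "S"},
    ],
    "KeySchema": [
        {"AttributeName": "UserId", "KeyType": "HASH"},
        {"AttributeName": "GameTitle", "KeyType": "RANGE"},
    ],
    "ProvisionedThroughput": {"ReadCapacityUnits": 20, "WriteCapacityUnits": 20},
}

# The page's insecure template: the table with no recovery or deletion controls.
INSECURE_TEMPLATE = json.dumps({"Resources": {"BasicDynamoDBTable": {
    "Type": "AWS::DynamoDB::Table",
    "Properties": _GAME_SCORES,
}}})

# Hardened form: PITR as on the page, plus controls that are assumptions of
# this example (not in the page's template): DeletionProtectionEnabled makes
# DeleteTable fail at the API; DeletionPolicy / UpdateReplacePolicy keep the
# table when the stack is deleted or CloudFormation would replace the resource.
SECURE_TEMPLATE = json.dumps({"Resources": {"BasicDynamoDBTable": {
    "Type": "AWS::DynamoDB::Table",
    "DeletionPolicy": "Retain",
    "UpdateReplacePolicy": "Retain",
    "Properties": {
        **_GAME_SCORES,
        "PointInTimeRecoverySpecification": {"PointInTimeRecoveryEnabled": True},
        "DeletionProtectionEnabled": True,
    },
}}})


def _is_true(value):
    """CloudFormation accepts booleans either as true or as the string "true"."""
    return value is True or (isinstance(value, str) and value.lower() == "true")


def check_dynamodb_tables(template_text):
    """Return {logical_id: [finding, ...]} for every DynamoDB table.

    An empty list means the table has every protection this check knows about.
    """
    template = json.loads(template_text)
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::DynamoDB::Table":
            continue
        props = resource.get("Properties") or {}
        pitr = props.get("PointInTimeRecoverySpecification") or {}
        problems = []
        if not _is_true(pitr.get("PointInTimeRecoveryEnabled")):
            problems.append("PointInTimeRecoveryEnabled is not true: no continuous "
                            "backups, so deleted or overwritten data cannot be restored")
        if not _is_true(props.get("DeletionProtectionEnabled")):
            problems.append("DeletionProtectionEnabled is not true: DeleteTable calls succeed")
        # RetainExceptOnCreate is only valid for DeletionPolicy.
        if resource.get("DeletionPolicy") not in ("Retain", "RetainExceptOnCreate"):
            problems.append("DeletionPolicy is not Retain: deleting the stack or "
                            "removing the resource deletes the table")
        if resource.get("UpdateReplacePolicy") != "Retain":
            problems.append("UpdateReplacePolicy is not Retain: an update that forces "
                            "replacement (e.g. a new TableName) deletes the old table")
        findings[logical_id] = problems
    return findings


def is_protected(template_text):
    """True when every DynamoDB table in the template passes all checks."""
    return all(not p for p in check_dynamodb_tables(template_text).values())


if __name__ == "__main__":
    for label, text in (("insecure", INSECURE_TEMPLATE), ("secure", SECURE_TEMPLATE)):
        print(f"== {label} template: protected={is_protected(text)}")
        for logical_id, problems in check_dynamodb_tables(text).items():
            for problem in problems:
                print(f"  {logical_id}: {problem}")
```

Run it as a pre-deploy gate next to cfn-lint. For YAML templates, convert to JSON first (for example with cfn-flip, which handles the `!Ref`/`!GetAtt` short-form tags that a plain YAML loader rejects) and pass the resulting text to `check_dynamodb_tables`.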


References

  • 259 - Lack of protection against deletion - DynamoDB

Last updated: 2025/04/04