Terraform Point In Time Recovery Disabled
Description
Detects AWS DynamoDB tables configured without point-in-time recovery enabled in Terraform configurations. Point-in-time recovery provides continuous backups of DynamoDB table data; when it is disabled, the table cannot be restored to a specific point in time, which increases the risk of data loss during incidents.
Detection Strategy
• Inspects Terraform resource blocks defining AWS DynamoDB tables ('aws_dynamodb_table')
• Checks if point-in-time recovery configuration is explicitly disabled or missing
• Reports a security issue when a DynamoDB table resource is found without point-in-time recovery enabled
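As an added example (not Fluid Attacks' own rule code), the detection strategy above implemented as a small Python scanner: it locates aws_dynamodb_table resource blocks, looks for a point_in_time_recovery block with enabled = true, and reports the table when the block is missing, has no enabled attribute, or sets it to false. It uses a brace-matching scan rather than a full HCL parser, and the Terraform sample it runs over is constructed for the example.

```python
import re
# Constructed sample (not from the original page): two non-compliant tables, one
# unrelated resource the scanner must ignore, and one compliant table.
SAMPLE_TF = '''
resource "aws_dynamodb_table" "disabled_table" {
  hash_key = "Id"
  point_in_time_recovery {
    enabled = false
  }
}
resource "aws_dynamodb_table" "missing_table" {
  hash_key = "Id" # no point_in_time_recovery block at all
}
resource "aws_s3_bucket" "logs" {
  bucket = "my-logs"
}
resource "aws_dynamodb_table" "secure_table" {
  hash_key = "Id"
  point_in_time_recovery {
    enabled = true
  }
}
'''
RESOURCE_RE = re.compile(r'resource\s+"aws_dynamodb_table"\s+"([^"]+)"\s*\{')
PITR_RE = re.compile(r'point_in_time_recovery\s*\{([^}]*)\}')
ENABLED_RE = re.compile(r'\benabled\s*=\s*(true|false)\b')

def extract_block(text, start):
    # Return the text between the '{' at index start and its matching '}'.
    depth = 0
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start + 1:i]
    raise ValueError("unbalanced braces in Terraform source")

def find_tables_without_pitr(tf_text):
    # Names of aws_dynamodb_table resources whose PITR is disabled or missing.
    stripped = re.sub(r"#[^\n]*", "", tf_text)  # drop comments so stray braces don't skew depth
    findings = []
    for match in RESOURCE_RE.finditer(stripped):
        body = extract_block(stripped, match.end() - 1)
        pitr = PITR_RE.search(body)
        enabled = ENABLED_RE.search(pitr.group(1)) if pitr else None
        if enabled is None or enabled.group(1) != "true":  # absent block, no 'enabled', or false
            findings.append(match.group(1))
    return findings
```

Running it over the sample reports disabled_table and missing_table while the S3 bucket and the compliant table are left alone; a `#` inside a quoted string value would also be stripped by the comment filter, which is acceptable for this scan.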
Vulnerable code example
resource "aws_dynamodb_table" "vulnerable_table" {
  name           = "MyTable"
  billing_mode   = "PROVISIONED"
  read_capacity  = 5
  write_capacity = 5
  hash_key       = "Id"

  point_in_time_recovery {
    enabled = false # PITR explicitly disabled: the table cannot be restored to a point in time
  }
}

✅ Secure code example
resource "aws_dynamodb_table" "secure_table" {
  name                        = "MyTable"
  billing_mode                = "PROVISIONED"
  read_capacity               = 5
  write_capacity              = 5
  hash_key                    = "Id"
  deletion_protection_enabled = true # Protect against accidental deletion

  point_in_time_recovery {
    enabled = true # Continuous backups: the table can be restored to a point in time
  }
}