Restore a Amazon DynamoDB table
Use the Amazon Backup console to restore DynamoDB recovery points
To restore a DynamoDB table
Open the Amazon Backup console at https://console.amazonaws.cn/backup
. -
In the navigation pane, choose Protected resources and the DynamoDB resource ID you want to restore.
-
On the Resource details page, a list of recovery points for the selected resource ID is shown. To restore a resource, in the Backups pane, choose the radio button next to the recovery point ID of the resource. In the upper-right corner of the pane, choose Restore.
-
For Settings, New table name text field, enter a new table name.
-
For Restore role, choose the IAM role that Amazon Backup will assume for this restore.
-
For Encryption settings:
-
If your backup is managed by DynamoDB (its ARN begins with
arn:aws:dynamodb
), Amazon Backup encrypts your restored table using an Amazon-owned key.To choose a different key to encrypt your restored table, you can either use the Amazon Backup StartRestoreJob operation or perform the restore from the DynamoDB console.
-
If your backup supports full Amazon Backup management (its ARN begins with
arn:aws:backup
), you can choose any of the following encryption options to protect your restored table:-
(Default) DynamoDB-owned KMS key (no additional charge for encryption)
-
DynamoDB-managed KMS key (KMS charges apply)
-
Customer-managed KMS key (KMS charges apply)
"DynamoDB-owned" and "DynamoDB-managed" keys are the same as "Amazon-owned" and "Amazon-managed" keys, respectively. For clarification, see Encryption at Rest: How It Works in the Amazon DynamoDB Developer Guide.
For more information about full Amazon Backup management, see Advanced DynamoDB backup.
-
Note
The following guidance applies only if you restore a copied backup AND want to encrypt the restored table with the same key you used to encrypt your original table.
When restoring a cross-Region backup, to encrypt your restored table using the same key you used to encrypt your original table, your key must be a multi-Region key. Amazon-owned and Amazon-managed keys are not multi-Region keys. To learn more, see Multi-Region keys in the Amazon Key Management Service Developer Guide.
When restoring a cross-account backup, to encrypt your restored table using the same key you used to encrypt your original table, you must share the key in your source account with your destination account. Amazon-owned and Amazon-managed keys cannot be shared between accounts. To learn more, see Allowing users in other accounts to use a KMS key in the Amazon Key Management Service Developer Guide.
-
-
Choose Restore backup.
The Restore jobs pane appears. A message at the top of the page provides information about the restore job.
Use the Amazon Backup API, CLI, or SDK to restore DynamoDB recovery points
Use StartRestoreJob
.
You can specify the following metadata during any DynamoDB restore. The
metadata is not case-sensitive.
targetTableName encryptionType kmsMasterKeyArn aws:backup:request-id
The following is an example of the restoreMetadata
argument for a
StartRestoreJob
operation in the CLI:
aws backup start-restore-job \ --recovery-point-arn "arn:aws:backup:us-east-1:123456789012:recovery-point:abcdef12-g3hi-4567-8cjk-012345678901" \ --iam-role-arn "arn:aws:iam::123456789012:role/YourIamRole" \ --metadata 'TargetTableName=TestRestoreTestTable,EncryptionType=KMS,KMSMasterKeyId=arn:aws:kms:us-east-1:123456789012:key/abcdefg' \ --region us-east-1 \ --endpoint-url https://endpointurl.com
The preceding example encrypts the restored table using an Amazon-owned key. The part
of the restore metadata that specifies encryption using the Amazon-owned key is:
\"encryptionType\":\"Default\","kmsMasterKeyArn\":\"Not
Applicable\"
.
To encrypt your restored table using an Amazon-managed key, specify the following
restore metadata: "encryptionType\":\"KMS\",\"kmsMasterKeyArn\":\"Not
Applicable\"
.
To encrypt your restored table using an customer-managed key, specify the following
restore metadata:
"encryptionType\":\"KMS\",\"kmsMasterKeyArn\":\"
.arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
\"