Remediating exposures for DynamoDB tables
Amazon Security Hub can generate exposure findings for DynamoDB tables.
On the Security Hub console, the DynamoDB table involved in an exposure finding and its identifying information are listed in the Resources section of the finding details. Programmatically, you can retrieve resource details with the GetFindingsV2 operation of the Security Hub CSPM API.
After identifying the resource involved in an exposure finding, you can delete the resource if you don't need it. Deleting a nonessential resource can reduce your exposure profile and Amazon costs. If the resource is essential, follow these recommended remediation steps to help mitigate the risk. The remediation topics are divided based on the type of trait.
A single exposure finding can contain issues that span multiple remediation topics. You can often reduce the severity of an exposure finding by addressing just one of those topics. Your approach to risk remediation depends on your organizational requirements and workloads.
Note
The remediation guidance provided in this topic might require additional consultation in other Amazon resources.
Misconfiguration traits in DynamoDB
The following describes the misconfiguration traits and remediation steps for DynamoDB tables.
The DynamoDB table has point-in-time recovery disabled
Enable DynamoDB point-in-time recovery
DynamoDB point-in-time recovery provides continuous automated backups for your DynamoDB table data. For information about how to restore a DynamoDB table to a point in time, see Restoring a DynamoDB table to a point in time in the Amazon DynamoDB User Guide.
The DynamoDB table is not covered by a backup plan
Amazon Backup provides a centralized service to configure, manage, and automate backups across Amazon services, including DynamoDB. Without a backup plan, your table lacks scheduled, automated backups with customizable retention periods, creating significant security risks. An attacker could maliciously corrupt or delete your table data. Without proper backups, you may have no recovery option beyond the point-in-time recovery window (if enabled), potentially resulting in permanent data loss. Following data protection best practices, we recommend covering your DynamoDB tables with a backup plan.
Create a backup plan
Before creating a backup plan, determine an appropriate backup frequency and retention periods for your data. For information about how to create a backup plan, see Assign resources to a backup plan in the Amazon DynamoDB User Guide.
The DynamoDB table has deletion protection disabled
Deletion protection prevents the accidental deletion of DynamoDB tables. When deletion protection is disabled, DynamoDB tables are vulnerable to unintended deletion through console actions, API calls, CLI commands, or automated processes. This can expose your Amazon environment to data loss, as an unauthorized entity with access to your Amazon environment could intentionally delete tables, resulting in service disruption and permanent data loss. Following data protection best practices, we recommend enabling deletion protection for DynamoDB tables.
Enable deletion protection
If you manage multiple tables, consider using Amazon CloudFormation to update table properties in bulk.
You can modify your Amazon CloudFormation templates to include the DeletionProtectionEnabled property and then update your stacks.
After completing remediation, verify deletion protection is enabled in the Additional info dropdown in the table Settings tab.
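The following CloudFormation template is an added example and is not part of the Security Hub documentation. It remediates all three traits described on this page in one stack: it enables deletion protection and point-in-time recovery on the table, and it assigns the table to an Amazon Backup plan. The table name, key schema, backup schedule, and retention period are placeholder assumptions; choose values that fit your own data.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example (not from the Security Hub documentation): a DynamoDB table
  with deletion protection, point-in-time recovery, and backup plan coverage.

Parameters:
  TableName:
    Type: String
    Default: example-orders   # placeholder table name, assumed for this example
  RetentionDays:
    Type: Number
    Default: 35               # assumed retention period; set it to match your requirements

Resources:
  OrdersTable:
    Type: AWS::DynamoDB::Table
    # Keep the table if the stack is deleted or the resource is replaced,
    # so a stack operation cannot become a data-loss event.
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      TableName: !Ref TableName
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: pk          # assumed partition key
          AttributeType: S
      KeySchema:
        - AttributeName: pk
          KeyType: HASH
      # Trait: deletion protection disabled -> enable it.
      DeletionProtectionEnabled: true
      # Trait: point-in-time recovery disabled -> enable continuous backups.
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true

  BackupVault:
    Type: AWS::Backup::BackupVault
    Properties:
      BackupVaultName: !Sub "${TableName}-vault"

  # Service role that Amazon Backup assumes to create and restore backups.
  BackupRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: backup.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores

  BackupPlan:
    Type: AWS::Backup::BackupPlan
    Properties:
      BackupPlan:
        BackupPlanName: !Sub "${TableName}-daily"
        BackupPlanRule:
          - RuleName: DailyBackup
            TargetBackupVault: !Ref BackupVault
            ScheduleExpression: cron(0 5 ? * * *)   # assumed schedule: daily at 05:00 UTC
            Lifecycle:
              DeleteAfterDays: !Ref RetentionDays

  # Trait: table not covered by a backup plan -> assign the table to the plan.
  BackupSelection:
    Type: AWS::Backup::BackupSelection
    Properties:
      BackupPlanId: !Ref BackupPlan
      BackupSelection:
        SelectionName: !Sub "${TableName}-selection"
        IamRoleArn: !GetAtt BackupRole.Arn
        Resources:
          - !GetAtt OrdersTable.Arn
```

Two points to keep in mind when deploying this. First, once DeletionProtectionEnabled is true, a stack deletion or a change that requires replacing the table fails until you set the property back to false; the Retain policies make sure the table survives either way. Second, after the stack update completes, confirm the result the same way the page describes for the console, or from the CLI with `aws dynamodb describe-table` (check DeletionProtectionEnabled) and `aws dynamodb describe-continuous-backups` (check PointInTimeRecoveryStatus), and confirm that the table's ARN appears in the output of `aws backup list-protected-resources`.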