DynamoDB Table Point In Time Recovery Disabled

  • Query id: 741f1291-47ac-4a85-a07b-3d32a9d6bd3e
  • Query name: DynamoDB Table Point In Time Recovery Disabled
  • Platform: Terraform
  • Severity: Info
  • Category: Best Practices
  • URL: Github


It is considered a best practice to enable point-in-time recovery for DynamoDB tables, so that accidental writes or deletes can be undone by restoring the table to an earlier state.

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
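# Positive test 1: point_in_time_recovery is declared but explicitly disabled.
# Closing braces restored; the rendered sample had lost them and was not valid HCL.
resource "aws_dynamodb_table" "basic-dynamodb-table" {
  name           = "GameScores"
  billing_mode   = "PROVISIONED"
  read_capacity  = 20
  write_capacity = 20
  hash_key       = "UserId"
  range_key      = "GameTitle"

  # Flagged by this query: recovery is switched off, so point-in-time
  # restore is unavailable for this table. Set `enabled = true` to pass.
  point_in_time_recovery {
    enabled = false
  }

  attribute {
    name = "UserId"
    type = "S"
  }

  attribute {
    name = "GameTitle"
    type = "S"
  }

  attribute {
    name = "TopScore"
    type = "N"
  }

  # Not part of the finding: this controls item expiry, not backups.
  ttl {
    attribute_name = "TimeToExist"
    enabled        = false
  }

  global_secondary_index {
    name               = "GameTitleIndex"
    hash_key           = "GameTitle"
    range_key          = "TopScore"
    write_capacity     = 10
    read_capacity      = 10
    projection_type    = "INCLUDE"
    non_key_attributes = ["UserId"]
  }

  tags = {
    Name        = "dynamodb-table-1"
    Environment = "production"
  }
}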
Positive test num. 2 - tf file
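# Positive test 2: the point_in_time_recovery block is omitted entirely.
# Closing braces restored; the rendered sample had lost them and was not valid HCL.
resource "aws_dynamodb_table" "basic-dynamodb-table" {
  name           = "GameScores"
  billing_mode   = "PROVISIONED"
  read_capacity  = 20
  write_capacity = 20
  hash_key       = "UserId"
  range_key      = "GameTitle"

  # Flagged by this query: no point_in_time_recovery block is declared, which
  # the query treats the same as `enabled = false`. Add the block with
  # `enabled = true` to pass.

  attribute {
    name = "UserId"
    type = "S"
  }

  attribute {
    name = "GameTitle"
    type = "S"
  }

  attribute {
    name = "TopScore"
    type = "N"
  }

  # Not part of the finding: this controls item expiry, not backups.
  ttl {
    attribute_name = "TimeToExist"
    enabled        = false
  }

  global_secondary_index {
    name               = "GameTitleIndex"
    hash_key           = "GameTitle"
    range_key          = "TopScore"
    write_capacity     = 10
    read_capacity      = 10
    projection_type    = "INCLUDE"
    non_key_attributes = ["UserId"]
  }

  tags = {
    Name        = "dynamodb-table-1"
    Environment = "production"
  }
}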

Code samples without security vulnerabilities

Negative test num. 1 - tf file
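# Negative test 1: point_in_time_recovery is declared and enabled.
# Closing braces restored; the rendered sample had lost them and was not valid HCL.
resource "aws_dynamodb_table" "basic-dynamodb-table" {
  name           = "GameScores"
  billing_mode   = "PROVISIONED"
  read_capacity  = 20
  write_capacity = 20
  hash_key       = "UserId"
  range_key      = "GameTitle"

  # Passes this query: the block is present and `enabled = true`.
  point_in_time_recovery {
    enabled = true
  }

  attribute {
    name = "UserId"
    type = "S"
  }

  attribute {
    name = "GameTitle"
    type = "S"
  }

  attribute {
    name = "TopScore"
    type = "N"
  }

  # Not part of the finding: this controls item expiry, not backups.
  ttl {
    attribute_name = "TimeToExist"
    enabled        = false
  }

  global_secondary_index {
    name               = "GameTitleIndex"
    hash_key           = "GameTitle"
    range_key          = "TopScore"
    write_capacity     = 10
    read_capacity      = 10
    projection_type    = "INCLUDE"
    non_key_attributes = ["UserId"]
  }

  tags = {
    Name        = "dynamodb-table-1"
    Environment = "production"
  }
}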