AWS DynamoDB Point-in-Time Recovery Disabled

Severity: High Risk | Category: Infrastructure Security
Tags: aws, dynamodb, pitr, backup, data-recovery, business-continuity, compliance, terraform, cloudformation

What it is

A significant availability and data integrity vulnerability where Amazon DynamoDB tables are configured without Point-in-Time Recovery (PITR), leaving the database vulnerable to permanent data loss from accidental deletions, corruption, or malicious attacks. Without PITR, there is no way to restore table data to any point within the last 35 days, making data recovery impossible after destructive operations. This can result in business continuity issues, compliance violations, and permanent loss of critical application data.

# VULNERABLE: DynamoDB table without PITR
resource "aws_dynamodb_table" "user_data" {
  name           = "user-data-table"
  billing_mode   = "PAY_PER_REQUEST"
  hash_key       = "user_id"
  
  attribute {
    name = "user_id"
    type = "S"
  }
  
  # VULNERABLE: No point_in_time_recovery block
  # Data cannot be recovered after accidental deletion
  
  tags = {
    Environment = "production"
  }
}

# SECURE: DynamoDB table with PITR enabled
resource "aws_dynamodb_table" "user_data" {
  name           = "user-data-table"
  billing_mode   = "PAY_PER_REQUEST"
  hash_key       = "user_id"
  
  attribute {
    name = "user_id"
    type = "S"
  }
  
  # SECURE: Enable Point-in-Time Recovery
  point_in_time_recovery {
    enabled = true
  }
  
  tags = {
    Environment = "production"
  }
}

💡 Why This Fix Works

The vulnerable example shows a DynamoDB table created without Point-in-Time Recovery, leaving it exposed to permanent data loss. The secure alternative adds the point_in_time_recovery block with enabled = true, so the table keeps continuous backups and can be restored to any second within the retention window; a complete hardening pairs PITR with encryption, deletion protection, monitoring, and an on-demand backup strategy so that data can be recovered from accidental deletion or corruption.

Why it happens

Development teams create DynamoDB tables without enabling Point-in-Time Recovery, often due to cost concerns or lack of awareness about data protection requirements. PITR is disabled by default and must be explicitly enabled, leading many tables to operate without continuous backup protection. This commonly occurs in development environments that later become production systems.

Root causes

DynamoDB Table Without PITR Configuration

Tables are provisioned with PITR left off because it is disabled by default and must be explicitly enabled; cost concerns and limited awareness of data protection requirements mean the setting is never added, so the table runs without continuous backup protection. This is especially common for tables created in development environments that later become production systems.

Infrastructure Code Missing PITR Settings

Terraform and CloudFormation templates define DynamoDB tables without the point_in_time_recovery block (Terraform) or the PointInTimeRecoverySpecification property (CloudFormation). This oversight often happens when starting from a minimal table definition or copying examples that omit backup and recovery best practices, and teams may forget to add PITR when promoting a template from development to production.

Fixes

1. Enable Point-in-Time Recovery

Configure PITR on all DynamoDB tables by setting point_in_time_recovery { enabled = true } in Terraform or PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled: true in CloudFormation. This provides continuous backups for the previous 35 days and enables recovery to any point in time within that window.

2. Implement Backup and Recovery Strategy

Develop a comprehensive backup strategy that includes both PITR and on-demand backups for long-term retention. Create documented recovery procedures, test restoration processes regularly, and ensure that backup retention periods meet business and compliance requirements. Consider cross-region backup replication for disaster recovery scenarios.

3. Automate Backup Monitoring and Alerts

Set up CloudWatch alarms and monitoring to track PITR status and backup health. Create alerts for backup failures, restoration activities, or when PITR is disabled on critical tables. Implement automated compliance checking to ensure all production tables have appropriate backup configurations enabled.
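The automated compliance check described in this fix, and the "Infrastructure Code Missing PITR Settings" root cause above, can be covered by a static scan of Terraform source before it is applied. The following is an added example written for this page, not Sourcery's or Terraform's own code; it assumes plain HCL like the snippets above and uses a textual brace-matching approach rather than a full HCL parser, with the Environment = "production" tag as an assumed convention for ranking severity.

```python
import re
# Textual check (assumed approach, not a full HCL parser): find each
# aws_dynamodb_table resource and require point_in_time_recovery { enabled = true }.
RESOURCE_RE = re.compile(r'resource\s+"aws_dynamodb_table"\s+"([^"]+)"\s*\{')
PITR_RE = re.compile(r'point_in_time_recovery\s*\{([^}]*)\}')
ENABLED_RE = re.compile(r'\benabled\s*=\s*true\b')
PROD_RE = re.compile(r'Environment\s*=\s*"production"')

def _strip_comments(text):
    # Drop # and // line comments so a commented-out PITR block does not count.
    return re.sub(r'(#|//)[^\n]*', '', text)

def _block_body(text, open_brace):
    # Text between the brace at index open_brace and its matching close brace.
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == '{': depth += 1
        elif text[i] == '}': depth -= 1
        if depth == 0:
            return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in resource block")

def find_tables_without_pitr(hcl):
    # Returns [(resource_name, severity)]; production-tagged tables rank higher.
    findings = []
    text = _strip_comments(hcl)
    for m in RESOURCE_RE.finditer(text):
        body = _block_body(text, m.end() - 1)
        pitr = PITR_RE.search(body)
        if pitr and ENABLED_RE.search(pitr.group(1)):
            continue  # PITR enabled: compliant
        severity = "high" if PROD_RE.search(body) else "medium"
        findings.append((m.group(1), severity))
    return findings

# Constructed sample: the page's vulnerable table (PITR only in a comment),
# a dev table with PITR explicitly disabled, and a compliant production table.
SAMPLE_HCL = '''
resource "aws_dynamodb_table" "user_data" {
  hash_key = "user_id"
  # point_in_time_recovery { enabled = true }
  tags = { Environment = "production" }
}
resource "aws_dynamodb_table" "sessions" {
  hash_key = "sid"
  point_in_time_recovery { enabled = false }
  tags = { Environment = "dev" }
}
resource "aws_dynamodb_table" "orders" {
  hash_key = "order_id"
  point_in_time_recovery { enabled = true }
  tags = { Environment = "production" }
}
'''
```

Running find_tables_without_pitr(SAMPLE_HCL) reports user_data as high and sessions as medium while orders passes; wire it into CI so a missing or disabled PITR block fails the plan before the table reaches production.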

Detect This Vulnerability in Your Code

Sourcery automatically identifies AWS DynamoDB Point-in-Time Recovery Disabled and many other security issues in your codebase.