Drata validates that each DynamoDB table has point-in-time recovery status set to enabled.
Prerequisites
This test requires an additional permission, 'backup:ListRecoveryPointsByResource', which is not a default permission within the SecurityAudit policy on the DrataAutoPilot role. To add the required permission to the DrataAutoPilot role:
Navigate to the DrataAutoPilot role in IAM Console.
Add an inline policy to the role.
In the policy editor, choose JSON to add permissions manually and paste the following JSON for the 'backup:ListRecoveryPointsByResource' permission needed for this test:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "backup:ListRecoveryPointsByResource" ],
          "Resource": "*"
        }
      ]
    }

Give this inline policy a name and add it to the DrataAutoPilot role.
ASSOCIATED DRATA CONTROL
This test is part of the System Monitoring control (DCF-86), which ensures that production systems and resources are monitored and that automated alerts are sent out to personnel based on pre-configured rules. Events are triaged to determine if they constitute an incident and escalated per policy if necessary.
WHAT TO DO IF A TEST FAILS
If Drata detects that one or more AWS DynamoDB tables do not have point-in-time recovery status set to enabled, your test will fail. To remediate a failed test:
1. Sign into the AWS Management console and navigate to DynamoDB.
2. Select a table that is failing this test.
3. Go to the 'Backups' tab and enable 'Point-In-Time Recovery'.
4. Confirm the action and repeat for each failing DynamoDB table.
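The check this test performs and the remediation steps above, as an added Python example that is not Drata's own implementation (which relies on the AWS Backup permission listed under Prerequisites): the pass/fail decision is made on the DescribeContinuousBackups response shape, so it runs offline against the constructed sample, while the live path assumes boto3 and credentials holding dynamodb:ListTables, dynamodb:DescribeContinuousBackups and, for remediation, dynamodb:UpdateContinuousBackups.

```python
"""Check DynamoDB tables for point-in-time recovery (PITR), offline or live."""
from typing import Dict, List


def pitr_enabled(describe_response: Dict) -> bool:
    """True iff PointInTimeRecoveryStatus is ENABLED in a DescribeContinuousBackups
    response. Missing keys count as disabled, so a partial response fails closed."""
    desc = describe_response.get("ContinuousBackupsDescription", {})
    pitr = desc.get("PointInTimeRecoveryDescription", {})
    return pitr.get("PointInTimeRecoveryStatus") == "ENABLED"


def failing_tables(statuses: Dict[str, Dict]) -> List[str]:
    """{table_name: DescribeContinuousBackups response} -> sorted names of tables
    that would fail the test on this page."""
    return sorted(n for n, resp in statuses.items() if not pitr_enabled(resp))


def collect_statuses(region_name: str) -> Dict[str, Dict]:
    """Live path (assumes boto3 and credentials with dynamodb:ListTables and
    dynamodb:DescribeContinuousBackups); pages through every table in the region."""
    import boto3  # imported here so the offline helpers above need no SDK

    ddb = boto3.client("dynamodb", region_name=region_name)
    statuses: Dict[str, Dict] = {}
    for page in ddb.get_paginator("list_tables").paginate():
        for name in page["TableNames"]:
            statuses[name] = ddb.describe_continuous_backups(TableName=name)
    return statuses


def enable_pitr(ddb, table_name: str) -> None:
    """API equivalent of the console remediation (needs dynamodb:UpdateContinuousBackups)."""
    ddb.update_continuous_backups(
        TableName=table_name,
        PointInTimeRecoverySpecification={"PointInTimeRecoveryEnabled": True},
    )


# Constructed sample responses shaped like the API output; not real tables.
SAMPLE = {
    "orders": {"ContinuousBackupsDescription": {"ContinuousBackupsStatus": "ENABLED",
        "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "ENABLED"}}},
    "sessions": {"ContinuousBackupsDescription": {"ContinuousBackupsStatus": "ENABLED",
        "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "DISABLED"}}},
    "legacy": {"ContinuousBackupsDescription": {"ContinuousBackupsStatus": "ENABLED"}},
}

if __name__ == "__main__":
    print("failing:", failing_tables(SAMPLE))  # ['legacy', 'sessions']
```

Against a live account, pass `collect_statuses("<region>")` to `failing_tables` and call `enable_pitr` for each name it returns.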