AWS DynamoDB Point-in-Time Recovery (PITR) Disabled (CKV_AWS_28)

High Risk | Infrastructure Security

Tags: aws, dynamodb, backup, disaster-recovery, data-protection, pitr, point-in-time-recovery, terraform, cloudformation, checkov, ckv-aws-28

What it is

A high-impact availability and data-protection misconfiguration: an Amazon DynamoDB table is created without Point-in-Time Recovery (PITR) enabled. PITR keeps continuous backups of the table and lets you restore it to any second within the retention window (up to 35 days), which is the only native way to undo accidental or malicious item deletions, bad migrations, or application bugs that corrupt data. Without it, the only fallback is whatever on-demand or AWS Backup snapshots you happened to take, and everything written since the last snapshot is unrecoverable. Checkov reports a missing or disabled PITR setting as CKV_AWS_28.

# VULNERABLE: DynamoDB table without PITR (CKV_AWS_28 violation)
resource "aws_dynamodb_table" "user_sessions" {
  name           = "user-sessions"
  billing_mode   = "PAY_PER_REQUEST"
  hash_key       = "session_id"
  
  attribute {
    name = "session_id"
    type = "S"
  }
  
  attribute {
    name = "user_id"
    type = "S"
  }
  
  global_secondary_index {
    name            = "user-index"
    hash_key        = "user_id"
    projection_type = "ALL"   # required by the provider; unrelated to the PITR finding
  }
  
  # VULNERABLE: Missing point_in_time_recovery configuration (defaults to disabled)
  # No continuous backups - deleted or corrupted items cannot be rolled back
  
  tags = {
    Environment = "production"
  }
}

# VULNERABLE: CloudFormation without PITR
Resources:
  UserSessionsTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: user-sessions
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: session_id
          AttributeType: S
        - AttributeName: user_id
          AttributeType: S
      KeySchema:
        - AttributeName: session_id
          KeyType: HASH
      GlobalSecondaryIndexes:
        - IndexName: user-index
          KeySchema:
            - AttributeName: user_id
              KeyType: HASH
          Projection:
            ProjectionType: ALL
      # VULNERABLE: Missing PointInTimeRecoverySpecification (defaults to disabled)
      Tags:
        - Key: Environment
          Value: production

# SECURE: DynamoDB table with PITR enabled (CKV_AWS_28 compliant)
resource "aws_dynamodb_table" "user_sessions" {
  name           = "user-sessions"
  billing_mode   = "PAY_PER_REQUEST"
  hash_key       = "session_id"
  
  attribute {
    name = "session_id"
    type = "S"
  }
  
  attribute {
    name = "user_id"
    type = "S"
  }
  
  global_secondary_index {
    name            = "user-index"
    hash_key        = "user_id"
    projection_type = "ALL"
  }
  
  # SECURE: Enable Point-in-Time Recovery for data protection
  point_in_time_recovery {
    enabled = true
  }
  
  tags = {
    Environment = "production"
    Service     = "authentication"
  }
}

# SECURE: CloudFormation with PITR enabled
Resources:
  UserSessionsTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: user-sessions
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: session_id
          AttributeType: S
        - AttributeName: user_id
          AttributeType: S
      KeySchema:
        - AttributeName: session_id
          KeyType: HASH
      GlobalSecondaryIndexes:
        - IndexName: user-index
          KeySchema:
            - AttributeName: user_id
              KeyType: HASH
          Projection:
            ProjectionType: ALL
      # SECURE: Enable Point-in-Time Recovery
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true
      Tags:
        - Key: Environment
          Value: production
        - Key: Service
          Value: authentication

💡 Why This Fix Works

The vulnerable examples define DynamoDB tables without Point-in-Time Recovery, which Checkov reports as CKV_AWS_28 and which leaves the data with no rollback path. The secure versions add point_in_time_recovery { enabled = true } in Terraform and PointInTimeRecoverySpecification with PointInTimeRecoveryEnabled: true in CloudFormation; nothing else about the table needs to change, and the check does not involve encryption settings.

ℹ️ Configuration Fix

This is a configuration fix rather than an application code change: add the PITR setting to the table definition in Terraform or CloudFormation as shown above, or enable it on tables that already exist with the AWS CLI as described below.

💡 Explanation

The IaC examples above protect tables at creation time. For tables that already exist, PITR status is read with aws dynamodb describe-continuous-backups, switched on with aws dynamodb update-continuous-backups, and used for recovery with aws dynamodb restore-table-to-point-in-time, which restores the table as it was at a chosen second into a new table. Auditing every table in a region and enabling PITR where it is off is a short scripted loop over aws dynamodb list-tables.
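The audit-and-enable loop described above, as an added shell example that is not code from the original page. It assumes AWS CLI v2 on the PATH and credentials allowed dynamodb:ListTables, dynamodb:DescribeContinuousBackups and dynamodb:UpdateContinuousBackups; the embedded JSON sample, the function names and the PITR_AUDIT_LIVE / PITR_AUDIT_DRY_RUN variables are this example's own assumptions. The live calls only run when PITR_AUDIT_LIVE=1, so the file can be sourced or tested offline.

```shell
#!/bin/sh
# Added example (not from the original page): audit PITR across a region and enable it
# where it is off. Assumes AWS CLI v2 and credentials for ListTables,
# DescribeContinuousBackups and UpdateContinuousBackups (assumption of this example).

# Pure helper: read describe-continuous-backups JSON on stdin and print ENABLED or DISABLED.
# Whitespace is stripped first so the match does not depend on the CLI's pretty-printing.
pitr_status_from_json() {
  tr -d ' \n\r\t' | sed -n 's/.*"PointInTimeRecoveryStatus":"\([A-Z_]*\)".*/\1/p'
}

# Live: current PITR status for one table.
pitr_status() {
  aws dynamodb describe-continuous-backups --table-name "$1" | pitr_status_from_json
}

# Live: turn PITR on for one table. Enabling an already-enabled table is harmless.
enable_pitr() {
  aws dynamodb update-continuous-backups --table-name "$1" \
    --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true >/dev/null
}

# Live: walk every table in the current region, report its status, and enable PITR
# where it is off. Set PITR_AUDIT_DRY_RUN=1 to report without changing anything.
audit_region() {
  for table in $(aws dynamodb list-tables --query 'TableNames[]' --output text); do
    status=$(pitr_status "$table")
    printf '%-40s %s\n' "$table" "$status"
    if [ "$status" != "ENABLED" ] && [ "${PITR_AUDIT_DRY_RUN:-0}" != "1" ]; then
      enable_pitr "$table" && printf '%-40s %s\n' "$table" "ENABLED (just now)"
    fi
  done
}

# Constructed sample of what describe-continuous-backups returns for a table without PITR
# (ContinuousBackupsStatus is always ENABLED; PITR is the opt-in part).
SAMPLE_DISABLED='{
  "ContinuousBackupsDescription": {
    "ContinuousBackupsStatus": "ENABLED",
    "PointInTimeRecoveryDescription": { "PointInTimeRecoveryStatus": "DISABLED" }
  }
}'

# Offline self-check used when no AWS credentials are available.
demo_status() {
  printf '%s' "$SAMPLE_DISABLED" | pitr_status_from_json
}

# Run the live audit only when explicitly asked.
if [ "${PITR_AUDIT_LIVE:-0}" = "1" ]; then
  audit_region
else
  demo_status
fi
```

Run it as PITR_AUDIT_LIVE=1 PITR_AUDIT_DRY_RUN=1 sh audit.sh first to see the report, then without the dry-run flag to remediate; re-run per region, since PITR is a regional, per-table setting.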

Why it happens

PITR is an opt-in, per-table setting. Nothing in the DynamoDB defaults, the console's quick-create flow, or a minimal Terraform or CloudFormation resource turns it on, so a table stays unprotected until someone explicitly enables it. The specific patterns that lead there are listed below.

Root causes

Default DynamoDB Configuration Without PITR

DynamoDB tables are created using default settings that do not enable Point-in-Time Recovery. This commonly occurs when developers focus on functionality over data protection, or when working with development/testing environments where backup strategies are not prioritized. PITR must be explicitly enabled and is not part of the default table configuration.

Missing Backup Strategy in Infrastructure Code

Infrastructure as Code templates (Terraform, CloudFormation) define DynamoDB tables without including point_in_time_recovery configuration blocks or PointInTimeRecoverySpecification properties. This often happens when using basic examples or when disaster recovery requirements are not clearly communicated to development teams.

Cost Optimization Without Risk Assessment

Organizations disable PITR to save money without assessing the risk of data loss. PITR is billed per GB-month of table data, which for most tables is small next to the cost of an unrecoverable deletion or a manual rebuild from application logs; the decision should be made with that comparison in hand, not as a blanket cost cut.

Fixes

1

Enable Point-in-Time Recovery

Set point_in_time_recovery { enabled = true } in Terraform or PointInTimeRecoverySpecification with PointInTimeRecoveryEnabled: true in CloudFormation on every production table. DynamoDB then keeps continuous, per-second backups for the retention period (up to 35 days) and can restore the table as it was at any second in that window. Two caveats: the window starts when PITR is enabled, so history before that moment is not recoverable, and turning PITR off and back on resets the window. If a PITR-enabled table is deleted, DynamoDB keeps a system backup of it for 35 days, so deletion of the whole table is covered as well as item-level damage.

2

Implement Backup Policy Enforcement

Enforce it at every layer. In CI, Checkov (rule ID CKV_AWS_28) or an equivalent IaC scanner blocks Terraform and CloudFormation that omit the setting. At runtime, the AWS Config managed rule dynamodb-pitr-enabled reports live tables without PITR, which also catches console-created tables and drift that IaC scanning never sees. A Service Control Policy can deny dynamodb:UpdateContinuousBackups to everyone except a break-glass role, so a careless or compromised principal cannot switch PITR off; this matters because disabling and re-enabling PITR resets the recoverable window, so anyone who can toggle it can erase your rollback history. Make these guardrails part of governance so tables cannot reach production without them.
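One way to wire up those three layers, as an added example rather than code from the page, from Checkov or from AWS: two small awk scanners for a pre-commit hook, the Checkov invocation, and the put-config-rule call for the managed rule. The awk logic is this example's own simplification (one resource per block, the PITR setting written literally rather than via a variable or !Ref, no braces inside comments or strings), and the names tf_tables_missing_pitr, cfn_tables_missing_pitr, demo_scan and IAC_SCAN_LIVE are assumptions; use Checkov for actual gating.

```shell
#!/bin/sh
# Added example, not from the original page or from Checkov. Assumes checkov and the AWS CLI
# are installed for the live steps; the offline scanners below need only awk and mktemp.
# The awk scanners are intentionally simple: one resource per block, the PITR setting written
# literally (no variables or !Ref), no braces in comments or strings. Use Checkov for gating.

# Terraform: print resource names of aws_dynamodb_table blocks without
# point_in_time_recovery { enabled = true } (a missing block and enabled = false both count).
tf_tables_missing_pitr() {
  awk '
    /^[[:space:]]*resource[[:space:]]+"aws_dynamodb_table"/ {
      match($0, /"[^"]*"[[:space:]]+"[^"]*"/)
      split(substr($0, RSTART, RLENGTH), parts, "\"")
      name = parts[4]; in_table = 1; depth = 0; in_pitr = 0; pitr_ok = 0
    }
    in_table {
      depth += gsub(/[{]/, "{")                                  # brace depth inside the resource
      if ($0 ~ /point_in_time_recovery[[:space:]]*[{]/) in_pitr = 1
      if (in_pitr && $0 ~ /enabled[[:space:]]*=[[:space:]]*true/) pitr_ok = 1
      depth -= gsub(/[}]/, "}")
      if (in_pitr && depth <= 1) in_pitr = 0                     # left the nested block
      if (depth == 0) { if (!pitr_ok) print name; in_table = 0 } # resource closed: report
    }
  ' "$1"
}

# CloudFormation YAML: print logical IDs of AWS::DynamoDB::Table resources (2-space-indented
# keys) that never set PointInTimeRecoveryEnabled: true.
cfn_tables_missing_pitr() {
  awk '
    /^  [A-Za-z0-9]+:[[:space:]]*$/ {                  # next top-level key: flush the previous one
      if (in_table && !pitr_ok) print name
      name = $1; sub(/:$/, "", name); in_table = 0; pitr_ok = 0
    }
    /^[[:space:]]+Type:[[:space:]]*"?AWS::DynamoDB::Table/ { in_table = 1 }
    /^[[:space:]]+PointInTimeRecoveryEnabled:[[:space:]]*true/ { pitr_ok = 1 }
    END { if (in_table && !pitr_ok) print name }
  ' "$1"
}

# Authoritative IaC check: Checkov evaluates CKV_AWS_28 for Terraform and CloudFormation.
scan_with_checkov() {
  checkov -d "${1:-.}" --check CKV_AWS_28
}

# Runtime guardrail: the AWS managed Config rule flags live tables without PITR, catching
# console-created tables and drift that IaC scanning never sees.
put_pitr_config_rule() {
  aws configservice put-config-rule --config-rule '{
    "ConfigRuleName": "dynamodb-pitr-enabled",
    "Source": { "Owner": "AWS", "SourceIdentifier": "DYNAMODB_PITR_ENABLED" },
    "Scope": { "ComplianceResourceTypes": ["AWS::DynamoDB::Table"] }
  }'
}

# Offline demo on constructed templates: one compliant and one non-compliant table each.
demo_scan() {
  dir=$(mktemp -d)
  cat > "$dir/tables.tf" <<'EOF'
resource "aws_dynamodb_table" "orders_no_pitr" {
  name     = "orders"
  hash_key = "id"
  attribute {
    name = "id"
    type = "S"
  }
  tags = { Environment = "production" }
}

resource "aws_dynamodb_table" "orders_with_pitr" {
  name     = "orders-v2"
  hash_key = "id"
  attribute {
    name = "id"
    type = "S"
  }
  point_in_time_recovery {
    enabled = true
  }
}
EOF
  cat > "$dir/template.yaml" <<'EOF'
Resources:
  OrdersNoPitr:
    Type: AWS::DynamoDB::Table
    Properties:
      BillingMode: PAY_PER_REQUEST
  OrdersWithPitr:
    Type: AWS::DynamoDB::Table
    Properties:
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true
EOF
  tf_tables_missing_pitr "$dir/tables.tf"
  cfn_tables_missing_pitr "$dir/template.yaml"
  rm -rf "$dir"
}

if [ "${IAC_SCAN_LIVE:-0}" = "1" ]; then scan_with_checkov "$@"; else demo_scan; fi
```

The awk pass is fast enough for a pre-commit hook and fails closed on enabled = false; the Config rule and the SCP deny on dynamodb:UpdateContinuousBackups are what protect you once the table exists, because nothing in CI stops someone from toggling PITR in the console.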

3

Document Recovery Procedures

Write and rehearse the recovery runbook: how to find the restorable window (describe-continuous-backups reports the earliest and latest restorable timestamps), how to restore to a timestamp with restore-table-to-point-in-time (this always creates a new table and leaves the source untouched, so the procedure must cover cutting the application over to the new table or copying data back), how to handle cross-Region restores (a PITR restore can target another Region when the source is given by ARN, but not another account; use AWS Backup copies for that), and who coordinates with application owners during the restore. The restored table does not inherit PITR, auto scaling, TTL, stream, tag or IAM settings, so those must be reapplied before it is put into service. Test the procedure regularly, ideally against a copy of production, and record how long it takes.
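A restore runbook skeleton for the procedure above, as an added example that is not code from the original page. It assumes AWS CLI v2 with its default ISO 8601 timestamp output and credentials allowed dynamodb:DescribeContinuousBackups, dynamodb:RestoreTableToPointInTime and dynamodb:UpdateContinuousBackups; the function names, the embedded JSON sample and the RESTORE_LIVE variable are this example's assumptions. The window check runs offline; the restore itself only runs when RESTORE_LIVE=1.

```shell
#!/bin/sh
# Added example (not from the original page): validate a restore timestamp against the
# restorable window, restore into a new table, and re-enable PITR on the result.
# Assumes AWS CLI v2 (ISO 8601 timestamps by default) and suitable credentials.

# Pure helper: first string value of KEY from JSON on stdin (enough for the CLI's flat output).
json_field() {
  tr -d ' \n\r\t' | sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

# Pure helper: succeed when TARGET lies within [EARLIEST, LATEST]. ISO 8601 timestamps in the
# same UTC offset order correctly as strings, which is what the CLI emits by default.
in_restore_window() {
  awk -v e="$1" -v l="$2" -v t="$3" 'BEGIN { exit !(t >= e && t <= l) }'
}

# Live: print "<earliest> <latest>" for a table.
restore_window() {
  out=$(aws dynamodb describe-continuous-backups --table-name "$1")
  printf '%s %s\n' "$(printf '%s' "$out" | json_field EarliestRestorableDateTime)" \
                   "$(printf '%s' "$out" | json_field LatestRestorableDateTime)"
}

# Live: restore SOURCE as a new table TARGET at TIMESTAMP, refusing times outside the window.
# The source is never modified; cutover or copy-back is a separate, deliberate step.
restore_table() {
  src=$1; dst=$2; when=$3
  set -- $(restore_window "$src")
  if ! in_restore_window "$1" "$2" "$when"; then
    echo "refusing: $when is outside the restorable window [$1, $2] for $src" >&2
    return 1
  fi
  aws dynamodb restore-table-to-point-in-time \
    --source-table-name "$src" --target-table-name "$dst" --restore-date-time "$when"
  aws dynamodb wait table-exists --table-name "$dst"
  # PITR, auto scaling, TTL, streams, tags and IAM policies are NOT carried over to the
  # restored table; enable PITR immediately so the new table is not itself unprotected.
  aws dynamodb update-continuous-backups --table-name "$dst" \
    --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true
}

# Constructed sample of describe-continuous-backups output for a PITR-enabled table.
SAMPLE_ENABLED='{ "ContinuousBackupsDescription": { "ContinuousBackupsStatus": "ENABLED",
  "PointInTimeRecoveryDescription": { "PointInTimeRecoveryStatus": "ENABLED",
    "EarliestRestorableDateTime": "2024-04-01T00:00:00+00:00",
    "LatestRestorableDateTime": "2024-05-06T08:15:30+00:00" } } }'

# Offline check: is TIMESTAMP restorable given the sample window? Prints ok or outside.
demo_window_check() {
  e=$(printf '%s' "$SAMPLE_ENABLED" | json_field EarliestRestorableDateTime)
  l=$(printf '%s' "$SAMPLE_ENABLED" | json_field LatestRestorableDateTime)
  if in_restore_window "$e" "$l" "$1"; then echo ok; else echo outside; fi
}

if [ "${RESTORE_LIVE:-0}" = "1" ]; then
  restore_table "$@"                         # e.g. RESTORE_LIVE=1 sh restore.sh user-sessions user-sessions-restored 2024-05-06T07:59:00+00:00
else
  demo_window_check "2024-05-01T12:00:00+00:00"
fi
```

Pick the restore time just before the destructive event (the latest restorable time is a few minutes behind the present), restore under a new name, verify the data, and only then repoint the application; rehearsing this on a copy is what turns the command into a procedure.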

Detect This Vulnerability in Your Code

Sourcery automatically identifies AWS DynamoDB Point-in-Time Recovery (PITR) Disabled (CKV_AWS_28) and many other security issues in your codebase.