terraform.aws.security.aws-dynamodb-point-in-time-recovery-disabled.aws-dynamodb-point-in-time-recovery-disabled

Point-in-time recovery is not enabled for the DynamoDB table. DynamoDB tables should be protected against accidental or malicious write/delete actions. By enabling point-in-time-recovery you can restore to a known point in the event of loss of data.

Definition

rules:
  - id: aws-dynamodb-point-in-time-recovery-disabled
    patterns:
      - pattern: |
          resource "aws_dynamodb_table" $ANYTHING {
            ...
          }
      - pattern-not-inside: |
          resource "aws_dynamodb_table" $ANYTHING {
            ...
            point_in_time_recovery {
              ...
              enabled = true
              ...
            }
            ...
          }
    message: Point-in-time recovery is not enabled for the DynamoDB table. DynamoDB
      tables should be protected against accidental or malicious write/delete
      actions. By enabling point-in-time-recovery you can restore to a known
      point in the event of loss of data.
    languages:
      - hcl
    severity: INFO
    metadata:
      category: security
      technology:
        - terraform
        - aws
      cwe:
        - "CWE-221: Information Loss or Omission"
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      references:
        - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table#point_in_time_recovery
      owasp:
        - A09:2021 – Security Logging and Monitoring Failures
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Memory Issues

Examples

aws-dynamodb-point-in-time-recovery-disabled.tf

# ok: aws-dynamodb-point-in-time-recovery-disabled
resource "aws_dynamodb_table" "pass" {
  name     = "example"
  hash_key = "ExampleHashKey"

  attribute {
    name = "ExampleHashKey"
    type = "S"
  }

  point_in_time_recovery {
    enabled = true
  }
}

# ruleid: aws-dynamodb-point-in-time-recovery-disabled
resource "aws_dynamodb_table" "fail_1" {
  name     = "example"
  hash_key = "ExampleHashKey"

  attribute {
    name = "ExampleHashKey"
    type = "S"
  }
}

# ruleid: aws-dynamodb-point-in-time-recovery-disabled
resource "aws_dynamodb_table" "fail_2" {
  name     = "example"
  hash_key = "ExampleHashKey"

  attribute {
    name = "ExampleHashKey"
    type = "S"
  }

  point_in_time_recovery {
    enabled = false
  }
}
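As an added illustration (not part of the Semgrep rule or its registry page), the following plain-Python checker re-implements the rule's `pattern` / `pattern-not-inside` logic over a constructed copy of the table definitions above: a table is flagged when it has no `point_in_time_recovery` block at all (`fail_1`) or when the block is present but `enabled` is not `true` (`fail_2`). The parser is a deliberate simplification that matches braces and does not understand HCL strings or comments containing braces.

```python
import re

# Mirrors the rule's outer pattern: any aws_dynamodb_table resource block.
RESOURCE_RE = re.compile(r'resource\s+"aws_dynamodb_table"\s+"([^"]+)"\s*\{')
# Mirrors the nested block named in pattern-not-inside.
PITR_RE = re.compile(r'\bpoint_in_time_recovery\s*\{')
# Only `enabled = true` satisfies the rule; `enabled = false` or absence fails.
ENABLED_RE = re.compile(r'^\s*enabled\s*=\s*true\s*$', re.MULTILINE)


def block_body(text, open_brace):
    """Return the text between the '{' at open_brace and its matching '}'."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in Terraform source")


def pitr_enabled(body):
    """True if some point_in_time_recovery block in the resource body
    contains `enabled = true` (the pattern-not-inside condition)."""
    for m in PITR_RE.finditer(body):
        if ENABLED_RE.search(block_body(body, m.end() - 1)):
            return True
    return False


def find_findings(tf_source):
    """Return the names of the DynamoDB table resources the rule would flag."""
    return [m.group(1) for m in RESOURCE_RE.finditer(tf_source)
            if not pitr_enabled(block_body(tf_source, m.end() - 1))]


# Constructed sample input modelled on the three resources shown above.
SAMPLE_TF = '''
resource "aws_dynamodb_table" "pass" {
  name     = "example"
  attribute { name = "ExampleHashKey" type = "S" }
  point_in_time_recovery { enabled = true }
}
resource "aws_dynamodb_table" "fail_1" {
  name     = "example"
  attribute { name = "ExampleHashKey" type = "S" }
}
resource "aws_dynamodb_table" "fail_2" {
  name     = "example"
  point_in_time_recovery {
    enabled = false
  }
}
'''

if __name__ == "__main__":
    print(find_findings(SAMPLE_TF))  # ['fail_1', 'fail_2']
```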