DynamoDB tables are evaluated for inclusion in an AWS Backup backup plan through resource assignments, including explicit tables, resource-type wildcards, or all-resources coverage.
The result indicates whether a table is governed by scheduled backups and retention defined by the plan.
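The coverage evaluation described above can be sketched offline as follows. This is an added example, not Prowler's own code: it assumes selections shaped like the AWS Backup `BackupSelection` structure (`SelectionName`, `Resources`, `NotResources`), goes beyond the description by honoring `NotResources` exclusions, and does not evaluate tag conditions. The function names, account ID and ARNs are constructed for illustration.

```python
import re


def _matches(pattern: str, arn: str) -> bool:
    """Match an ARN against a selection pattern where '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, arn) is not None


def covering_selections(table_arn: str, selections: list) -> list:
    """Names of selections that include the table and do not exclude it."""
    names = []
    for sel in selections:
        included = any(_matches(p, table_arn) for p in sel.get("Resources", []))
        excluded = any(_matches(p, table_arn) for p in sel.get("NotResources", []))
        if included and not excluded:
            names.append(sel["SelectionName"])
    return names


def unprotected_tables(table_arns: list, selections: list) -> list:
    """Tables that no resource assignment covers (tag conditions not evaluated)."""
    return [arn for arn in table_arns if not covering_selections(arn, selections)]


# Constructed sample inventory (placeholder account ID and table names).
ACCOUNT = "111122223333"
ORDERS = f"arn:aws:dynamodb:us-east-1:{ACCOUNT}:table/orders"
SESSIONS = f"arn:aws:dynamodb:us-east-1:{ACCOUNT}:table/sessions"
AUDIT = f"arn:aws:dynamodb:eu-west-1:{ACCOUNT}:table/audit"
TABLES = [ORDERS, SESSIONS, AUDIT]

# Constructed assignments, one per coverage form named in the description.
EXPLICIT = [{"SelectionName": "orders-only", "Resources": [ORDERS]}]
BY_TYPE = [{"SelectionName": "all-dynamodb",
            "Resources": ["arn:aws:dynamodb:*:*:table/*"],
            "NotResources": [SESSIONS]}]
ALL_RESOURCES = [{"SelectionName": "everything", "Resources": ["*"]}]
OTHER_SERVICE = [{"SelectionName": "ec2-only",
                  "Resources": ["arn:aws:ec2:*:*:instance/*"]}]

if __name__ == "__main__":
    for label, sels in [("explicit", EXPLICIT), ("by type", BY_TYPE),
                        ("all resources", ALL_RESOURCES), ("other service", OTHER_SERVICE)]:
        print(f"{label}: unprotected = {unprotected_tables(TABLES, sels)}")
```

The `BY_TYPE` case shows why an exclusion matters: a resource-type wildcard looks like full coverage, yet the excluded table still has no governed backups.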
Risk
Without a backup plan, table data lacks governed copies, harming availability and integrity. Accidental deletes, corrupt writes, or malicious actions can become unrecoverable, and RPO/RTO worsen. You also forfeit cross-Region/account copies and immutability features, increasing downtime and data loss.
prowler aws --checks dynamodb_table_protected_by_backup_plan
Recommendation
Place all critical tables under an AWS Backup backup plan following defense in depth and least privilege:
- Use tag-based assignments for coverage at scale
- Define schedules, retention, and cross-Region/account copies
- Enable Vault Lock for immutability
- Regularly test restores and restrict backup deletion
Remediation
- In the AWS Backup console, go to Settings > Configure resources, enable DynamoDB, then choose Confirm
- Go to Backup plans > Create backup plan > Build a new plan
- Enter a plan name, set Rule name to any value, set Backup vault to Default, and choose Create plan
- On the plan page, choose Assign resources
- Enter a Resource assignment name, set IAM role to Default role, select your DynamoDB table, and choose Assign resources
Resource Type
AwsDynamoDbTable