Description:

You can create on-demand backups of your Amazon DynamoDB tables, or you can enable continuous backups using point-in-time recovery. Point-in-time recovery helps protect your DynamoDB tables from accidental write or delete operations. You don't have to worry about creating, maintaining, or scheduling on-demand backups with point-in-time recovery. You can use the DynamoDB on-demand backup capability to create full backups of your tables for long-term retention and archival for regulatory compliance needs.


Rationale:

By encrypting all of your data at rest with encryption keys maintained in AWS Key Management Service (AWS KMS), DynamoDB encryption at rest provides greater security. This feature aids in reducing the operational burden and complexity of safeguarding sensitive data.


Impact:

With encryption at rest, DynamoDB transparently encrypts all customer data in a DynamoDB table, including its primary key and local and global secondary indexes, whenever the table is persisted to disk.


Remediation:

DynamoDB backups are automatically encrypted with the same encryption key that was used to encrypt the source DynamoDB table. This means that if the DynamoDB table is encrypted, its backups are also automatically encrypted.

Delete the existing unencrypted backups, enable encryption on the DynamoDB table first, and then take the backup.


To encrypt the DynamoDB table, follow the steps in the documentation below:

Ensure DynamoDB Table Encrypted with KMS
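
The audit step behind this remediation, as an added Python example that is not part of the original page or of AWS's own tooling: it reads DescribeBackup results and lists the available backups whose source table was not KMS-encrypted when the backup was taken. Treating "encrypted" as SSEDescription with Status ENABLED and SSEType KMS is an assumption taken from the linked KMS check; the sample records and ARNs are constructed.

```python
"""Audit DynamoDB on-demand backups for KMS encryption (added example)."""

def backup_is_kms_encrypted(description):
    """True if a DescribeBackup 'BackupDescription' shows the source table
    was KMS-encrypted when the backup was taken (assumed compliance rule)."""
    sse = description.get("SourceTableFeatureDetails", {}).get("SSEDescription", {})
    return sse.get("Status") == "ENABLED" and sse.get("SSEType") == "KMS"

def find_noncompliant(descriptions):
    """Return ARNs of AVAILABLE backups that lack KMS encryption."""
    flagged = []
    for desc in descriptions:
        details = desc["BackupDetails"]
        if details.get("BackupStatus") != "AVAILABLE":
            continue  # CREATING or DELETED backups cannot be acted on
        if not backup_is_kms_encrypted(desc):
            flagged.append(details["BackupArn"])
    return flagged

def fetch_descriptions(client):
    """Collect the BackupDescription of every backup, following pagination.
    `client` is a boto3 DynamoDB client: boto3.client("dynamodb")."""
    out, kwargs = [], {}
    while True:
        page = client.list_backups(**kwargs)
        for summary in page.get("BackupSummaries", []):
            resp = client.describe_backup(BackupArn=summary["BackupArn"])
            out.append(resp["BackupDescription"])
        if "LastEvaluatedBackupArn" not in page:
            return out
        kwargs["ExclusiveStartBackupArn"] = page["LastEvaluatedBackupArn"]

# Constructed sample records (account id, table name and backup ids are made up).
_ARN = "arn:aws:dynamodb:us-east-1:111122223333:table/orders/backup/"
SAMPLE = [
    {"BackupDetails": {"BackupArn": _ARN + "0001", "BackupStatus": "AVAILABLE"},
     "SourceTableFeatureDetails": {
         "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS"}}},
    {"BackupDetails": {"BackupArn": _ARN + "0002", "BackupStatus": "AVAILABLE"},
     "SourceTableFeatureDetails": {}},  # no SSEDescription recorded
    {"BackupDetails": {"BackupArn": _ARN + "0003", "BackupStatus": "DELETED"},
     "SourceTableFeatureDetails": {}},  # already deleted, skipped
]

if __name__ == "__main__":
    for arn in find_noncompliant(SAMPLE):
        print("backup without KMS encryption:", arn)
```

Against a real account, pass `fetch_descriptions(boto3.client("dynamodb"))` to `find_noncompliant`; the ARNs it returns are the backups the deletion step above applies to.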


Reference:

DynamoDB Backups - Amazon DynamoDB