MEDIUM | DynamoDB | Reliability

DynamoDB Point-in-Time Recovery Disabled

dynamodb-pitr-disabled

What this rule checks

Detects DynamoDB tables without Point-in-Time Recovery enabled. PITR provides continuous backups for the last 35 days and is required for SOC2 / HIPAA data resilience.

How to fix it

  1. Set PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled to true on the table
  2. Verify the AWS region supports PITR for your table type (Provisioned / On-Demand)

Flagged

The table has no PointInTimeRecoverySpecification, so the PITR check fires. (A dedup fix now keeps this distinct from other DynamoDB cdkInsights findings.)

import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';

// No Point-in-Time Recovery configured.
new dynamodb.Table(this, 'Table', {
  partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING },
});

Fixed

pointInTimeRecoverySpecification.pointInTimeRecoveryEnabled is true and server-side encryption is set, so PITR is enabled and neither a PITR finding nor an encryption co-finding is produced.

import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';

// PITR enabled (continuous backups) and server-side encryption set so no
// co-finding rides along.
new dynamodb.Table(this, 'Table', {
  partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING },
  pointInTimeRecoverySpecification: {
    pointInTimeRecoveryEnabled: true,
  },
  encryption: dynamodb.TableEncryption.AWS_MANAGED,
});

CDK Insights pinpoints the exact file and line in your CDK source for every finding, so you can jump straight to the fix.

Affected resource types

AWS::DynamoDB::Table, AWS::DynamoDB::GlobalTable
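
The two affected resource types carry the setting in different places in a synthesized CloudFormation template: on AWS::DynamoDB::Table it sits on the table, on AWS::DynamoDB::GlobalTable on each entry of Replicas. The check below is an added example, not CDK Insights' own implementation; the function names and sample template are constructed for illustration, and any value that is not a literal true is treated as not enabled.

```typescript
// Added example, not CDK Insights' own code. Property names follow CloudFormation.
type Json = Record<string, unknown>;
const isObj = (v: unknown): v is Json =>
  typeof v === 'object' && v !== null && !Array.isArray(v);

// Only a literal true (or the string "true") counts as enabled. An intrinsic
// such as { "Fn::If": [...] } cannot be resolved offline, so it is reported.
function pitrEnabled(holder: unknown): boolean {
  if (!isObj(holder)) return false;
  const spec = holder['PointInTimeRecoverySpecification'];
  if (!isObj(spec)) return false;
  const flag = spec['PointInTimeRecoveryEnabled'];
  return flag === true || flag === 'true';
}

// One finding per table, or per replica of a global table, without PITR.
function findTablesWithoutPitr(template: Json): string[] {
  const findings: string[] = [];
  const resources = template['Resources'];
  if (!isObj(resources)) return findings;
  for (const [logicalId, res] of Object.entries(resources)) {
    if (!isObj(res)) continue;
    const props = res['Properties'];
    if (res['Type'] === 'AWS::DynamoDB::Table') {
      if (!pitrEnabled(props)) findings.push(logicalId);
    } else if (res['Type'] === 'AWS::DynamoDB::GlobalTable') {
      // Global tables carry the setting on each entry of Replicas.
      const raw = isObj(props) ? props['Replicas'] : undefined;
      const replicas: unknown[] = Array.isArray(raw) ? raw : [];
      replicas.forEach((replica, i) => {
        if (pitrEnabled(replica)) return;
        const region = isObj(replica) ? replica['Region'] : undefined;
        findings.push(`${logicalId}[${typeof region === 'string' ? region : i}]`);
      });
    }
  }
  return findings;
}

// Constructed sample template (not from a real stack).
const sampleTemplate: Json = {
  Resources: {
    Orders: { Type: 'AWS::DynamoDB::Table', Properties: {} },
    Users: { Type: 'AWS::DynamoDB::Table', Properties: {
      PointInTimeRecoverySpecification: { PointInTimeRecoveryEnabled: true } } },
    Sessions: { Type: 'AWS::DynamoDB::GlobalTable', Properties: { Replicas: [
      { Region: 'eu-west-1',
        PointInTimeRecoverySpecification: { PointInTimeRecoveryEnabled: true } },
      { Region: 'us-east-1' } ] } },
  },
};
console.log(findTablesWithoutPitr(sampleTemplate));
```

Run it against the template files that `cdk synth` writes to cdk.out to see which tables or replicas would need the fix.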

Compliance frameworks

SOC2, HIPAA, NIST

Intentional? Suppress this finding

Sometimes a flag is deliberate — a genuinely public endpoint, say. You can dismiss dynamodb-pitr-disabled and the reason is kept in the report, not silently hidden.

In .cdk-insights.json:

{
  "ignoreRules": [
    { "id": "dynamodb-pitr-disabled", "reason": "Why this is intentional" }
  ]
}

Or inline in your CDK code:

Validations.of(scope).acknowledge({
  id: 'cdk-insights::dynamodb-pitr-disabled',
  reason: 'Why this is intentional',
});

Use the rule ID dynamodb-pitr-disabled shown above — not the CDK-* ID from SARIF / GitHub code scanning. To dismiss every finding on one construct instead, use ignorePaths.

Catch this in your stack

$ npx cdk-insights scan

CDK Insights runs this and 118+ other rules locally against your synthesised CDK app — free, no account, your code never leaves your machine.