HHS / simpler-grants-gov

https://simpler.grants.gov

[Task]: Configure DynamoDB to Pass Security Hub Checks #959

Closed acouch closed 8 months ago

acouch commented 8 months ago

Summary

Security Hub identifies two items for DynamoDB that need to be fixed:

This can likely be done by updating the existing settings.

This ticket is to fix those or identify ones that do not apply to our environment. This issue can be broken up into smaller tasks if desired by the implementer.

Acceptance criteria

jamesbursa commented 8 months ago

Additional detail of these controls from Amazon DynamoDB controls - AWS Security Hub:

[DynamoDB.4] DynamoDB tables should be present in a backup plan

This control evaluates whether an Amazon DynamoDB table in ACTIVE state is covered by a backup plan. The control fails if the DynamoDB table isn't covered by a backup plan. If you set the backupVaultLockCheck parameter equal to true, the control passes only if the DynamoDB table is backed up in an AWS Backup locked vault.

[DynamoDB.6] DynamoDB tables should have deletion protection enabled

This control checks whether an Amazon DynamoDB table has deletion protection enabled. The control fails if a DynamoDB table doesn't have deletion protection enabled.

You can protect a DynamoDB table from accidental deletion with the deletion protection property. Enabling this property for tables helps ensure that tables don't get accidentally deleted during regular table management operations by your administrators. This helps prevent disruption to your normal business operations.
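Added example, not part of the issue thread or the project's code: a local pre-check that applies the pass/fail conditions quoted above for DynamoDB.4 and DynamoDB.6 to table descriptions. It approximates the controls and is not Security Hub's own evaluation logic; the table names, ARNs, and the way backup coverage is supplied (plain sets of ARNs) are assumptions.

```python
# Local approximation of the two controls, not Security Hub's own logic.
# Inputs are assumed to come from DynamoDB DescribeTable ("Table" objects) and from
# a list of ARNs covered by AWS Backup; all values below are constructed.

ARN = "arn:aws:dynamodb:us-east-1:111122223333:table/"  # constructed account/region

SAMPLE_TABLES = [
    {"TableName": "example-sessions", "TableArn": ARN + "example-sessions",
     "TableStatus": "ACTIVE", "DeletionProtectionEnabled": True},
    {"TableName": "example-orders", "TableArn": ARN + "example-orders",
     "TableStatus": "ACTIVE", "DeletionProtectionEnabled": True},
    {"TableName": "example-audit", "TableArn": ARN + "example-audit",
     "TableStatus": "ACTIVE", "DeletionProtectionEnabled": False},
    {"TableName": "example-new", "TableArn": ARN + "example-new",
     "TableStatus": "CREATING"},  # field absent: treated as not enabled
]
BACKUP_COVERED = {ARN + "example-sessions", ARN + "example-orders"}
LOCKED_VAULT_COVERED = {ARN + "example-sessions"}


def evaluate_tables(tables, backup_covered, locked_vault_covered=frozenset(),
                    backup_vault_lock_check=False):
    """Return {table name: [failed control IDs]} for each table description."""
    findings = {}
    for table in tables:
        failed = []
        # DynamoDB.4 evaluates only tables in ACTIVE state.
        if table.get("TableStatus") == "ACTIVE":
            # With backupVaultLockCheck=true, only locked-vault coverage passes.
            required = locked_vault_covered if backup_vault_lock_check else backup_covered
            if table["TableArn"] not in required:
                failed.append("DynamoDB.4")
        # DynamoDB.6: the quoted text gives no state condition, so check every table.
        if not table.get("DeletionProtectionEnabled", False):
            failed.append("DynamoDB.6")
        findings[table["TableName"]] = failed
    return findings


if __name__ == "__main__":
    for lock_check in (False, True):
        print(f"backupVaultLockCheck={lock_check}")
        result = evaluate_tables(SAMPLE_TABLES, BACKUP_COVERED,
                                 LOCKED_VAULT_COVERED, lock_check)
        for name, failed in result.items():
            print(f"  {name}: {'FAIL ' + ', '.join(failed) if failed else 'PASS'}")
```

Running it against real table descriptions before a deploy shows which tables would still fail each control, including tables that pass DynamoDB.4 only while `backupVaultLockCheck` is left off.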