Amazon DynamoDB Requirements and Considerations
Before you protect your DynamoDB using Cohesity Cloud Protection Service, ensure you have met the prerequisites and reviewed the considerations.
For information on the supported cloud regions where you can back up this source, see Supported Workloads and Cloud Regions.
Account Requirements
To register your AWS account, run the CloudFormation Template (CFT) and add permissions to the IAM user.
The tables below list the permissions used by Cohesity in your AWS account. You do not need to add these permissions manually (except the IAM User Permissions to Execute CFT), as they are automatically added when you run the CFT provided by Cohesity during your AWS account registration with the Cohesity Cloud Protection Service.
IAM User Permissions to Execute CFT
To register an AWS account with the Cohesity Cloud Protection Service, you need to run the CloudFormation Template on the AWS console. Ensure that the IAM user you use has the following permissions to run the CloudFormation Template and to create and view the stack:
You must add these permissions manually.
- cloudformation:CreateChangeSet
- cloudformation:CreateStack
- cloudformation:CreateUploadBucket
- cloudformation:DeleteStack
- cloudformation:DescribeStackEvents
- cloudformation:DescribeStackResources
- cloudformation:DescribeStacks
- cloudformation:GetTemplate
- cloudformation:GetTemplateSummary
- cloudformation:ListStackResources
- cloudformation:ListStacks
- cloudformation:UpdateStack
- iam:AddRoleToInstanceProfile
- iam:AttachRolePolicy
- iam:CreateInstanceProfile
- iam:CreateRole
- iam:DeleteInstanceProfile
- iam:DeleteRole
- iam:DeleteRolePolicy
- iam:DetachRolePolicy
- iam:GetInstanceProfile
- iam:GetRole
- iam:GetRolePolicy
- iam:PassRole
- iam:PutRolePolicy
- iam:RemoveRoleFromInstanceProfile
- iam:TagRole
- lambda:AddPermission
- lambda:CreateFunction
- lambda:DeleteFunction
- lambda:InvokeFunction
- lambda:RemovePermission
- s3:CreateBucket
- s3:GetObject
- s3:ListBucket
- s3:PutObject
- s3:PutBucketPublicAccessBlock
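Before running the CFT, a practitioner will usually want to confirm that the policy actually attached to the IAM user covers the list above. The following added example (not Cohesity's code) does that check offline against a policy document in the JSON form the IAM API returns; the sample policy is constructed, and the check deliberately ignores Deny, NotAction and Condition blocks, so an empty result is necessary but not sufficient.

```python
"""Offline coverage check for the IAM user that will run the Cohesity CFT.
Added example, not Cohesity code.  Deny statements, NotAction and Condition
blocks are ignored; the SAMPLE_POLICY below is constructed for illustration."""
import fnmatch

# Actions listed on this page for the IAM user that executes the CloudFormation Template.
REQUIRED_CFT_ACTIONS = [f"{svc}:{op}" for svc, ops in {
    "cloudformation": ["CreateChangeSet", "CreateStack", "CreateUploadBucket", "DeleteStack",
                       "DescribeStackEvents", "DescribeStackResources", "DescribeStacks",
                       "GetTemplate", "GetTemplateSummary", "ListStackResources", "ListStacks",
                       "UpdateStack"],
    "iam": ["AddRoleToInstanceProfile", "AttachRolePolicy", "CreateInstanceProfile", "CreateRole",
            "DeleteInstanceProfile", "DeleteRole", "DeleteRolePolicy", "DetachRolePolicy",
            "GetInstanceProfile", "GetRole", "GetRolePolicy", "PassRole", "PutRolePolicy",
            "RemoveRoleFromInstanceProfile", "TagRole"],
    "lambda": ["AddPermission", "CreateFunction", "DeleteFunction", "InvokeFunction",
               "RemovePermission"],
    "s3": ["CreateBucket", "GetObject", "ListBucket", "PutObject", "PutBucketPublicAccessBlock"],
}.items() for op in ops]


def allowed_action_patterns(policy):
    """Collect the Action patterns of every Allow statement (string or list form)."""
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def missing_actions(policy, required=REQUIRED_CFT_ACTIONS):
    """Return the required actions that no Allow pattern matches.  IAM compares action
    names case-insensitively and treats * and ? as wildcards, which fnmatchcase reproduces
    once both sides are lower-cased."""
    patterns = [p.lower() for p in allowed_action_patterns(policy)]
    return [a for a in required
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]


# Constructed sample: broad on CloudFormation/Lambda/S3, but narrow on IAM, so the
# role/instance-profile management actions the CFT needs show up as missing.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["cloudformation:*", "lambda:*", "s3:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:Get*", "iam:PassRole", "iam:CreateRole"], "Resource": "*"},
    ],
}
```

Running `missing_actions(SAMPLE_POLICY)` lists the ten `iam:` actions the sample policy lacks; feed it the output of `aws iam get-user-policy` or `get-policy-version` for the real user instead.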
Permissions for DynamoDB Data Protection
You do not need to add these permissions manually, as they are automatically added when you run the CFT.
| Resource | Permissions | Reason |
|---|---|---|
| IAM | iam:PassRole | |
| KMS* | kms:CreateGrant, kms:DescribeKey, kms:Decrypt, kms:Encrypt, kms:ListAliases, kms:ListKeys | KMS permissions are needed to read the data of an encrypted database at backup time and to write encrypted data to the recovered database. The list permissions are needed to list and identify the keys associated with database instances. |
| DynamoDB | dynamodb:BatchWriteItem, dynamodb:DeleteItem, dynamodb:GetItem, dynamodb:PutItem, dynamodb:Query, dynamodb:RestoreTableToPointInTime, dynamodb:Scan, dynamodb:UpdateItem, dynamodb:CreateTable, dynamodb:UpdateTable, dynamodb:DescribeContinuousBackups, dynamodb:DescribeExport, dynamodb:DescribeImport, dynamodb:DescribeTable, dynamodb:ExportTableToPointInTime, dynamodb:ImportTable, dynamodb:ListTables, dynamodb:ListTagsOfResource, dynamodb:TagResource, dynamodb:UpdateContinuousBackups | These permissions are required for backing up and recovering Amazon DynamoDB tables. |
| S3 | s3:CreateBucket, s3:GetBucketLocation, s3:PutBucketTagging, s3:DeleteBucket, s3:AbortMultipartUpload, s3:DeleteObject, s3:GetBucketVersioning, s3:GetObject, s3:GetObjectTagging, s3:GetObjectVersion, s3:ListBucket, s3:ListBucketMultipartUploads, s3:ListMultipartUploadParts, s3:PutObject, s3:PutObjectTagging | |
| Glue | glue:CreateJob, glue:TagResource, glue:DeleteJob, glue:StartJobRun, glue:GetJobRun | |
| CloudWatch Logs | logs:DescribeLogGroups, logs:CreateLogGroup, logs:CreateLogStream, logs:DescribeLogStreams, logs:GetLogEvents, logs:PutLogEvents | |
*If you want to use a KMS key belonging to a different AWS account, then perform the steps described in the AWS documentation.
Considerations
- Protection of DynamoDB tables that contain float values in the partition key, sort key, or both is not supported.
- You do not need to deploy a SaaS connection to protect Amazon DynamoDB tables.
- Tables in Amazon DynamoDB can be protected across all regions in your AWS account.
- During recovery, you can restore the Amazon DynamoDB tables to their original region; however, restoring a table with the same name as an existing table is not supported.
- Cohesity supports Point-in-Time Recovery (PITR) of Amazon DynamoDB tables, provided that PITR was enabled on the table at the time of backup.
- After you unprotect a DynamoDB table, you must manually disable PITR on that table to avoid unnecessary PITR retention and the associated AWS costs.
- For DynamoDB tables larger than 2.5 GB, you must increase the default Max task DPUs per account in the AWS region where the AWS Glue job runs. Contact your Cohesity account team to request an increase in the Max task DPUs per account.
- Restore of Local Secondary Indexes (LSIs) is not supported when using snapshot-based protection. This is an AWS consideration for importing DynamoDB tables from Amazon S3.
- Manually turning off Point-in-Time Recovery (PITR) for a table after a full backup breaks the backup chain. As a result, subsequent incremental backups cannot be performed until a new full backup is completed.
- Restoring a backup taken from a higher DynamoDB version to a lower version is not supported.
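Because turning PITR off on a protected table silently breaks the backup chain, it is worth alerting on that control-plane call. The following added example (not Cohesity's code) runs a detection over CloudTrail records for `UpdateContinuousBackups` calls that set PITR to disabled; the records are constructed and follow CloudTrail's lower-camelCase rendering of the request, and failed calls (which CloudTrail also logs, with an `errorCode`) are skipped since they did not change the table.

```python
"""Detection over CloudTrail records: flag UpdateContinuousBackups calls that turned
Point-in-Time Recovery off on a DynamoDB table.  Added example, not Cohesity code; the
records below are constructed (CloudTrail lower-camelCases the request parameters)."""
import json

# Constructed sample log file body in CloudTrail's delivery format ({"Records": [...]}).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "UpdateContinuousBackups", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-admin"},
     "requestParameters": {"tableName": "orders",
                           "pointInTimeRecoverySpecification": {"pointInTimeRecoveryEnabled": False}}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "UpdateContinuousBackups", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/backup-service"},
     "requestParameters": {"tableName": "customers",
                           "pointInTimeRecoverySpecification": {"pointInTimeRecoveryEnabled": True}}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "UpdateContinuousBackups", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/intern"},
     "errorCode": "AccessDenied",  # denied call: PITR state did not change
     "requestParameters": {"tableName": "ledger",
                           "pointInTimeRecoverySpecification": {"pointInTimeRecoveryEnabled": False}}},
    {"eventTime": "2024-05-01T10:09:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "DescribeTable", "awsRegion": "us-east-1",
     "requestParameters": {"tableName": "orders"}},
]})


def pitr_disabled_events(records):
    """Return one finding per successful call that set pointInTimeRecoveryEnabled to false."""
    findings = []
    for rec in records:
        if (rec.get("eventSource") != "dynamodb.amazonaws.com"
                or rec.get("eventName") != "UpdateContinuousBackups"
                or "errorCode" in rec):  # CloudTrail logs failed calls too; skip them
            continue
        params = rec.get("requestParameters") or {}
        spec = params.get("pointInTimeRecoverySpecification") or {}
        if spec.get("pointInTimeRecoveryEnabled") is False:
            findings.append({"table": params.get("tableName"), "region": rec.get("awsRegion"),
                             "actor": (rec.get("userIdentity") or {}).get("arn"),
                             "time": rec.get("eventTime")})
    return findings


def scan_cloudtrail_log(text):
    """Parse a delivered CloudTrail log file body and return the PITR-disabled findings."""
    return pitr_disabled_events(json.loads(text).get("Records", []))
```

On the sample, only the `orders` change is reported; in practice, correlate each finding with the list of tables still under protection, since disabling PITR is expected (and required, per the considerations above) only after a table has been unprotected.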