Amazon DynamoDB Requirements and Considerations

Before you protect your Amazon DynamoDB tables using Cohesity DataProtect as a Service, ensure you have met the prerequisites and reviewed the considerations.

For information on the supported cloud regions where you can back up this source, see Supported Workloads and Cloud Regions.

Account Requirements

To register your AWS account, run the CloudFormation Template (CFT) and add permissions to the IAM user.

The tables below list the permissions used by Cohesity in your AWS account. You do not need to add these permissions manually (except the IAM User Permissions to Execute CFT), as they are automatically added when you run the CFT provided by Cohesity during your AWS account registration with the Cohesity DataProtect as a Service.

IAM User Permissions to Execute CFT

To register an AWS account with the Cohesity DataProtect as a Service, you need to run the CloudFormation Template on the AWS console. Ensure the IAM user you use has the following permissions to run the CloudFormation Template and to create and view the stack:

You must add these permissions manually.

  • cloudformation:CreateChangeSet
  • cloudformation:CreateStack
  • cloudformation:CreateUploadBucket
  • cloudformation:DeleteStack
  • cloudformation:DescribeStackEvents
  • cloudformation:DescribeStackResources
  • cloudformation:DescribeStacks
  • cloudformation:GetTemplate
  • cloudformation:GetTemplateSummary
  • cloudformation:ListStackResources
  • cloudformation:ListStacks
  • cloudformation:UpdateStack
  • iam:AddRoleToInstanceProfile
  • iam:AttachRolePolicy
  • iam:CreateInstanceProfile
  • iam:CreateRole
  • iam:DeleteInstanceProfile
  • iam:DeleteRole
  • iam:DeleteRolePolicy
  • iam:DetachRolePolicy
  • iam:GetInstanceProfile
  • iam:GetRole
  • iam:GetRolePolicy
  • iam:PassRole
  • iam:PutRolePolicy
  • iam:RemoveRoleFromInstanceProfile
  • iam:TagRole
  • lambda:AddPermission
  • lambda:CreateFunction
  • lambda:DeleteFunction
  • lambda:InvokeFunction
  • lambda:RemovePermission
  • s3:CreateBucket
  • s3:GetObject
  • s3:ListBucket
  • s3:PutObject
  • s3:PutBucketPublicAccessBlock
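Before running the CFT, a practitioner usually wants to confirm that the IAM user actually holds every action in the list above, including actions that are only granted through wildcards or are blocked by an explicit Deny in a permissions boundary. The following script is an added example, not Cohesity's or AWS's code: it carries the action list from this page, renders it as a standalone policy document, and evaluates a set of policy documents against it at the action level (Resource ARNs and Condition blocks are deliberately ignored, so treat it as a pre-check, not a replacement for `aws iam simulate-principal-policy`). The two policy documents at the bottom are constructed samples; in practice you would fetch the user's inline and attached policies with the IAM API.

```python
"""Action-level check that an IAM principal's policies cover the actions the
Cohesity CloudFormation Template needs. Added example, not Cohesity's code.
SAMPLE_POLICIES are constructed; Resource and Condition are ignored."""
import json
from fnmatch import fnmatchcase


def _prefixed(service, names):
    return [f"{service}:{n}" for n in names.split()]


# Actions from "IAM User Permissions to Execute CFT" on this page.
CFT_REQUIRED_ACTIONS = (
    _prefixed("cloudformation",
              "CreateChangeSet CreateStack CreateUploadBucket DeleteStack "
              "DescribeStackEvents DescribeStackResources DescribeStacks "
              "GetTemplate GetTemplateSummary ListStackResources ListStacks UpdateStack")
    + _prefixed("iam",
                "AddRoleToInstanceProfile AttachRolePolicy CreateInstanceProfile CreateRole "
                "DeleteInstanceProfile DeleteRole DeleteRolePolicy DetachRolePolicy "
                "GetInstanceProfile GetRole GetRolePolicy PassRole PutRolePolicy "
                "RemoveRoleFromInstanceProfile TagRole")
    + _prefixed("lambda", "AddPermission CreateFunction DeleteFunction InvokeFunction RemovePermission")
    + _prefixed("s3", "CreateBucket GetObject ListBucket PutObject PutBucketPublicAccessBlock")
)


def cft_policy_document():
    """Render the list as an IAM policy. Resource "*" is an assumption: actions such
    as iam:PassRole should be narrowed to the stack's role ARNs once they are known."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "CohesityCftExecution", "Effect": "Allow",
                           "Action": CFT_REQUIRED_ACTIONS, "Resource": "*"}]}


def _as_list(value):
    # IAM allows a single string/object or a list in Statement, Action and NotAction.
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(action, patterns):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def evaluate(policies, action):
    """Return 'allow', 'deny' or 'implicit-deny' for one action across all policy
    documents. An explicit Deny wins over any Allow, as in IAM."""
    allowed = False
    for doc in policies:
        for st in _as_list(doc.get("Statement")):
            if "Action" in st:
                hit = _matches(action, st["Action"])
            else:  # NotAction: the statement applies to every action NOT listed
                hit = not _matches(action, st.get("NotAction"))
            if not hit:
                continue
            if st.get("Effect") == "Deny":
                return "deny"
            allowed = True
    return "allow" if allowed else "implicit-deny"


def missing_cft_actions(policies):
    """Map each required action that is not allowed to the reason it fails."""
    result = {}
    for action in CFT_REQUIRED_ACTIONS:
        verdict = evaluate(policies, action)
        if verdict != "allow":
            result[action] = verdict
    return result


# Constructed sample: a "mostly there" operator policy plus a guardrail policy
# (e.g. a permissions boundary) that explicitly denies iam:PassRole.
SAMPLE_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["cloudformation:*", "lambda:*", "iam:*Role*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"], "Resource": "*"},
    ]},
    {"Version": "2012-10-17",
     "Statement": {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"}},
]

if __name__ == "__main__":
    for action, why in missing_cft_actions(SAMPLE_POLICIES).items():
        print(f"{action}: {why}")
    print(json.dumps(cft_policy_document(), indent=2))
```

Running it against the sample shows the two gaps such wildcards typically leave: `iam:*Role*` does not cover the three `InstanceProfile` actions, the S3 grant lacks `s3:CreateBucket` and `s3:PutBucketPublicAccessBlock`, and `iam:PassRole` is reported as `deny` even though the first document allows it, because the guardrail's explicit Deny wins.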

Permissions for DynamoDB Data Protection

You do not need to add these permissions manually, as they are automatically added when you run the CFT.

Resource: IAM
Permissions:
  • iam:PassRole

Resource: KMS
Permissions:
  • kms:CreateGrant
  • kms:DescribeKey
  • kms:Decrypt
  • kms:Encrypt
  • kms:ListAliases
  • kms:ListKeys
Reason: KMS permissions are needed to read data of an encrypted database at the time of backup, as well as write encrypted data to the recovered database. Describe permissions are needed so we can list and identify keys associated with database instances.

Resource: DynamoDB
Permissions:
  • dynamodb:BatchWriteItem
  • dynamodb:DeleteItem
  • dynamodb:GetItem
  • dynamodb:PutItem
  • dynamodb:Query
  • dynamodb:RestoreTableToPointInTime
  • dynamodb:Scan
  • dynamodb:UpdateItem
  • dynamodb:CreateTable
  • dynamodb:DescribeContinuousBackups
  • dynamodb:DescribeExport
  • dynamodb:DescribeImport
  • dynamodb:DescribeTable
  • dynamodb:ExportTableToPointInTime
  • dynamodb:ImportTable
  • dynamodb:ListTables
  • dynamodb:ListTagsOfResource
  • dynamodb:TagResource
  • dynamodb:UpdateContinuousBackups
Reason: These permissions are required for backing up and recovering Amazon DynamoDB tables.

Resource: S3
Permissions:
  • s3:CreateBucket
  • s3:GetBucketLocation
  • s3:PutBucketTagging
  • s3:DeleteBucket
  • s3:AbortMultipartUpload
  • s3:DeleteObject
  • s3:GetBucketVersioning
  • s3:GetObject
  • s3:GetObjectTagging
  • s3:GetObjectVersion
  • s3:ListBucket
  • s3:ListBucketMultipartUploads
  • s3:ListMultipartUploadParts
  • s3:PutObject
  • s3:PutObjectTagging

Resource: AWS Glue
Permissions:
  • glue:CreateJob
  • glue:TagResource
  • glue:DeleteJob
  • glue:StartJobRun
  • glue:GetJobRun

Resource: CloudWatch Logs
Permissions:
  • logs:DescribeLogGroups
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:DescribeLogStreams
  • logs:GetLogEvents
  • logs:PutLogEvents

*If you want to use a KMS key belonging to a different AWS account, then perform the steps described in the AWS documentation.

Considerations

  • You do not need to deploy a SaaS connection to protect Amazon DynamoDB tables.

  • Tables in Amazon DynamoDB can be protected across all regions in your AWS account.

  • During recovery, you can restore the Amazon DynamoDB tables to their original region; however, restoring a table with the same name as an existing table is not supported.

  • Cohesity supports Point-in-Time Recovery (PITR) of Amazon DynamoDB tables, provided that PITR was enabled on the table at the time of backup.

  • For DynamoDB tables larger than 800 GB, you must increase the default Max task DPUs per account in the AWS region where the AWS Glue job runs.
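The permissions table grants `dynamodb:DescribeTable` and `dynamodb:DescribeContinuousBackups`, which are exactly the calls needed to check the considerations above before a backup or restore is attempted: whether PITR is on (so point-in-time restore will be available), whether the table is over 800 GB (so the Glue "Max task DPUs per account" quota needs raising first), whether the table's KMS key lives in another account (so the AWS cross-account key steps apply), and whether a planned restore name collides with an existing table. The script below is an added example, not Cohesity's code. Its inputs use the response shapes of boto3's DynamoDB `describe_table()` and `describe_continuous_backups()`, but the two sample tables are constructed so that it runs offline; the 800 GB threshold is taken as 800 * 10**9 bytes, which is an assumption about the unit.

```python
"""Pre-backup / pre-restore checks for a DynamoDB table, derived from the
Considerations on this page. Added example, not Cohesity's code. The sample
describe_table / describe_continuous_backups responses are constructed."""

# "Larger than 800 GB": decimal GB assumed here; adjust if you size in GiB.
GLUE_DPU_SIZE_THRESHOLD = 800 * 10**9


def kms_key_account(key_arn):
    """Account ID field of a KMS key ARN: arn:<partition>:kms:<region>:<account>:key/<id>."""
    parts = key_arn.split(":")
    if len(parts) < 6 or parts[2] != "kms":
        raise ValueError(f"not a KMS key ARN: {key_arn}")
    return parts[4]


def preflight(table_desc, backups_desc, account_id):
    """Return (code, message) findings that need attention before protecting the table."""
    table = table_desc["Table"]
    findings = []

    pitr = (backups_desc["ContinuousBackupsDescription"]
            ["PointInTimeRecoveryDescription"]["PointInTimeRecoveryStatus"])
    if pitr != "ENABLED":
        findings.append(("pitr_disabled",
                         "PITR is off; point-in-time restore will not be available for this table's backups"))

    # DescribeTable's TableSizeBytes is refreshed by AWS roughly every six hours,
    # so a table that has just grown past the limit may still report an older size.
    if table.get("TableSizeBytes", 0) > GLUE_DPU_SIZE_THRESHOLD:
        findings.append(("glue_dpu",
                         "table exceeds 800 GB; raise 'Max task DPUs per account' for AWS Glue in this region"))

    # Tables encrypted with the AWS owned key return no SSEDescription at all.
    sse = table.get("SSEDescription") or {}
    if sse.get("SSEType") == "KMS" and kms_key_account(sse["KMSMasterKeyArn"]) != account_id:
        findings.append(("cross_account_kms",
                         "table is encrypted with a KMS key from another account; follow the AWS cross-account key steps"))
    return findings


def restore_name_conflict(target_name, existing_table_names):
    """True when a restore would reuse an existing table name, which is not supported.
    existing_table_names is the TableNames list from list_tables()."""
    return target_name in set(existing_table_names)


OWN_ACCOUNT = "123456789012"  # constructed

# Constructed: a large table, PITR disabled, encrypted with another account's key.
SAMPLE_BIG_TABLE = {"Table": {
    "TableName": "orders",
    "TableSizeBytes": 950 * 10**9,
    "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
                       "KMSMasterKeyArn": "arn:aws:kms:us-east-1:999999999999:key/11111111-2222-3333-4444-555555555555"},
}}
SAMPLE_BIG_BACKUPS = {"ContinuousBackupsDescription": {
    "ContinuousBackupsStatus": "ENABLED",
    "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "DISABLED"},
}}

# Constructed: a small table with PITR on and the AWS owned key (no SSEDescription).
SAMPLE_SMALL_TABLE = {"Table": {"TableName": "sessions", "TableSizeBytes": 20 * 10**6}}
SAMPLE_SMALL_BACKUPS = {"ContinuousBackupsDescription": {
    "ContinuousBackupsStatus": "ENABLED",
    "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "ENABLED"},
}}

if __name__ == "__main__":
    for name, table, backups in (("orders", SAMPLE_BIG_TABLE, SAMPLE_BIG_BACKUPS),
                                 ("sessions", SAMPLE_SMALL_TABLE, SAMPLE_SMALL_BACKUPS)):
        for code, msg in preflight(table, backups, OWN_ACCOUNT) or [("ok", "no findings")]:
            print(f"{name}: {code}: {msg}")
    print("restore name conflict:", restore_name_conflict("orders", ["orders", "sessions"]))
```

To run it against real tables, replace the constructed dicts with the responses of `describe_table(TableName=...)`, `describe_continuous_backups(TableName=...)` and `list_tables()`; the account ID can be taken from `sts get-caller-identity`. The `pitr_disabled` finding is the one worth acting on earliest, since PITR must already be on at backup time for a point-in-time restore to be possible later.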