Restoring an Amazon DynamoDB table - AWS Backup

Restoring an Amazon DynamoDB table

Use the AWS Backup console to restore DynamoDB recovery points

To restore a DynamoDB table

  1. Open the AWS Backup console at https://console.aws.amazon.com/backup.

  2. In the navigation pane, choose Protected resources and the DynamoDB resource ID you want to restore.

  3. On the Resource details page, a list of recovery points for the selected resource ID is shown. To restore a resource, in the Backups pane, choose the radio button next to the recovery point ID of the resource. In the upper-right corner of the pane, choose Restore.

  4. For Settings, New table name text field, enter a new table name.

  5. For Restore role, choose the IAM role that AWS Backup will assume for this restore.

  6. For Encryption settings:

    1. If your backup is managed by DynamoDB (its ARN begins with arn:aws:dyanmodb), AWS Backup encrypts your restored table using an AWS-owned key.

      To choose a different key to encrypt your restored table, you can either use the AWS Backup StartRestoreJob operation or perform the restore from the DynamoDB console.

    2. If your backup supports full AWS Backup management (its ARN begins with arn:aws:backup), you can choose any of the following encryption options to protect your restored table:

      • (Default) DynamoDB-owned KMS key (no additional charge for encryption)

      • DynamoDB-managed KMS key (KMS charges apply)

      • Customer-managed KMS key (KMS charges apply)

      "DynamoDB-owned" and "DynamoDB-managed" keys are the same as "AWS-owned" and "AWS-managed" keys, respectively. For clarification, see Encryption at Rest: How It Works in the Amazon DynamoDB Developer Guide.

      For more information about full AWS Backup management, see Advanced DynamoDB backup.

    Note

    The following guidance applies only if you restore a copied backup AND want to encrypt the restored table with the same key you used to encrypt your original table.

    When restoring a cross-Region backup, to encrypt your restored table using the same key you used to encrypt your original table, your key must be a multi-Region key. AWS-owned and AWS-managed keys are not multi-Region keys. To learn more, see Multi-Region keys in the AWS Key Management Service Developer Guide.

    When restoring a cross-account backup, to encrypt your restored table using the same key you used to encrypt your original table, you must share the key in your source account with your destination account. AWS-owned and AWS-managed keys cannot be shared between accounts. To learn more, see Allowing users in other accounts to use a KMS key in the AWS Key Management Service Developer Guide.

  7. Choose Restore backup.

    The Restore jobs pane appears. A message at the top of the page provides information about the restore job.

Use the AWS Backup API, CLI, or SDK to restore DynamoDB recovery points

Use StartRestoreJob. You can specify the following metadata during any DynamoDB restore:

originalTableName backupName backupArn primaryPartitionKey sortKey encryptionType kmsMasterKeyArn autoScaling stream secondaryIndicies indexName indexType projectedAttributes targetTableName

The following is an example of the restoreMetadata argument for a StartRestoreJob operation in the CLI:

"restoreMetadata": "{\"autoScaling\":\"Disabled\",\"encryptionType\":\"Default\",\"kmsMasterKeyArn\":\"Not Applicable\",\"secondaryIndices\":\"[]\",\"backupArn\":\"arn:aws:dynamodb:us-east-1:234567890123:table/simcher-loadtest-ScenariosTable-C4B1NQ3B92DU/backup/01616319501023-bc657c53\",\"sortKey\":\"-\",\"stream\":\"Disabled\",\"targetTableName\":null,\"originalTableName\":\"simcher-loadtest-ScenariosTable-C4B1NQ3B92DU\",\"backupName\":\"simcher-loadtest-ScenariosTable-C4B1NQ3B92DU-AwsBackup-2021-03-21T09.15.00Z-D2A6E00C-F3F8-AD99-A47D-8AA26EA38F01\",\"primaryPartitionKey\":\"testId\"}"

The preceding example encrypts the restored table using an AWS-owned key. The part of the restore metadata that specifies encryption using the AWS-owned key is: \"encryptionType\":\"Default\","kmsMasterKeyArn\":\"Not Applicable\".

To encrypt your restored table using an AWS-managed key, specify the following restore metadata: "encryptionType\":\"KMS\",\"keyArn\":\"Not Applicable\".

To encrypt your restored table using an customer-managed key, specify the following restore metadata: "encryptionType\":\"KMS\",\"keyArn\":\"arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab\".