Enable Time To Live (TTL)

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Time To Live (TTL) feature is enabled and configured for your Amazon DynamoDB tables in order to automate data expiration, reduce storage costs, and ensure data relevance.

Cost optimisation

Time To Live (TTL) offers a cost-efficient approach to purging outdated data in Amazon DynamoDB. TTL empowers you to assign an expiration timestamp to each item, effectively marking it for deletion when it ceases to be relevant. To ensure that your storage costs remain optimized, Amazon DynamoDB automatically removes expired items within a few days of their expiration without consuming any write throughput.

Audit

To determine if Time To Live (TTL) feature is enabled for your Amazon DynamoDB tables, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon DynamoDB console available at https://console.aws.amazon.com/dynamodbv2/.

03 In the main navigation panel, under Dashboard, choose Tables.

04 Click on the name (link) of the Amazon DynamoDB table that you want to examine.

05 Select the Additional settings tab to access the additional settings available for the selected table.

06 In the Time to Live (TTL) section, check the TTL status configuration attribute value. If TTL status is set to Off, the Time To Live (TTL) feature is not enabled for the selected Amazon DynamoDB table.

07 Repeat steps no. 4 – 6 for each Amazon DynamoDB table available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-tables command (OSX/Linux/UNIX) with custom query filters to list the name of each Amazon DynamoDB table created in the selected AWS cloud region:

aws dynamodb list-tables \
  --region us-east-1 \
  --output table \
  --query 'TableNames'

02 The command output should return a table with the requested table name(s):

--------------------------
|       ListTables       |
+------------------------+
|  cc-product-reviews    |
|  cc-product-inventory  |
+------------------------+

03 Run describe-time-to-live command (OSX/Linux/UNIX) using the name of the Amazon DynamoDB table that you want to examine as the identifier parameter and custom query filters to return the Time To Live (TTL) feature status for the selected table:

aws dynamodb describe-time-to-live \
  --region us-east-1 \
  --table-name cc-product-reviews \
  --query 'TimeToLiveDescription.TimeToLiveStatus'

04 The command output should return the feature status for the selected table:

"DISABLED"

If the describe-time-to-live command output returns "DISABLED", as shown in the output example above, the Time To Live (TTL) feature is not enabled for the selected Amazon DynamoDB table.

05 Repeat steps no. 3 and 4 for each DynamoDB table available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enable and configure the Time To Live (TTL) feature for your existing Amazon DynamoDB tables, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon DynamoDB console available at https://console.aws.amazon.com/dynamodbv2/.

03 In the main navigation panel, under Dashboard, choose Tables.

04 Click on the name (link) of the Amazon DynamoDB table that you want to configure.

05 Select the Additional settings tab to access the additional settings available for the selected table.

06 Choose Turn on from the Time to Live (TTL) section to initiate the process.

07 On the Turn on Time to Live (TTL) setup page, perform the following actions:

  1. To use the feature, Amazon DynamoDB requires you to identify a specific attribute name that the service will look for when determining if an item is eligible for expiration. Provide the required attribute name in the TTL attribute name box, in the TTL settings section. The attribute name is case sensitive and must match the attribute defined in your read and write operations.
  2. (Optional) In the Preview section, select the date and time to simulate which items would be expired, then choose Run preview to perform the test. The sample list returned in the Items to be deleted section serves as evidence that there are items containing the TTL attribute name provided along with the expiration time.
  3. Choose Turn on TTL to enable the Time To Live (TTL) feature for the selected Amazon DynamoDB table. After the feature is enabled, the TTL attribute is marked TTL when you view your items on the Amazon DynamoDB console.

08 Repeat steps no. 4 – 7 for each Amazon DynamoDB table that you want to configure, available in the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run update-time-to-live command (OSX/Linux/UNIX) using the name of the Amazon DynamoDB table that you want to configure as the identifier parameter, to enable the Time To Live (TTL) feature for the selected DynamoDB table. Replace [ttl-attribute-name] with the name of the attribute that will store the TTL expiration time for items in the selected table. The attribute name is case sensitive and must match the attribute defined in your read and write operations:

aws dynamodb update-time-to-live \
  --region us-east-1 \
  --table-name cc-product-reviews \
  --time-to-live-specification "Enabled=true, AttributeName=[ttl-attribute-name]"

02 The command output should return the Time To Live (TTL) feature configuration for the selected table:

{
	"TimeToLiveSpecification": {
		"Enabled": true,
		"AttributeName": "[ttl-attribute-name]"
	}
}

03 Repeat steps no. 1 and 2 for each Amazon DynamoDB table that you want to configure, available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.
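The Audit and Remediation procedures above are written as one-table-at-a-time CLI steps. The script below is an added example (not part of the Conformity page or the AWS CLI) that generalises them: it walks every table in each region passed on the command line, classifies the describe-time-to-live status into a verdict, and offers a helper to enable TTL on a single table once you have decided which attribute holds the expiration timestamp. The JSON parsing and verdict logic are pure functions so they can be checked against a captured response without calling AWS. The table names, attribute name `expires_at`, and the sample JSON are constructed for illustration; the fact that the TTL attribute must hold a Number in Unix epoch seconds is standard DynamoDB behaviour.

```shell
#!/bin/sh
# Added example: audit (and optionally enable) DynamoDB TTL across tables and regions.
# Assumes the AWS CLI v2 is installed and credentials with dynamodb:ListTables,
# dynamodb:DescribeTimeToLive and (for enable_ttl) dynamodb:UpdateTimeToLive.
set -eu

# Pull the TimeToLiveStatus value out of `aws dynamodb describe-time-to-live` JSON.
# Works on single-line and pretty-printed output; prints nothing if the key is absent.
ttl_status_from_json() {
  printf '%s' "$1" | sed -n 's/.*"TimeToLiveStatus"[[:space:]]*:[[:space:]]*"\([A-Z_]*\)".*/\1/p'
}

# Map the TTL status to a verdict. Only ENABLED satisfies the rule;
# ENABLING is in transition, everything else (including no status) is a finding.
ttl_verdict() {
  case "$1" in
    ENABLED)                  echo "COMPLIANT" ;;
    ENABLING)                 echo "PENDING" ;;
    DISABLED|DISABLING|"")    echo "NON_COMPLIANT" ;;
    *)                        echo "UNKNOWN" ;;
  esac
}

# Compute the expiration value an item must carry: Unix epoch seconds (a DynamoDB Number).
# $1 = base epoch seconds, $2 = days until expiry. Kept deterministic for testing.
ttl_expiry_epoch() {
  echo $(( $1 + $2 * 86400 ))
}

# Audit every table in one region: prints region, table, raw status, verdict (tab separated).
audit_region() {
  region="$1"
  tables=$(aws dynamodb list-tables --region "$region" --output text --query 'TableNames[]')
  for t in $tables; do
    json=$(aws dynamodb describe-time-to-live --region "$region" --table-name "$t" --output json)
    status=$(ttl_status_from_json "$json")
    printf '%s\t%s\t%s\t%s\n' "$region" "$t" "${status:-NONE}" "$(ttl_verdict "$status")"
  done
}

# Enable TTL on one table using the attribute that stores the expiration epoch.
# $1 = region, $2 = table name, $3 = attribute name (case sensitive, e.g. expires_at).
enable_ttl() {
  aws dynamodb update-time-to-live \
    --region "$1" \
    --table-name "$2" \
    --time-to-live-specification "Enabled=true, AttributeName=$3"
}

# Usage: ./ttl-audit.sh us-east-1 eu-west-1
#        ./ttl-audit.sh --enable us-east-1 cc-product-reviews expires_at
if [ "$#" -gt 0 ]; then
  if [ "$1" = "--enable" ]; then
    enable_ttl "$2" "$3" "$4"
  else
    for r in "$@"; do audit_region "$r"; done
  fi
fi
```

Run it with one or more region names to get a tab-separated report you can grep for NON_COMPLIANT; rerun after remediation to confirm ENABLING has settled to ENABLED. The script deliberately does not enable TTL automatically during the audit, because the attribute name has to match what your application writes; choosing the wrong one silently expires nothing.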

Publication date Jan 11, 2024