# Use point-in-time recovery in Amazon Keyspaces
With Amazon Keyspaces (for Apache Cassandra), you can restore tables to a specific point in time using Point-in-Time Restore (PITR). PITR enables you to restore a table to a prior state within the last 35 days, providing data protection and recovery capabilities. This feature is valuable in cases such as accidental data deletion, application errors, or for testing purposes. You can quickly and efficiently recover data, minimizing downtime and data loss. The following sections guide you through the process of restoring tables using PITR in Amazon Keyspaces, ensuring data integrity and business continuity.
**Topics**
+ [Configure restore table IAM permissions for Amazon Keyspaces PITR](howitworks_restore_permissions.md)
+ [Configure PITR for a table in Amazon Keyspaces](configure_PITR.md)
+ [Turn off PITR for an Amazon Keyspaces table](disable_PITR.md)
+ [Restore a table from backup to a specified point in time in Amazon Keyspaces](restoretabletopointintime.md)
+ [Restore a deleted table using Amazon Keyspaces PITR](restoredeleted.md)
# Configure restore table IAM permissions for Amazon Keyspaces PITR
This section summarizes how to configure permissions for an AWS Identity and Access Management (IAM) principal to restore Amazon Keyspaces tables. In IAM, the AWS managed policy `AmazonKeyspacesFullAccess` includes the permissions to restore Amazon Keyspaces tables. To implement a custom policy with minimum required permissions, consider the requirements outlined in the next section.
To successfully restore a table, the IAM principal needs the following minimum permissions:
+ `cassandra:Restore` – The restore action is required for the target table to be restored.
+ `cassandra:Select` – The select action is required to read from the source table.
+ `cassandra:TagResource` – The tag action is optional, and only required if the restore operation adds tags.
This is an example of a policy that grants minimum required permissions to a user to restore tables in keyspace `mykeyspace`.
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"cassandra:Restore",
"cassandra:Select"
],
"Resource":[
"arn:aws:cassandra:us-east-1:111122223333:/keyspace/mykeyspace/*",
"arn:aws:cassandra:us-east-1:111122223333:/keyspace/system*"
]
}
]
}
```
Additional permissions to restore a table might be required based on other selected features. For example, if the source table is encrypted at rest with a customer managed key, Amazon Keyspaces must have permissions to access the customer managed key of the source table to successfully restore the table. For more information, see [PITR restore of encrypted tables](PointInTimeRecovery_HowItWorks.md#howitworks_backup_encryption).
If you are using IAM policies with [condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) to restrict incoming traffic to specific sources, you must ensure that Amazon Keyspaces has permission to perform a restore operation on your principal's behalf. You must add an `aws:ViaAWSService` condition key to your IAM policy if your policy restricts incoming traffic to any of the following:
+ VPC endpoints with `aws:SourceVpce`
+ IP ranges with `aws:SourceIp`
+ VPCs with `aws:SourceVpc`
The `aws:ViaAWSService` condition key allows access when any AWS service makes a request using the principal's credentials. For more information, see [IAM JSON policy elements: Condition key](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.
The following is an example of a policy that restricts source traffic to a specific IP address and allows Amazon Keyspaces to restore a table on the principal's behalf.
```
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"CassandraAccessForCustomIp",
"Effect":"Allow",
"Action":"cassandra:*",
"Resource":"*",
"Condition":{
"Bool":{
"aws:ViaAWSService":"false"
},
"ForAnyValue:IpAddress":{
"aws:SourceIp":[
"123.45.167.89"
]
}
}
},
{
"Sid":"CassandraAccessForAwsService",
"Effect":"Allow",
"Action":"cassandra:*",
"Resource":"*",
"Condition":{
"Bool":{
"aws:ViaAWSService":"true"
}
}
}
]
}
```
For an example policy using the `aws:ViaAWSService` global condition key, see [VPC endpoint policies and Amazon Keyspaces point-in-time recovery (PITR)](vpc-endpoints.md#VPC_PITR_restore).
# Configure PITR for a table in Amazon Keyspaces
You can configure a table in Amazon Keyspaces for backup and restore operations using PITR with the console, CQL, and the AWS CLI.
When creating a new table using CQL or the AWS CLI, you must explicitly enable PITR in the create table statement. When you create a new table using the console, PITR will be enable by default.
To learn how to restore a table, see [Restore a table from backup to a specified point in time in Amazon Keyspaces](restoretabletopointintime.md).
------
#### [ Console ]
**Configure PITR for a table using the console**
1. Sign in to the AWS Management Console, and open the Amazon Keyspaces console at [https://console.aws.amazon.com/keyspaces/home](https://console.aws.amazon.com/keyspaces/home).
1. In the navigation pane, choose **Tables** and select the table you want to edit.
1. On the **Backups** tab, choose **Edit**.
1. In the **Edit point-in-time recovery settings** section, select **Enable Point-in-time recovery**.
1. Choose **Save changes**.
------
#### [ Cassandra Query Language (CQL) ]
**Configure PITR for a table using CQL**
1. You can manage PITR settings for tables by using the `point_in_time_recovery` custom property.
To enable PITR when you're creating a new table, you must set the status of `point_in_time_recovery` to `enabled`. You can use the following CQL command as an example.
```
CREATE TABLE "my_keyspace1"."my_table1"(
"id" int,
"name" ascii,
"date" timestamp,
PRIMARY KEY("id"))
WITH CUSTOM_PROPERTIES = {
'capacity_mode':{'throughput_mode':'PAY_PER_REQUEST'},
'point_in_time_recovery':{'status':'enabled'}
}
```
**Note**
If no point-in-time recovery custom property is specified, point-in-time recovery is disabled by default.
1. To enable PITR for an existing table using CQL, run the following CQL command.
```
ALTER TABLE mykeyspace.mytable
WITH custom_properties = {'point_in_time_recovery': {'status': 'enabled'}}
```
------
#### [ CLI ]
**Configure PITR for a table using the AWS CLI**
1. You can manage PITR settings for tables by using the `UpdateTable` API.
To enable PITR when you're creating a new table, you must include `point-in-time-recovery 'status=ENABLED'` in the create table command. You can use the following AWS CLI command as an example. The command has been broken into separate lines to improve readability.
```
aws keyspaces create-table --keyspace-name 'myKeyspace' --table-name 'myTable'
--schema-definition 'allColumns=[{name=id,type=int},{name=name,type=text},{name=date,type=timestamp}],partitionKeys=[{name=id}]'
--point-in-time-recovery 'status=ENABLED'
```
**Note**
If no point-in-time recovery value is specified, point-in-time recovery is disabled by default.
1. To confirm the point-in-time recovery setting for a table, you can use the following AWS CLI command.
```
aws keyspaces get-table --keyspace-name 'myKeyspace' --table-name 'myTable'
```
1. To enable PITR for an existing table using the AWS CLI, run the following command.
```
aws keyspaces update-table --keyspace-name 'myKeyspace' --table-name 'myTable' --point-in-time-recovery 'status=ENABLED'
```
------
# Turn off PITR for an Amazon Keyspaces table
You can turn off PITR for an Amazon Keyspaces table at any time using the console, CQL, or the AWS CLI.
**Important**
Disabling PITR deletes your backup history immediately, even if you reenable PITR on the table within 35 days.
To learn how to restore a table, see [Restore a table from backup to a specified point in time in Amazon Keyspaces](restoretabletopointintime.md).
------
#### [ Console ]
**Disable PITR for a table using the console**
1. Sign in to the AWS Management Console, and open the Amazon Keyspaces console at [https://console.aws.amazon.com/keyspaces/home](https://console.aws.amazon.com/keyspaces/home).
1. In the navigation pane, choose **Tables** and select the table you want to edit.
1. On the **Backups** tab, choose **Edit**.
1. In the **Edit point-in-time recovery settings** section, clear the **Enable Point-in-time recovery** check box.
1. Choose **Save changes**.
------
#### [ Cassandra Query Language (CQL) ]
**Disable PITR for a table using CQL**
+ To disable PITR for an existing table, run the following CQL command.
```
ALTER TABLE mykeyspace.mytable
WITH custom_properties = {'point_in_time_recovery': {'status': 'disabled'}}
```
------
#### [ CLI ]
**Disable PITR for a table using the AWS CLI**
+ To disable PITR for an existing table, run the following AWS CLI command.
```
aws keyspaces update-table --keyspace-name 'myKeyspace' --table-name 'myTable' --point-in-time-recovery 'status=DISABLED'
```
------
# Restore a table from backup to a specified point in time in Amazon Keyspaces
The following section demonstrates how to restore an existing Amazon Keyspaces table to a specified point in time.
**Note**
This procedure assumes that the table you're using has been configured with point-in-time recovery. To enable PITR for a table, see [Configure PITR for a table in Amazon Keyspaces](configure_PITR.md).
**Important**
While a restore is in progress, don't modify or delete the AWS Identity and Access Management (IAM) policies that grant the IAM principal (for example, user, group, or role) permission to perform the restore. Otherwise, unexpected behavior can result. For example, if you remove write permissions for a table while that table is being restored, the underlying `RestoreTableToPointInTime` operation can't write any of the restored data to the table.
You can modify or delete permissions only after the restore operation is complete.
------
#### [ Console ]
**Restore a table to a specified point in time using the console**
1. Sign in to the AWS Management Console, and open the Amazon Keyspaces console at [https://console.aws.amazon.com/keyspaces/home](https://console.aws.amazon.com/keyspaces/home).
1. In the navigation pane on the left side of the console, choose **Tables**.
1. In the list of tables, choose the table you want to restore.
1. On the **Backups** tab of the table, in the **Point-in-time recovery** section, choose **Restore**.
1. For the new table name, enter a new name for the restored table, for example **mytable\$1restored**.
1. To define the point in time for the restore operation, you can choose between two options:
+ Select the preconfigured **Earliest** time.
+ Select **Specify date and time** and enter the date and time you want to restore the new table to.
**Note**
You can restore to any point in time within **Earliest** time and the current time. Amazon Keyspaces restores your table data to the state based on the selected date and time (day:hour:minute:second).
1. Choose **Restore** to start the restore process.
The table that is being restored is shown with the status **Restoring**. After the restore process is finished, the status of the restored table changes to **Active**.
------
#### [ Cassandra Query Language (CQL) ]
**Restore a table to a point in time using CQL**
1. You can restore an active table to a point-in-time between `earliest_restorable_timestamp` and the current time. Current time is the default.
To confirm that point-in-time recovery is enabled for the table, query the `system_schema_mcs.tables` as shown in this example.
```
SELECT custom_properties
FROM system_schema_mcs.tables
WHERE keyspace_name = 'mykeyspace' AND table_name = 'mytable';
```
Point-in-time recovery is enabled as shown in the following sample output.
```
custom_properties
-----------------
{
...,
"point_in_time_recovery": {
"earliest_restorable_timestamp":"2020-06-30T19:19:21.175Z"
"status":"enabled"
}
}
```
1.
+ Restore the table to the current time. When you omit the `WITH restore_timestamp = ...` clause, the current timestamp is used.
```
RESTORE TABLE mykeyspace.mytable_restored
FROM TABLE mykeyspace.mytable;
```
+ You can also restore to a specific point in time, defined by a `restore_timestamp` in ISO 8601 format. You can specify any point in time during the last 35 days. For example, the following command restores the table to the `EarliestRestorableDateTime`.
```
RESTORE TABLE mykeyspace.mytable_restored
FROM TABLE mykeyspace.mytable
WITH restore_timestamp = '2020-06-30T19:19:21.175Z';
```
For a full syntax description, see [RESTORE TABLE](cql.ddl.table.md#cql.ddl.table.restore) in the language reference.
1. To verify that the restore of the table was successful, query the `system_schema_mcs.tables` to confirm the status of the table.
```
SELECT status
FROM system_schema_mcs.tables
WHERE keyspace_name = 'mykeyspace' AND table_name = 'mytable_restored'
```
The query shows the following output.
```
status
------
RESTORING
```
The table that is being restored is shown with the status **Restoring**. After the restore process is finished, the status of the table changes to **Active**.
------
#### [ CLI ]
**Restore a table to a point in time using the AWS CLI**
1. Create a simple table named `myTable` that has PITR enabled. The command has been broken up into separate lines for readability.
```
aws keyspaces create-table --keyspace-name 'myKeyspace' --table-name 'myTable'
--schema-definition 'allColumns=[{name=id,type=int},{name=name,type=text},{name=date,type=timestamp}],partitionKeys=[{name=id}]'
--point-in-time-recovery 'status=ENABLED'
```
1. Confirm the properties of the new table and review the `earliestRestorableTimestamp` for PITR.
```
aws keyspaces get-table --keyspace-name 'myKeyspace' --table-name 'myTable'
```
The output of this command returns the following.
```
{
"keyspaceName": "myKeyspace",
"tableName": "myTable",
"resourceArn": "arn:aws:cassandra:us-east-1:111122223333:/keyspace/myKeyspace/table/myTable",
"creationTimestamp": "2022-06-20T14:34:57.049000-07:00",
"status": "ACTIVE",
"schemaDefinition": {
"allColumns": [
{
"name": "id",
"type": "int"
},
{
"name": "date",
"type": "timestamp"
},
{
"name": "name",
"type": "text"
}
],
"partitionKeys": [
{
"name": "id"
}
],
"clusteringKeys": [],
"staticColumns": []
},
"capacitySpecification": {
"throughputMode": "PAY_PER_REQUEST",
"lastUpdateToPayPerRequestTimestamp": "2022-06-20T14:34:57.049000-07:00"
},
"encryptionSpecification": {
"type": "AWS_OWNED_KMS_KEY"
},
"pointInTimeRecovery": {
"status": "ENABLED",
"earliestRestorableTimestamp": "2022-06-20T14:35:13.693000-07:00"
},
"defaultTimeToLive": 0,
"comment": {
"message": ""
}
}
```
1.
+ To restore a table to a point in time, specify a `restore_timestamp` in ISO 8601 format. You can chose any point in time during the last 35 days in one second intervals. For example, the following command restores the table to the `EarliestRestorableDateTime`.
```
aws keyspaces restore-table --source-keyspace-name 'myKeyspace' --source-table-name 'myTable' --target-keyspace-name 'myKeyspace' --target-table-name 'myTable_restored' --restore-timestamp "2022-06-20 21:35:14.693"
```
The output of this command returns the ARN of the restored table.
```
{
"restoredTableARN": "arn:aws:cassandra:us-east-1:111122223333:/keyspace/myKeyspace/table/myTable_restored"
}
```
+ To restore the table to the current time, you can omit the `restore-timestamp` parameter.
```
aws keyspaces restore-table --source-keyspace-name 'myKeyspace' --source-table-name 'myTable' --target-keyspace-name 'myKeyspace' --target-table-name 'myTable_restored1'"
```
------
# Restore a deleted table using Amazon Keyspaces PITR
The following procedure shows how to restore a deleted table from backup to the time of deletion. You can do this using CQL or the AWS CLI.
**Note**
This procedure assumes that PITR was enabled on the deleted table.
------
#### [ Cassandra Query Language (CQL) ]
**Restore a deleted table using CQL**
1. To confirm that point-in-time recovery is enabled for a deleted table, query the system table. Only tables with point-in-time recovery enabled are shown.
```
SELECT custom_properties
FROM system_schema_mcs.tables_history
WHERE keyspace_name = 'mykeyspace' AND table_name = 'my_table';
```
The query shows the following output.
```
custom_properties
------------------
{
...,
"point_in_time_recovery":{
"restorable_until_time":"2020-08-04T00:48:58.381Z",
"status":"enabled"
}
}
```
1. Restore the table to the time of deletion with the following sample statement.
```
RESTORE TABLE mykeyspace.mytable_restored
FROM TABLE mykeyspace.mytable;
```
------
#### [ CLI ]
**Restore a deleted table using the AWS CLI**
1. Delete a table that you created previously that has PITR enabled. The following command is an example.
```
aws keyspaces delete-table --keyspace-name 'myKeyspace' --table-name 'myTable'
```
1. Restore the deleted table to the time of deletion with the following command.
```
aws keyspaces restore-table --source-keyspace-name 'myKeyspace' --source-table-name 'myTable' --target-keyspace-name 'myKeyspace' --target-table-name 'myTable_restored2'
```
The output of this command returns the ARN of the restored table.
```
{
"restoredTableARN": "arn:aws:cassandra:us-east-1:111122223333:/keyspace/myKeyspace/table/myTable_restored2"
}
```
------