πŸ“ AWS DynamoDB Provisioned Table Auto Scaling is not configured 🟒

  • Contextual name: πŸ“ Provisioned Table Auto Scaling is not configured 🟒
  • ID: /ce/ca/aws/dynamodb/table-auto-scaling
  • Located in: πŸ“ AWS DynamoDB

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

Similar Internal Rules

Rule  Policies  Flags
✉️ dec-x-17b4855f1

Logic

Description

This policy checks that Amazon DynamoDB tables configured with provisioned throughput mode have Auto Scaling enabled.

Rationale

DynamoDB Auto Scaling automates the management of throughput capacity for tables. It dynamically adjusts provisioned read and write capacity in response to actual traffic patterns. This helps maintain application performance by preventing request throttling while reducing costs by automatically decreasing capacity for idle workloads.

Impact

Without Auto Scaling, DynamoDB tables are at risk of being either over-provisioned, leading to unnecessary costs, or under-provisioned, resulting in throttled requests, increased latency, and potential service disruptions.

Audit

This policy marks an AWS DynamoDB Table as INCOMPLIANT if it is in Provisioned mode but does not have a related AWS App AutoScaling Scalable Target record in the CMDB.

A table configured with On-Demand capacity mode is flagged as INAPPLICABLE.
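
The audit rule above can be reproduced outside the CMDB. The following is an added example, not Cloudaware's policy code: it applies the same decision to constructed records shaped like DynamoDB DescribeTable and Application Auto Scaling DescribeScalableTargets output, and goes one step further by listing which table dimensions have no scalable target. The COMPLIANT status name, the function names and the sample table names are assumptions.

```python
# Added example. Sample records are constructed; field names follow the
# DescribeTable and DescribeScalableTargets response shapes.
DIMENSIONS = ("dynamodb:table:ReadCapacityUnits",
              "dynamodb:table:WriteCapacityUnits")


def billing_mode(table):
    # BillingModeSummary is absent on tables that have never used on-demand
    # mode, so a missing key is treated as provisioned.
    return table.get("BillingModeSummary", {}).get("BillingMode", "PROVISIONED")


def evaluate(table, targets):
    """Return (status, table dimensions without a scalable target)."""
    if billing_mode(table) == "PAY_PER_REQUEST":
        return "INAPPLICABLE", []
    # Exact match on the resource id: a target on "table/<name>/index/<gsi>"
    # or on another table sharing a name prefix must not count for this table.
    resource_id = "table/" + table["TableName"]
    covered = {t["ScalableDimension"] for t in targets
               if t.get("ServiceNamespace") == "dynamodb"
               and t.get("ResourceId") == resource_id}
    missing = [d for d in DIMENSIONS if d not in covered]
    # Page rule: provisioned table with no related scalable target.
    return ("COMPLIANT" if covered else "INCOMPLIANT"), missing


def audit(tables, targets):
    return {t["TableName"]: evaluate(t, targets) for t in tables}


def _target(resource_id, dimension):
    return {"ServiceNamespace": "dynamodb", "ResourceId": resource_id,
            "ScalableDimension": dimension}


TABLES = [  # constructed
    {"TableName": "orders"},  # always provisioned: no BillingModeSummary
    {"TableName": "events", "BillingModeSummary": {"BillingMode": "PAY_PER_REQUEST"}},
    {"TableName": "sessions", "BillingModeSummary": {"BillingMode": "PROVISIONED"}},
    {"TableName": "users", "BillingModeSummary": {"BillingMode": "PROVISIONED"}},
]
TARGETS = [  # constructed
    _target("table/orders", DIMENSIONS[0]),
    _target("table/orders", DIMENSIONS[1]),
    _target("table/sessions/index/by-user", "dynamodb:index:ReadCapacityUnits"),
    _target("table/users", DIMENSIONS[1]),
]

if __name__ == "__main__":
    for name, (status, missing) in audit(TABLES, TARGETS).items():
        print(f"{name}: {status} missing={missing}")
```

A table such as the sample "users" passes the rule as written while its read capacity is still fixed, which is why the uncovered dimensions are worth reporting alongside the status.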

Remediation

From Command Line

Option 1: Enable Auto Scaling for Provisioned Mode

Register a Scalable Target

Use the following command to register a scalable target for the specified read or write capacity of your DynamoDB table:

aws application-autoscaling register-scalable-target \
    --service-namespace dynamodb \
    --resource-id "table/{{dynamodb-table-name}}" \
    --scalable-dimension "{{dynamodb:table:WriteCapacityUnits/ReadCapacityUnits}}" \
    --min-capacity 5 \
    --max-capacity 10

Define a Scaling Policy

Create a JSON file named {{scaling-policy}}.json that defines the target tracking scaling policy. The policy configuration should include:

  • PredefinedMetricSpecification - Specifies the predefined metric to be tracked. The valid values include:
    • DynamoDBReadCapacityUtilization
    • DynamoDBWriteCapacityUtilization
  • ScaleOutCooldown - Cooldown period (in seconds) to wait after a scale-out event.
  • ScaleInCooldown - Cooldown period (in seconds) to wait after a scale-in event.

Linked Framework Sections

Section  Sub Sections  Internal Rules  Policies  Flags
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DynamoDB.1] DynamoDB tables should automatically scale capacity with demand 11
💼 Cloudaware Framework → 💼 Resource Optimization 5
💼 Cloudaware Framework → 💼 Workload Efficiency 7
💼 FedRAMP High Security Controls → 💼 CP-2(2) Capacity Planning (H) 2
💼 FedRAMP High Security Controls → 💼 CP-6(2) Recovery Time and Recovery Point Objectives (H) 4
💼 FedRAMP High Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H) 25
💼 FedRAMP Low Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H) 5
💼 FedRAMP Moderate Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H) 15
💼 NIST CSF v2.0 → 💼 PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations 11
💼 NIST CSF v2.0 → 💼 RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process 5
💼 NIST CSF v2.0 → 💼 RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed 5
💼 NIST CSF v2.0 → 💼 RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed 5
💼 NIST SP 800-53 Revision 5 → 💼 CP-2(2) Contingency Plan _ Capacity Planning 2
💼 NIST SP 800-53 Revision 5 → 💼 CP-6(2) Alternate Storage Site _ Recovery Time and Recovery Point Objectives 4
💼 NIST SP 800-53 Revision 5 → 💼 CP-10 System Recovery and Reconstitution 65
💼 NIST SP 800-53 Revision 5 → 💼 SC-5(2) Denial-of-service Protection _ Capacity, Bandwidth, and Redundancy 4
💼 NIST SP 800-53 Revision 5 → 💼 SC-36 Distributed Processing and Storage 22
💼 NIST SP 800-53 Revision 5 → 💼 SI-13(5) Predictable Failure Prevention _ Failover Capability 4