Enable DynamoDB Table Auto Scaling Rule

This rule ensures that auto scaling is enabled for DynamoDB tables.

Rule: DynamoDB table auto scaling should be enabled
Framework: NIST 800-53 Revision 4
Severity: High

DynamoDB Table Auto Scaling for NIST 800-53 Revision 4

Overview

DynamoDB is a fully managed NoSQL database service provided by Amazon Web Services (AWS). It offers automatic scalability to handle varying workloads. Enabling auto scaling for DynamoDB tables is a crucial step in meeting the requirements defined by the NIST (National Institute of Standards and Technology) 800-53 Revision 4 security controls.

Auto scaling ensures that the read and write capacity of a DynamoDB table automatically adjusts based on the workload. This helps maintain optimal performance and prevents excessive costs.

Policy Description

To comply with the NIST 800-53 Revision 4 security controls, DynamoDB table auto scaling must be enabled. This policy ensures that the table's read and write capacity adjusts automatically according to request utilization and predefined thresholds.

When auto scaling is enabled, DynamoDB automatically adds or removes read and write capacity units in response to the changing workload. This eliminates the need for manual adjustments and ensures that the table can handle peaks and valleys in traffic efficiently.

Enabling auto scaling for DynamoDB tables helps in achieving the following objectives from the NIST 800-53 Revision 4 security controls:

  1. SA-10: Size and Scalability
  2. SA-11: Scalable, Flexible, and Adaptable Architectures

Troubleshooting Steps

If there are any issues with enabling or configuring DynamoDB table auto scaling, the following troubleshooting steps can be performed:

  1. Verify IAM Permissions: Ensure that the IAM user or role has the necessary permissions to enable auto scaling on the DynamoDB table. The user or role should have the dynamodb:UpdateTable permission.

  2. Check DynamoDB Table Status: Ensure that the DynamoDB table is in the ACTIVE status. Auto scaling cannot be enabled or modified on a table that is not active.

  3. Review Auto Scaling Policy: Double-check the auto scaling policy to verify that it follows the recommended guidelines. Make sure the thresholds are configured properly and align with the expected workload.

  4. Check CloudWatch Alarms: Inspect the associated CloudWatch alarms to ensure they are properly configured. Check that the alarm actions and conditions are defined correctly, so that they trigger the necessary auto scaling actions.

  5. Review Billing and Capacity Unit Limits: Confirm that the account has sufficient provisioned capacity units available based on the workload requirements. Insufficient capacity units may prevent auto scaling from functioning correctly.

Necessary Codes (AWS CLI)

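The following AWS CLI commands can be used to enable auto scaling for a DynamoDB table. aws dynamodb update-table has no auto scaling option, and PAY_PER_REQUEST cannot be combined with provisioned throughput, so the table is first set to provisioned capacity mode and auto scaling is then configured through Application Auto Scaling. Run the second and third commands once for read capacity and once for write capacity:

aws dynamodb update-table \
  --table-name <table-name> \
  --billing-mode PROVISIONED \
  --provisioned-throughput ReadCapacityUnits=<read-capacity>,WriteCapacityUnits=<write-capacity>

aws application-autoscaling register-scalable-target \
  --service-namespace dynamodb \
  --resource-id table/<table-name> \
  --scalable-dimension <scalable-dimension> \
  --min-capacity <min-capacity> \
  --max-capacity <max-capacity> \
  --role-arn <service-role-arn>

aws application-autoscaling put-scaling-policy \
  --service-namespace dynamodb \
  --resource-id table/<table-name> \
  --scalable-dimension <scalable-dimension> \
  --policy-name <policy-name> \
  --policy-type TargetTrackingScaling \
  --target-tracking-scaling-policy-configuration 'PredefinedMetricSpecification={PredefinedMetricType=<metric-type>},ScaleInCooldown=<scale-in-cooldown>,ScaleOutCooldown=<scale-out-cooldown>,TargetValue=<target-value>'

Replace the placeholders:

  • <table-name>: the name of the DynamoDB table.
  • <read-capacity>: the initial read capacity units for the table.
  • <write-capacity>: the initial write capacity units for the table.
  • <scalable-dimension>: the capacity dimension to scale (dynamodb:table:ReadCapacityUnits or dynamodb:table:WriteCapacityUnits), matching the metric type below.
  • <min-capacity> and <max-capacity>: the lower and upper bounds, in capacity units, between which auto scaling may adjust the table.
  • <service-role-arn>: the ARN of the IAM role associated with the auto scaling policy.
  • <policy-name>: a name for the scaling policy.
  • <metric-type>: the predefined metric type to use for scaling (e.g., DynamoDBReadCapacityUtilization or DynamoDBWriteCapacityUtilization).
  • <scale-in-cooldown>: the cooldown period after a scale-in activity (in seconds).
  • <scale-out-cooldown>: the cooldown period after a scale-out activity (in seconds).
  • <target-value>: the target value for the predefined metric.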

Step-by-Step Guide for Remediation

  1. Verify IAM Permissions

     • Ensure the IAM user or role used has the dynamodb:UpdateTable permission.
     • If needed, update the IAM policy associated with the user or role to include the required permission.

  2. Check DynamoDB Table Status

     • Verify that the DynamoDB table is in the ACTIVE status.
     • If the table is not active, wait until it becomes active before proceeding.

  3. Review Auto Scaling Policy

     • Ensure the auto scaling policy for the table adheres to the recommended guidelines.
     • Review the threshold configurations to align with the expected workload.
     • Adjust the policy if necessary.

  4. Check CloudWatch Alarms

     • Validate the associated CloudWatch alarms for the DynamoDB table.
     • Verify that the alarm actions and conditions are defined correctly.
     • Modify the alarms if required.

  5. Review Billing and Capacity Unit Limits

     • Confirm that the AWS account has sufficient provisioned capacity units based on the workload requirements.
     • Adjust the provisioned capacity units if they are insufficient.

  6. Enable Auto Scaling for DynamoDB Table

     • Execute the AWS CLI command provided, replacing the necessary placeholders with actual values.
     • This command will enable auto scaling for the DynamoDB table with the specified configurations.

By following these steps, you can enable auto scaling for a DynamoDB table and satisfy the NIST 800-53 Revision 4 requirements.
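To confirm the result of the remediation, the rule can be evaluated offline against exported AWS CLI output. The following is an added example, not code from the original page or the rule's actual implementation. It assumes JSON shaped like the output of aws dynamodb describe-table, aws application-autoscaling describe-scalable-targets and describe-scaling-policies, uses constructed table names, treats on-demand (PAY_PER_REQUEST) tables as passing, and treats a missing BillingModeSummary as provisioned.

```python
import json

DIMENSIONS = ("dynamodb:table:ReadCapacityUnits",
              "dynamodb:table:WriteCapacityUnits")

# Constructed samples shaped like AWS CLI output (not real resources).
# Only the fields the check reads are included.
TABLES = json.loads("""[
 {"TableName": "orders",   "BillingModeSummary": {"BillingMode": "PROVISIONED"}},
 {"TableName": "sessions", "BillingModeSummary": {"BillingMode": "PROVISIONED"}},
 {"TableName": "events",   "BillingModeSummary": {"BillingMode": "PAY_PER_REQUEST"}},
 {"TableName": "legacy"}
]""")
TARGETS = json.loads("""[
 {"ResourceId": "table/orders",   "ScalableDimension": "dynamodb:table:ReadCapacityUnits"},
 {"ResourceId": "table/orders",   "ScalableDimension": "dynamodb:table:WriteCapacityUnits"},
 {"ResourceId": "table/sessions", "ScalableDimension": "dynamodb:table:ReadCapacityUnits"},
 {"ResourceId": "table/sessions", "ScalableDimension": "dynamodb:table:WriteCapacityUnits"}
]""")
POLICIES = json.loads("""[
 {"ResourceId": "table/orders",   "ScalableDimension": "dynamodb:table:ReadCapacityUnits",  "PolicyType": "TargetTrackingScaling"},
 {"ResourceId": "table/orders",   "ScalableDimension": "dynamodb:table:WriteCapacityUnits", "PolicyType": "TargetTrackingScaling"},
 {"ResourceId": "table/sessions", "ScalableDimension": "dynamodb:table:ReadCapacityUnits",  "PolicyType": "TargetTrackingScaling"}
]""")

def evaluate(tables, targets, policies):
    """Return {table_name: [findings]}; an empty list means the table passes."""
    registered = {(t["ResourceId"], t["ScalableDimension"]) for t in targets}
    tracked = {(p["ResourceId"], p["ScalableDimension"]) for p in policies
               if p.get("PolicyType") == "TargetTrackingScaling"}
    report = {}
    for table in tables:
        name = table["TableName"]
        # Assumption: a table with no BillingModeSummary is provisioned.
        mode = table.get("BillingModeSummary", {}).get("BillingMode", "PROVISIONED")
        findings = []
        if mode == "PROVISIONED":
            for dim in DIMENSIONS:
                key = (f"table/{name}", dim)
                if key not in registered:
                    findings.append(f"no scalable target for {dim}")
                elif key not in tracked:
                    findings.append(f"no target tracking policy for {dim}")
        report[name] = findings
    return report

if __name__ == "__main__":
    for name, findings in evaluate(TABLES, TARGETS, POLICIES).items():
        print(name, "PASS" if not findings else "FAIL: " + "; ".join(findings))
```

The "sessions" case shows why registering a scalable target is not enough: a dimension with a target but no scaling policy never scales, so it is reported as a finding.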
