[DynamoDB.1]
DynamoDB tables should automatically scale capacity with demand
Description
A DynamoDB table should be able to scale its read and write capacity as required. Auto scaling capacity makes sure your applications do not run into throttling exceptions and are always available. This rule is COMPLIANT if a DynamoDB table has either on-demand capacity or provisioned mode with auto scaling enabled.
Details
Property | Value |
---|---|
Category | Recover > Resilience > High availability |
Compliance Control ID | DynamoDB.1 |
FortifyFox ID | FF100056 |
Link | DynamoDB.1 Compliance |
Resource Type(s) | AWS::DynamoDB::Table |
Severity | Medium |
Remediation
Use the following CloudFormation templates to adjust the scaling policy of your DynamoDB table and make it compliant with DynamoDB.1.
YAML Template
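
```yaml
Resources:
  writeScaleTarget:
    Type: AWS::ApplicationAutoScaling::ScalableTarget
    Properties:
      ServiceNamespace: dynamodb
      ResourceId: table/TABLE_NAME
      RoleARN: SCALING_ARN
      ScalableDimension: dynamodb:table:WriteCapacityUnits
      MinCapacity: 5      # example value, adjust to your workload
      MaxCapacity: 100    # example value, adjust to your workload
  readScaleTarget:
    Type: AWS::ApplicationAutoScaling::ScalableTarget
    Properties:
      ServiceNamespace: dynamodb
      ResourceId: table/TABLE_NAME
      RoleARN: SCALING_ARN
      ScalableDimension: dynamodb:table:ReadCapacityUnits
      MinCapacity: 5      # example value, adjust to your workload
      MaxCapacity: 100    # example value, adjust to your workload
  writeScalePolicy:
    Type: AWS::ApplicationAutoScaling::ScalingPolicy
    Properties:
      PolicyName: TableWriteScalingPolicy
      PolicyType: TargetTrackingScaling
      ScalingTargetId: !Ref writeScaleTarget
      TargetTrackingScalingPolicyConfiguration:
        TargetValue: 70.0 # example target utilization in percent
        PredefinedMetricSpecification:
          PredefinedMetricType: DynamoDBWriteCapacityUtilization
  readScalePolicy:
    Type: AWS::ApplicationAutoScaling::ScalingPolicy
    Properties:
      PolicyName: TableReadScalingPolicy
      PolicyType: TargetTrackingScaling
      ScalingTargetId: !Ref readScaleTarget
      TargetTrackingScalingPolicyConfiguration:
        TargetValue: 70.0 # example target utilization in percent
        PredefinedMetricSpecification:
          PredefinedMetricType: DynamoDBReadCapacityUtilization
```

JSON Template

```json
{
  "Resources": {
    "writeScaleTarget": {
      "Type": "AWS::ApplicationAutoScaling::ScalableTarget",
      "Properties": {
        "ServiceNamespace": "dynamodb",
        "ResourceId": "table/TABLE_NAME",
        "RoleARN": "SCALING_ARN",
        "ScalableDimension": "dynamodb:table:WriteCapacityUnits",
        "MinCapacity": 5,
        "MaxCapacity": 100
      }
    },
    "readScaleTarget": {
      "Type": "AWS::ApplicationAutoScaling::ScalableTarget",
      "Properties": {
        "ServiceNamespace": "dynamodb",
        "ResourceId": "table/TABLE_NAME",
        "RoleARN": "SCALING_ARN",
        "ScalableDimension": "dynamodb:table:ReadCapacityUnits",
        "MinCapacity": 5,
        "MaxCapacity": 100
      }
    },
    "writeScalePolicy": {
      "Type": "AWS::ApplicationAutoScaling::ScalingPolicy",
      "Properties": {
        "PolicyName": "TableWriteScalingPolicy",
        "PolicyType": "TargetTrackingScaling",
        "ScalingTargetId": {
          "Ref": "writeScaleTarget"
        },
        "TargetTrackingScalingPolicyConfiguration": {
          "TargetValue": 70.0,
          "PredefinedMetricSpecification": {
            "PredefinedMetricType": "DynamoDBWriteCapacityUtilization"
          }
        }
      }
    },
    "readScalePolicy": {
      "Type": "AWS::ApplicationAutoScaling::ScalingPolicy",
      "Properties": {
        "PolicyName": "TableReadScalingPolicy",
        "PolicyType": "TargetTrackingScaling",
        "ScalingTargetId": {
          "Ref": "readScaleTarget"
        },
        "TargetTrackingScalingPolicyConfiguration": {
          "TargetValue": 70.0,
          "PredefinedMetricSpecification": {
            "PredefinedMetricType": "DynamoDBReadCapacityUtilization"
          }
        }
      }
    }
  }
}
```

You will need to replace TABLE_NAME with the name of your DynamoDB table and SCALING_ARN with the ARN of your Scaling Role. The MinCapacity, MaxCapacity and TargetValue settings in the templates are example values; adjust them to your workload.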
📓 Notes
- You must have created a valid DynamoDB table
- You must have created an IAM Scaling Role that includes the policy application-autoscaling.amazonaws.com to allow auto scaling.
- You must have created a Scaling Policy for the role which allows the following actions:
  - application-autoscaling:*
  - dynamodb:DescribeTable
  - dynamodb:UpdateTable
  - cloudwatch:PutMetricAlarm
  - cloudwatch:DescribeAlarms
  - cloudwatch:GetMetricStatistics
  - cloudwatch:SetAlarmState
  - cloudwatch:DeleteAlarm
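
To confirm that a table meets the condition stated in the Description after applying the template, the check below evaluates data shaped like the `DescribeTable`, `DescribeScalableTargets` and `DescribeScalingPolicies` responses. It is an added example, not FortifyFox's or AWS's own rule code; the function name, the sample tables, and the requirement that both the read and write dimensions have a registered target and a policy are assumptions, and global secondary indexes are not examined.

```python
# Added example: all sample data is constructed, shaped like boto3 responses.
REQUIRED_DIMENSIONS = {
    "dynamodb:table:ReadCapacityUnits",
    "dynamodb:table:WriteCapacityUnits",
}


def evaluate_table(table, scalable_targets, scaling_policies):
    """Return "COMPLIANT" or "NON_COMPLIANT" for one table.

    table            -- the "Table" dict from dynamodb DescribeTable
    scalable_targets -- "ScalableTargets" from DescribeScalableTargets
    scaling_policies -- "ScalingPolicies" from DescribeScalingPolicies
    """
    # DescribeTable may omit BillingModeSummary for provisioned tables.
    mode = table.get("BillingModeSummary", {}).get("BillingMode", "PROVISIONED")
    if mode == "PAY_PER_REQUEST":  # on-demand capacity
        return "COMPLIANT"

    resource_id = "table/" + table["TableName"]
    registered = {t["ScalableDimension"] for t in scalable_targets
                  if t["ResourceId"] == resource_id}
    with_policy = {p["ScalableDimension"] for p in scaling_policies
                   if p["ResourceId"] == resource_id}
    # Assumption: a registered target with no policy never scales, so both
    # must exist for reads and for writes before the table counts as scaled.
    covered = registered & with_policy
    return "COMPLIANT" if REQUIRED_DIMENSIONS <= covered else "NON_COMPLIANT"


def _entries(table_name, dimensions):
    """Build constructed target/policy entries for one table."""
    return [{"ResourceId": "table/" + table_name, "ScalableDimension": d}
            for d in dimensions]


# Constructed samples (hypothetical table names).
ON_DEMAND = {"TableName": "orders",
             "BillingModeSummary": {"BillingMode": "PAY_PER_REQUEST"}}
PROVISIONED = {"TableName": "sessions"}
BOTH = _entries("sessions", sorted(REQUIRED_DIMENSIONS))
WRITE_ONLY = _entries("sessions", ["dynamodb:table:WriteCapacityUnits"])

if __name__ == "__main__":
    print(evaluate_table(ON_DEMAND, [], []))
    print(evaluate_table(PROVISIONED, BOTH, BOTH))
    print(evaluate_table(PROVISIONED, BOTH, WRITE_ONLY))
    print(evaluate_table(PROVISIONED, [], []))
```

The third call covers the case where both scalable targets are registered but only the write policy exists, which this check reports as NON_COMPLIANT.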