Open menu
-->

Enable DynamoDB Auto Scaling

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Performance
efficiency
Cost
optimisation
Reliability
Operational
excellence

Risk level: Medium (should be achieved)

Ensure that Amazon DynamoDB Auto Scaling feature is enabled to dynamically adjust provisioned throughput (read and write) capacity for your tables and global secondary indexes. DynamoDB Auto Scaling makes use of AWS Application Auto Scaling service which implements a target tracking algorithm to adjust the provisioned throughput of the DynamoDB tables/indexes upward or downward in response to actual workload. Once DynamoDB Auto Scaling is enabled, all you have to do is to define the desired target utilization and to provide upper and lower bounds for read and write capacity. Then the feature will monitor throughput consumption using AWS CloudWatch and will adjust provisioned capacity up or down as needed.

Once enabled, DynamoDB Auto Scaling will start monitoring your tables and indexes in order to automatically adjust throughput in response to changes in application workload. This can make it easier to administer your DynamoDB data, help you maximize your application(s) availability and help you reduce your DynamoDB costs.

Audit

To determine if Auto Scaling is enabled for your AWS DynamoDB tables and indexes, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to DynamoDB dashboard at https://console.aws.amazon.com/dynamodb/.

03 In the left navigation panel, under Dashboard, click Tables.

04 Select the DynamoDB table that you want to examine.

05 Select the Capacity tab from the right panel to access the table configuration.

06 Click Scaling activities to show the panel with information about the auto scaling activities. If there is no scaling activity listed and the panel displays the following message: "There are no auto scaling activities for the table or its global secondary indexes.", the Auto Scaling feature is not enabled for the selected AWS DynamoDB table and/or its global secondary indexes

07 Repeat steps no. 4 – 10 to verify the DynamoDB Auto Scaling status for other tables/indexes available in the current region.

08 Change the AWS region from the navigation bar and repeat the entire audit process for other regions.

Using AWS CLI

01 Run list-tables command (OSX/Linux/UNIX) using custom query filters to list the names of all DynamoDB tables created in the selected AWS region:

aws dynamodb list-tables
	--region us-east-1
	--output table
	--query 'TableNames'

02 The command output should return the requested table names:

-------------------------
|      ListTables       |
+-----------------------+
|  cc-product-inventory |
|  cc-customer-reviews  |
+-----------------------+

03 Run describe-table command (OSX/Linux/UNIX) using custom query filters to list all the global secondary indexes created for the selected DynamoDB table:

aws dynamodb describe-table
	--region us-east-1
	--table-name cc-product-inventory
	--output table
	--query 'Table.GlobalSecondaryIndexes[*].IndexName'

04 The command output should return the requested name(s):

---------------------------
|      DescribeTable      |
+-------------------------+
|  ProductCategory-index  |
+-------------------------+

05 Run describe-scalable-targets command (OSX/Linux/UNIX) using the name of the DynamoDB table and the name of the global secondary index as identifiers, to get information about the scalable target(s) registered for the selected Amazon DynamoDB table and its global secondary index. A scalable target represents a resource that AWS Application Auto Scaling service can scale in or scale out:

aws application-autoscaling describe-scalable-targets
	--region us-east-1
	--service-namespace dynamodb
	--resource-ids "table/cc-product-inventory" "table/cc-product-inventory/ProductCategory-index"

06 The command output should return the metadata available for the registered scalable target(s):

{
    "ScalableTargets": []
}

If describe-scalable-targets command output returns an empty array as the value for the ScalableTargets configuration attribute, as shown in the example above, AWS DynamoDB Auto Scaling is not enabled for the selected table and/or its global secondary index.

07 Repeat step no. 5 and 6 to verify the Auto Scaling feature status for other DynamoDB tables/indexes available in the current region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 7 to perform the audit process for other regions.

Remediation / Resolution

To enable Application Auto Scaling for AWS DynamoDB tables and indexes, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to DynamoDB dashboard at https://console.aws.amazon.com/dynamodb/.

03 In the left navigation panel, under Dashboard, click Tables.

04 Select the DynamoDB table that you want to reconfigure (see Audit section part I to identify the right resource).

05 Select the Capacity tab from the right panel to access the table configuration.

06 Inside Auto Scaling section, perform the following actions:

  1. Check Read capacity and Write capacity checkboxes to display the Application Auto Scaling settings panel.
  2. In Target utilization box, provide the target utilization for the table (percentage).
  3. For Minimum provisioned capacity, type your lower boundary for the auto-scaling range based on your application workload.
  4. For Maximum provisioned capacity, type your upper boundary for the auto-scaling range.
  5. Check Apply same settings to global secondary indexes checkbox. This option allows DynamoDB Auto Scaling to uniformly scale all the global secondary indexes on the base table selected. This includes existing global secondary indexes and any other indexes that you will create for this table in the future.
  6. Inside IAM Role section, select New role: DynamoDBAutoscaleRole option from I authorize DynamoDB to scale capacity using the following role, to use the predefined IAM role made available by AWS DynamoDB.
  7. Click Save to apply the configuration changes and to enable Auto Scaling for the selected DynamoDB table and indexes.

07 Repeat steps no. 4 - 6 to enable and configure Application Auto Scaling for other Amazon DynamoDB tables/indexes available within the current region.

08 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 First, you need to define the trust relationship policy for the required IAM service role. The AWS IAM service role allows Application Auto Scaling to modify the provisioned throughput settings for your DynamoDB table (and its indexes) as if you were modifying them yourself. To create the trust relationship policy for the role, paste the following information into a new policy document file named autoscale-service-role-trust-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "application-autoscaling.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

02 Run create-role command (OSX/Linux/UNIX) to create the necessary IAM service role using the trust relationship policy defined at the previous step:

aws iam create-role
	--role-name cc-dynamodb-autoscale-role
	--assume-role-policy-document file://autoscale-service-role-trust-policy.json

03 The command output should return the IAM service role metadata:

{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "application-autoscaling.amazonaws.com"
                    }
                }
            ]
        },
        "RoleId": "AAAAABBBBBCCCCCDDDDDD",
        "CreateDate": "2017-11-12T11:24:17.925Z",
        "RoleName": "cc-dynamodb-autoscale-role",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:role/cc-dynamodb-autoscale-role"
    }
}

04 Define the access policy for the newly created IAM service role. To create the required policy, paste the following information into a new JSON document named autoscale-service-role-access-policy.json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:DescribeTable",
                "dynamodb:UpdateTable",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:SetAlarmState",
                "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}

05 Run create-policy command (OSX/Linux/UNIX) to create the IAM service role policy using the document defined at the previous step, i.e. autoscale-service-role-access-policy.json:

aws iam create-policy
	--region us-east-1
	--policy-name cc-dynamodb-autoscale-policy
	--policy-document file://autoscale-service-role-access-policy.json

06 The command output should return the command request metadata (including the access policy ARN):

{
    "Policy": {
        "PolicyName": "cc-dynamodb-autoscale-policy",
        "CreateDate": "2017-11-12T11:34:32.545Z",
        "AttachmentCount": 0,
        "IsAttachable": true,
        "PolicyId": "AAAABBBBCCCCCDDDDEEEE",
        "DefaultVersionId": "v1",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:policy/cc-dynamodb-autoscale-policy",
        "UpdateDate": "2017-11-12T11:34:32.545Z"
    }
}

07 Run attach-role-policy command (OSX/Linux/UNIX) to attach the access policy created at step no. 5, identified by the ARN "arn:aws:iam::123456789012:policy/cc-dynamodb-autoscale-policy", to the IAM service role created at step no. 2, named "cc-dynamodb-autoscale-role" (the command does not produce an output):

aws iam attach-role-policy
	--region us-east-1
	--role-name cc-dynamodb-autoscale-role
	--policy-arn arn:aws:iam::123456789012:policy/cc-dynamodb-autoscale-policy

08 Run register-scalable-target command (OSX/Linux/UNIX) to register a scalable target with the selected DynamoDB table. A scalable target is a resource that AWS Application Auto Scaling can scale out or scale in. The following Application Auto Scaling configuration allows the service to dynamically adjust the provisioned read capacity for "cc-product-inventory" table within the range of 150 to 1200 units. To configure the provisioned write capacity for the table, set --scalable-dimension value to dynamodb:table:WriteCapacityUnits and perform the command request again (the command does not produce an output):

aws application-autoscaling register-scalable-target
	--region us-east-1
	--service-namespace dynamodb
	--resource-id table/cc-product-inventory
	--scalable-dimension dynamodb:table:ReadCapacityUnits
	--min-capacity 150
	--max-capacity 1200
	--role-arn arn:aws:iam::123456789012:role/cc-dynamodb-autoscale-role

09 Execute again register-scalable-target command (OSX/Linux/UNIX) to register a scalable target with the selected DynamoDB table index. The following Application Auto Scaling configuration allows the service to dynamically adjust the provisioned read capacity for "ProductCategory-index" global secondary index within the range of 150 to 1200 capacity units. To configure the provisioned write capacity for the selected index, set --scalable-dimension value to dynamodb:index:WriteCapacityUnits and perform the command request again (the command does not return an output):

aws application-autoscaling register-scalable-target
	--region us-east-1
	--service-namespace dynamodb
	--resource-id table/cc-product-inventory/index/ProductCategory-index
	--scalable-dimension dynamodb:index:ReadCapacityUnits
	--min-capacity 150
	--max-capacity 1200
	--role-arn arn:aws:iam::123456789012:role/cc-dynamodb-autoscale-role

10 Define the policy for the scalable targets created at the previous steps. To create the required scaling policy, paste the following information into a new policy document named autoscaling-policy.json. Replace DynamoDBReadCapacityUtilization with DynamoDBWriteCapacityUtilization based on the scalable dimension used, i.e. DynamoDBReadCapacityUtilization for dynamodb:table:ReadCapacityUnits dimension and DynamoDBWriteCapacityUtilization for dynamodb:table:WriteCapacityUnits:

{
    "PredefinedMetricSpecification": {
        "PredefinedMetricType": "DynamoDBReadCapacityUtilization"
    },
    "ScaleOutCooldown": 60,
    "ScaleInCooldown": 60,
    "TargetValue": 70.0
}

11 Run put-scaling-policy command (OSX/Linux/UNIX) to attach the scaling policy defined at the previous step, to the scalable targets, registered at step no. 8 with the selected DynamoDB table. The put-scaling-policy command request will also enable Application Auto Scaling to create two AWS CloudWatch alarms - one for the upper and one for the lower boundary of the scaling target range. To set up the required policy for provisioned write capacity (table), set --scalable-dimension value to dynamodb:table:WriteCapacityUnits and run the command again:

aws application-autoscaling put-scaling-policy
	--region us-east-1
	--service-namespace dynamodb
	--resource-id table/cc-product-inventory
	--scalable-dimension dynamodb:table:ReadCapacityUnits
	--policy-name cc-autoscaling-policy
	--policy-type TargetTrackingScaling
	--target-tracking-scaling-policy-configuration file://autoscaling-policy.json

12 The command output should return the request metadata, including information regarding the newly created Amazon CloudWatch alarms:

{
    "Alarms": [
        {
            "AlarmName": "TargetTracking-table/cc-product-inventory-ProvisionedCapacityHigh-aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee",
            "AlarmARN": "arn:aws:cloudwatch:us-east-1:123456789012:alarm:TargetTracking-table/cc-product-inventory-ProvisionedCapacityHigh-aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee"
        },
        {
            "AlarmName": "TargetTracking-table/cc-product-inventory-ProvisionedCapacityLow-aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee",
            "AlarmARN": "arn:aws:cloudwatch:us-east-1:123456789012:alarm:TargetTracking-table/cc-product-inventory-ProvisionedCapacityLow-aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee"
        }
    ],
    "PolicyARN": "arn:aws:autoscaling:us-east-1:123456789012:scalingPolicy:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee:resource/dynamodb/table/cc-product-inventory:policyName/cc-autoscaling-policy"
}

13 Execute again put-scaling-policy command (OSX/Linux/UNIX) to attach the scaling policy defined at step no. 10, to the scalable targets, registered at step no. 9 with the selected DynamoDB table index. The put-scaling-policy command request will also enable Application Auto Scaling to create two AWS CloudWatch alarms - one for the upper and one for the lower boundary of the scaling target range. To set up the required policy for provisioned write capacity (index), set --scalable-dimension value to dynamodb:index:WriteCapacityUnits and run the command again:

aws application-autoscaling put-scaling-policy
	--region us-east-1
	--service-namespace dynamodb
	--resource-id table/cc-product-inventory/index/ProductCategory-index
	--scalable-dimension dynamodb:index:ReadCapacityUnits
	--policy-name cc-autoscaling-policy
	--policy-type TargetTrackingScaling
	--target-tracking-scaling-policy-configuration file://autoscaling-policy.json

14 The command output should return the request metadata, including information about the newly created AWS CloudWatch alarms:

{
    "Alarms": [
        {
            "AlarmName": "TargetTracking-table/cc-product-inventory/index/ProductCategory-index-ProvisionedCapacityHigh-aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee",
            "AlarmARN": "arn:aws:cloudwatch:us-east-1:123456789012:alarm:TargetTracking-table/cc-product-inventory/index/ProductCategory-index-ProvisionedCapacityHigh-aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee"
        },
        {
            "AlarmName": "TargetTracking-table/cc-product-inventory/index/ProductCategory-index-ProvisionedCapacityLow-aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee",
            "AlarmARN": "arn:aws:cloudwatch:us-east-1:123456789012:alarm:TargetTracking-table/cc-product-inventory/index/ProductCategory-index-ProvisionedCapacityLow-aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee"
        }
    ],
    "PolicyARN": "arn:aws:autoscaling:us-east-1:123456789012:scalingPolicy:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee:resource/dynamodb/table/cc-product-inventory/index/ProductCategory-index:policyName/cc-autoscaling-policy"
}

15 Repeat steps no. 8 – 14 to enable and configure Application Auto Scaling for other Amazon DynamoDB tables/indexes available within the current region.

16 Change the AWS region by updating the --region command parameter value and repeat the entire remediation process for other regions.

References