turbot/steampipe-mod-aws-compliance

Control: 1 DynamoDB tables should automatically scale capacity with demand

Description

This control checks whether an Amazon DynamoDB table can scale its read and write capacity as needed. This control passes if the table uses either on-demand capacity mode or provisioned mode with auto scaling configured. Scaling capacity with demand avoids throttling exceptions, which helps to maintain availability of your applications.

DynamoDB tables in on-demand capacity mode are only limited by the DynamoDB throughput default table quotas. To raise these quotas, you can file a support ticket through AWS Support.

DynamoDB tables in provisioned mode with auto scaling adjust the provisioned throughput capacity dynamically in response to traffic patterns.

Remediation

For detailed instructions on enabling DynamoDB automatic scaling on existing tables in provisioned capacity mode, see Enabling DynamoDB auto scaling on existing tables.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_dynamodb_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_dynamodb_1 --share

SQL

This control uses a named query:

-- Count the Application Auto Scaling targets registered per DynamoDB resource.
-- A table that scales both read and write capacity has two targets.
with table_with_autocaling as (
  select
    t.resource_id as resource_id,
    count(t.resource_id) as count
  from
    aws_appautoscaling_target as t
  where
    service_namespace = 'dynamodb'
  group by
    t.resource_id
)
select
  d.arn as resource,
  case
    -- On-demand tables scale automatically, so they always pass.
    when d.billing_mode = 'PAY_PER_REQUEST' then 'ok'
    when t.resource_id is null then 'alarm'
    when t.count < 2 then 'alarm'
    else 'ok'
  end as status,
  case
    when d.billing_mode = 'PAY_PER_REQUEST' then d.title || ' on-demand mode enabled.'
    when t.resource_id is null then d.title || ' autoscaling not enabled.'
    when t.count < 2 then d.title || ' auto scaling not enabled for both read and write capacity.'
    else d.title || ' autoscaling enabled for both read and write capacity.'
  end as reason,
  d.region,
  d.account_id
from
  aws_dynamodb_table as d
  -- Table-level targets use a resource_id of the form 'table/<table name>'.
  left join table_with_autocaling as t on concat('table/', d.name) = t.resource_id;
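
When the control alarms, the next step is to find out which dimension is missing. The following query is an added example, not part of the mod: it lists each failing provisioned-mode table with separate read and write flags. It assumes the `scalable_dimension`, `region` and `account_id` columns of `aws_appautoscaling_target`, and it goes beyond the named query by also matching on region and account so that same-named tables in different regions or accounts are evaluated separately.

```sql
-- Added example: per-table view of which table-level scaling targets exist.
with targets as (
  select
    account_id,
    region,
    resource_id,
    -- One row per (resource, dimension); fold them into two flags.
    bool_or(scalable_dimension = 'dynamodb:table:ReadCapacityUnits') as has_read,
    bool_or(scalable_dimension = 'dynamodb:table:WriteCapacityUnits') as has_write
  from
    aws_appautoscaling_target
  where
    service_namespace = 'dynamodb'
  group by
    account_id,
    region,
    resource_id
)
select
  d.arn as resource,
  d.region,
  d.account_id,
  coalesce(t.has_read, false) as read_autoscaling,
  coalesce(t.has_write, false) as write_autoscaling
from
  aws_dynamodb_table as d
  left join targets as t
    on t.resource_id = 'table/' || d.name
    and t.region = d.region
    and t.account_id = d.account_id
where
  -- Skip on-demand tables; a null billing_mode is treated as provisioned.
  d.billing_mode is distinct from 'PAY_PER_REQUEST'
  -- Keep only tables missing at least one of the two targets.
  and not (coalesce(t.has_read, false) and coalesce(t.has_write, false))
order by
  d.account_id,
  d.region,
  d.name;
```

A row with `read_autoscaling = true` and `write_autoscaling = false` corresponds to the control's "auto scaling not enabled for both read and write capacity" reason; both flags false corresponds to "autoscaling not enabled".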

Tags