Detection rules › Panther
AWS DynamoDB Table Autoscaling
DynamoDB Auto Scaling can dynamically adjust provisioned throughput capacity in response to traffic patterns. This enables a table to increase its provisioned read and write capacity to handle sudden increases in traffic
Rule body yaml
AnalysisType: policy
Filename: aws_dynamodb_autoscaling.py
PolicyID: "AWS.DynamoDB.Autoscaling"
DisplayName: "AWS DynamoDB Table Autoscaling"
Enabled: true
ResourceTypes:
- AWS.DynamoDB.Table
Tags:
- AWS
- Availability
Severity: Low
Description: >
DynamoDB Auto Scaling can dynamically adjust provisioned throughput capacity in response to
traffic patterns. This enables a table to increase its provisioned read and write capacity
to handle sudden increases in traffic
Runbook: >
https://docs.runpanther.io/alert-runbooks/built-in-policies/aws-dynamodb-table-has-autoscaling-enabled
Reference: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/AutoScaling.html
Tests:
- Name: AutoScaling Enabled
ExpectedResult: true
Resource:
{
"AutoScalingDescriptions":
[
{
"CreationTime": "2019-01-01T00:00:00Z",
"MaxCapacity": 40000,
"MinCapacity": 5,
"ResourceId": "table/example-table",
"RoleARN": "arn:aws:iam::123456789012:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable",
"ScalableDimension": "dynamodb:table:ReadCapacityUnits",
"ServiceNamespace": "dynamodb",
},
{
"CreationTime": "2019-01-01T00:00:00Z",
"MaxCapacity": 40000,
"MinCapacity": 5,
"ResourceId": "table/example-table",
"RoleARN": "arn:aws:iam::123456789012:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable",
"ScalableDimension": "dynamodb:table:WriteCapacityUnits",
"ServiceNamespace": "dynamodb",
},
{
"CreationTime": "2019-01-01T00:00:00Z",
"MaxCapacity": 40000,
"MinCapacity": 5,
"ResourceId": "table/example-table/index/example-index",
"RoleARN": "arn:aws:iam::123456789012:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable",
"ScalableDimension": "dynamodb:index:ReadCapacityUnits",
"ServiceNamespace": "dynamodb",
},
{
"CreationTime": "2019-01-01T00:00:00Z",
"MaxCapacity": 40000,
"MinCapacity": 5,
"ResourceId": "table/example-table/index/example-index",
"RoleARN": "arn:aws:iam::123456789012:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable",
"ScalableDimension": "dynamodb:index:WriteCapacityUnits",
"ServiceNamespace": "dynamodb",
},
],
"AttributeDefinitions":
[
{ "AttributeName": "attribute_one", "AttributeType": "S" },
{ "AttributeName": "attribute_two", "AttributeType": "S" },
],
"BillingModeSummary":
{
"BillingMode": "PROVISIONED",
"LastUpdateToPayPerRequestDateTime": "2019-01-01T00:00:00Z",
},
"CreationDateTime": "2019-01-01T100:00:00Z",
"GlobalSecondaryIndexes":
[
{
"Backfilling": null,
"IndexArn": "arn:aws:dynamodb:us-west-2:123456789012:table/panther-internal-poller-test-table/index/high_score-index",
"IndexName": "example-index",
"IndexSizeBytes": 0,
"IndexStatus": "ACTIVE",
"ItemCount": 0,
"KeySchema":
[{ "AttributeName": "high_score", "KeyType": "HASH" }],
"Projection":
{ "NonKeyAttributes": null, "ProjectionType": "ALL" },
"ProvisionedThroughput":
{
"LastDecreaseDateTime": "2019-01-01T00:00:00Z",
"LastIncreaseDateTime": "2019-01-01T00:00:00Z",
"NumberOfDecreasesToday": 0,
"ReadCapacityUnits": 5,
"WriteCapacityUnits": 5,
},
},
],
"ItemCount": 42,
"KeySchema":
[
{ "AttributeName": "attribute_one", "KeyType": "HASH" },
{ "AttributeName": "attribute_two", "KeyType": "RANGE" },
],
"LatestStreamArn": null,
"LatestStreamLabel": null,
"LocalSecondaryIndexes": null,
"ProvisionedThroughput":
{
"LastDecreaseDateTime": null,
"LastIncreaseDateTime": null,
"NumberOfDecreasesToday": 0,
"ReadCapacityUnits": 0,
"WriteCapacityUnits": 0,
},
"RestoreSummary": null,
"SSEDescription":
{
"KMSMasterKeyArn": "arn:aws:kms:us-west-2:123456789012:key/111222333",
"SSEType": "KMS",
"Status": "ENABLED",
},
"StreamSpecification": null,
"TableArn": "arn:aws:dynamodb:us-west-2:123456789012:table/example-table",
"TableId": "aaaaaaaa-bbbb-1111-2222-1111222233334444",
"Name": "example-table",
"TableSizeBytes": 20000,
"TableStatus": "ACTIVE",
}
- Name: AutoScaling Never Configured
ExpectedResult: false
Resource:
{
"AutoScalingDescriptions": null,
"AttributeDefinitions":
[
{ "AttributeName": "attribute_one", "AttributeType": "S" },
{ "AttributeName": "attribute_two", "AttributeType": "S" },
],
"BillingModeSummary": null,
"CreationDateTime": "2019-01-01T100:00:00Z",
"GlobalSecondaryIndexes":
[
{
"Backfilling": null,
"IndexArn": "arn:aws:dynamodb:us-west-2:123456789012:table/panther-internal-poller-test-table/index/high_score-index",
"IndexName": "example-index",
"IndexSizeBytes": 0,
"IndexStatus": "ACTIVE",
"ItemCount": 0,
"KeySchema":
[{ "AttributeName": "high_score", "KeyType": "HASH" }],
"Projection":
{ "NonKeyAttributes": null, "ProjectionType": "ALL" },
"ProvisionedThroughput":
{
"LastDecreaseDateTime": "2019-01-01T00:00:00Z",
"LastIncreaseDateTime": "2019-01-01T00:00:00Z",
"NumberOfDecreasesToday": 0,
"ReadCapacityUnits": 5,
"WriteCapacityUnits": 5,
},
},
],
"ItemCount": 42,
"KeySchema":
[
{ "AttributeName": "attribute_one", "KeyType": "HASH" },
{ "AttributeName": "attribute_two", "KeyType": "RANGE" },
],
"LatestStreamArn": null,
"LatestStreamLabel": null,
"LocalSecondaryIndexes": null,
"ProvisionedThroughput":
{
"LastDecreaseDateTime": null,
"LastIncreaseDateTime": null,
"NumberOfDecreasesToday": 0,
"ReadCapacityUnits": 0,
"WriteCapacityUnits": 0,
},
"RestoreSummary": null,
"SSEDescription":
{
"KMSMasterKeyArn": "arn:aws:kms:us-west-2:123456789012:key/111222333",
"SSEType": "KMS",
"Status": "ENABLED",
},
"StreamSpecification": null,
"TableArn": "arn:aws:dynamodb:us-west-2:123456789012:table/example-table",
"TableId": "aaaaaaaa-bbbb-1111-2222-1111222233334444",
"Name": "example-table",
"TableSizeBytes": 20000,
"TableStatus": "ACTIVE",
}
- Name: AutoScaling Not Enabled For Table
ExpectedResult: false
Resource:
{
"AutoScalingDescriptions":
[
{
"CreationTime": "2019-01-01T00:00:00Z",
"MaxCapacity": 40000,
"MinCapacity": 5,
"ResourceId": "table/example-table/index/example-index",
"RoleARN": "arn:aws:iam::123456789012:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable",
"ScalableDimension": "dynamodb:index:ReadCapacityUnits",
"ServiceNamespace": "dynamodb",
},
{
"CreationTime": "2019-01-01T00:00:00Z",
"MaxCapacity": 40000,
"MinCapacity": 5,
"ResourceId": "table/example-table/index/example-index",
"RoleARN": "arn:aws:iam::123456789012:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable",
"ScalableDimension": "dynamodb:index:WriteCapacityUnits",
"ServiceNamespace": "dynamodb",
},
],
"AttributeDefinitions":
[
{ "AttributeName": "attribute_one", "AttributeType": "S" },
{ "AttributeName": "attribute_two", "AttributeType": "S" },
],
"BillingModeSummary":
{
"BillingMode": "PROVISIONED",
"LastUpdateToPayPerRequestDateTime": "2019-01-01T00:00:00Z",
},
"CreationDateTime": "2019-01-01T100:00:00Z",
"GlobalSecondaryIndexes":
[
{
"Backfilling": null,
"IndexArn": "arn:aws:dynamodb:us-west-2:123456789012:table/panther-internal-poller-test-table/index/high_score-index",
"IndexName": "example-index",
"IndexSizeBytes": 0,
"IndexStatus": "ACTIVE",
"ItemCount": 0,
"KeySchema":
[{ "AttributeName": "high_score", "KeyType": "HASH" }],
"Projection":
{ "NonKeyAttributes": null, "ProjectionType": "ALL" },
"ProvisionedThroughput":
{
"LastDecreaseDateTime": "2019-01-01T00:00:00Z",
"LastIncreaseDateTime": "2019-01-01T00:00:00Z",
"NumberOfDecreasesToday": 0,
"ReadCapacityUnits": 5,
"WriteCapacityUnits": 5,
},
},
],
"ItemCount": 42,
"KeySchema":
[
{ "AttributeName": "attribute_one", "KeyType": "HASH" },
{ "AttributeName": "attribute_two", "KeyType": "RANGE" },
],
"LatestStreamArn": null,
"LatestStreamLabel": null,
"LocalSecondaryIndexes": null,
"ProvisionedThroughput":
{
"LastDecreaseDateTime": null,
"LastIncreaseDateTime": null,
"NumberOfDecreasesToday": 0,
"ReadCapacityUnits": 0,
"WriteCapacityUnits": 0,
},
"RestoreSummary": null,
"SSEDescription":
{
"KMSMasterKeyArn": "arn:aws:kms:us-west-2:123456789012:key/111222333",
"SSEType": "KMS",
"Status": "ENABLED",
},
"StreamSpecification": null,
"TableArn": "arn:aws:dynamodb:us-west-2:123456789012:table/example-table",
"TableId": "aaaaaaaa-bbbb-1111-2222-1111222233334444",
"Name": "example-table",
"TableSizeBytes": 20000,
"TableStatus": "ACTIVE",
}
- Name: Billing Mode Pay Per Request
ExpectedResult: true
Resource:
{
"AutoScalingDescriptions":
[
{
"CreationTime": "2019-01-01T00:00:00Z",
"MaxCapacity": 40000,
"MinCapacity": 5,
"ResourceId": "table/example-table",
"RoleARN": "arn:aws:iam::123456789012:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable",
"ScalableDimension": "dynamodb:table:ReadCapacityUnits",
"ServiceNamespace": "dynamodb",
},
{
"CreationTime": "2019-01-01T00:00:00Z",
"MaxCapacity": 40000,
"MinCapacity": 5,
"ResourceId": "table/example-table",
"RoleARN": "arn:aws:iam::123456789012:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable",
"ScalableDimension": "dynamodb:table:WriteCapacityUnits",
"ServiceNamespace": "dynamodb",
},
{
"CreationTime": "2019-01-01T00:00:00Z",
"MaxCapacity": 40000,
"MinCapacity": 5,
"ResourceId": "table/example-table/index/example-index",
"RoleARN": "arn:aws:iam::123456789012:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable",
"ScalableDimension": "dynamodb:index:ReadCapacityUnits",
"ServiceNamespace": "dynamodb",
},
{
"CreationTime": "2019-01-01T00:00:00Z",
"MaxCapacity": 40000,
"MinCapacity": 5,
"ResourceId": "table/example-table/index/example-index",
"RoleARN": "arn:aws:iam::123456789012:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable",
"ScalableDimension": "dynamodb:index:WriteCapacityUnits",
"ServiceNamespace": "dynamodb",
},
],
"AttributeDefinitions":
[
{ "AttributeName": "attribute_one", "AttributeType": "S" },
{ "AttributeName": "attribute_two", "AttributeType": "S" },
],
"BillingModeSummary":
{
"BillingMode": "PAY-PER-REQUEST",
"LastUpdateToPayPerRequestDateTime": "2019-01-01T00:00:00Z",
},
"CreationDateTime": "2019-01-01T100:00:00Z",
"GlobalSecondaryIndexes":
[
{
"Backfilling": null,
"IndexArn": "arn:aws:dynamodb:us-west-2:123456789012:table/panther-internal-poller-test-table/index/high_score-index",
"IndexName": "example-index",
"IndexSizeBytes": 0,
"IndexStatus": "ACTIVE",
"ItemCount": 0,
"KeySchema":
[{ "AttributeName": "high_score", "KeyType": "HASH" }],
"Projection":
{ "NonKeyAttributes": null, "ProjectionType": "ALL" },
"ProvisionedThroughput":
{
"LastDecreaseDateTime": "2019-01-01T00:00:00Z",
"LastIncreaseDateTime": "2019-01-01T00:00:00Z",
"NumberOfDecreasesToday": 0,
"ReadCapacityUnits": 5,
"WriteCapacityUnits": 5,
},
},
],
"ItemCount": 42,
"KeySchema":
[
{ "AttributeName": "attribute_one", "KeyType": "HASH" },
{ "AttributeName": "attribute_two", "KeyType": "RANGE" },
],
"LatestStreamArn": null,
"LatestStreamLabel": null,
"LocalSecondaryIndexes": null,
"ProvisionedThroughput":
{
"LastDecreaseDateTime": null,
"LastIncreaseDateTime": null,
"NumberOfDecreasesToday": 0,
"ReadCapacityUnits": 0,
"WriteCapacityUnits": 0,
},
"RestoreSummary": null,
"SSEDescription":
{
"KMSMasterKeyArn": "arn:aws:kms:us-west-2:123456789012:key/111222333",
"SSEType": "KMS",
"Status": "ENABLED",
},
"StreamSpecification": null,
"TableArn": "arn:aws:dynamodb:us-west-2:123456789012:table/example-table",
"TableId": "aaaaaaaa-bbbb-1111-2222-1111222233334444",
"Name": "example-table",
"TableSizeBytes": 20000,
"TableStatus": "ACTIVE",
}
Detection logic
Condition
not (not (BillingModeSummary is_null and AutoScalingDescriptions is_null) and AutoScalingDescriptions is_not_null and BillingModeSummary.BillingMode ne "PROVISIONED")
This rule also runs imperative logic the parser cannot express as a filter; the conditions above are the structured part it could extract.
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
AutoScalingDescriptions | is_null | |
BillingModeSummary | is_null | |
BillingModeSummary.BillingMode | ne | PROVISIONED |
AutoScalingDescriptions | is_not_null |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
AutoScalingDescriptions | is_null | |
BillingModeSummary | is_null |