
Unused Table

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: DynamoDB-001

Identify any unused Amazon DynamoDB tables available within your AWS cloud account and delete them in order to lower the cost of your AWS bill and reduce the risk of usage by unauthorized personnel. A DynamoDB table is considered unused if the "ItemCount" parameter, which describes the number of items in the table, is equal to 0 (zero).

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Cost optimisation, Sustainability

As an Amazon DynamoDB customer, you are being charged for DynamoDB Read and Write capacity, regardless of whether or not you are using the capacity units provisioned for your tables. Removing unused Amazon DynamoDB tables from your AWS account will help you to avoid unexpected charges on your AWS bill and halt any access to these tables.


Audit

To determine if there are any unused Amazon DynamoDB tables available in your AWS account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon DynamoDB console available at https://console.aws.amazon.com/dynamodbv2/.

03 In the main navigation panel, under Dashboard, choose Tables.

04 Click on the name (link) of the DynamoDB table that you want to examine.

05 Select the Overview tab to access the general configuration settings available for the selected table.

06 In the Items summary section, check the Item count parameter value. If the Item count parameter value is set to 0 (zero), the selected Amazon DynamoDB table is not in use anymore and can be safely removed from your AWS cloud account.

07 Repeat steps no. 4 – 6 for each Amazon DynamoDB table available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-tables command (OSX/Linux/UNIX) with custom query filters to list the name of each Amazon DynamoDB table created in the selected AWS cloud region:

aws dynamodb list-tables \
  --region us-east-1 \
  --output table \
  --query 'TableNames'

02 The command output should return a table with the requested table name(s):

--------------------------
|       ListTables       |
+------------------------+
|  cc-product-reviews    |
|  cc-product-inventory  |
+------------------------+ 

03 Run describe-table command (OSX/Linux/UNIX) using the name of the DynamoDB table that you want to examine as the identifier parameter and custom query filters to return the number of items currently available within the selected table:

aws dynamodb describe-table \
  --region us-east-1 \
  --table-name cc-product-reviews \
  --query 'Table.ItemCount'

04 The command output should return the "ItemCount" parameter value available for the selected table:

0

If the describe-table command output returns 0 (zero), as shown in the output example above, the selected Amazon DynamoDB table is considered unused and can be safely removed from your AWS cloud account.

05 Repeat steps no. 3 and 4 for each DynamoDB table available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
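The CLI audit above, scripted as an added example (it is not part of this article or of Conformity's own tooling): it follows list-tables pagination, runs describe-table for each table and flags tables with an ItemCount of 0. It also holds back tables created within the last six hours, because DynamoDB refreshes ItemCount only about that often and a freshly loaded table can still report 0; that extra check is an addition to the article's procedure. FakeDynamoDB and SAMPLE_TABLES are constructed stand-ins for boto3's DynamoDB client and for real tables.

```python
from datetime import datetime, timedelta, timezone

# DescribeTable's ItemCount is refreshed by DynamoDB roughly every six hours,
# so a table created inside that window can report 0 for items it already holds.
ITEMCOUNT_REFRESH = timedelta(hours=6)

def classify_table(table, now=None):
    """Return 'unused', 'in-use' or 'too-new' for one describe-table 'Table' dict."""
    now = now or datetime.now(timezone.utc)
    created = table.get("CreationDateTime")
    if created is not None and now - created < ITEMCOUNT_REFRESH:
        return "too-new"  # ItemCount may not have been computed yet
    return "unused" if table.get("ItemCount", 0) == 0 else "in-use"

def audit_region(client, region, now=None):
    """CLI steps 1-5: list-tables (following pagination), then describe-table each."""
    findings, kwargs = {}, {}
    while True:
        page = client.list_tables(**kwargs)
        for name in page.get("TableNames", []):
            table = client.describe_table(TableName=name)["Table"]
            findings[f"{region}:{name}"] = classify_table(table, now)
        if "LastEvaluatedTableName" not in page:
            return findings  # last page for this region
        kwargs = {"ExclusiveStartTableName": page["LastEvaluatedTableName"]}

def unused_tables(findings):
    """'region:table' keys whose ItemCount was 0 for long enough to trust."""
    return sorted(k for k, v in findings.items() if v == "unused")

class FakeDynamoDB:
    """Constructed stand-in for boto3.client('dynamodb'); pages one table at a time."""
    def __init__(self, tables):
        self.tables, self.names = tables, list(tables)
    def list_tables(self, ExclusiveStartTableName=None):
        start = self.names.index(ExclusiveStartTableName) + 1 if ExclusiveStartTableName else 0
        page = {"TableNames": self.names[start:start + 1]}
        if start + 1 < len(self.names):
            page["LastEvaluatedTableName"] = self.names[start]
        return page
    def describe_table(self, TableName):
        return {"Table": dict(self.tables[TableName], TableName=TableName)}

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_TABLES = {  # constructed; the first two names mirror the article's CLI output
    "cc-product-reviews": {"ItemCount": 0, "CreationDateTime": NOW - timedelta(days=90)},
    "cc-product-inventory": {"ItemCount": 4821, "CreationDateTime": NOW - timedelta(days=90)},
    "cc-orders-staging": {"ItemCount": 0, "CreationDateTime": NOW - timedelta(hours=1)},
}
```

For a live audit, pass `boto3.client("dynamodb", region_name=region)` to `audit_region` in place of `FakeDynamoDB` and loop over the regions you need; `unused_tables` then lists the deletion candidates.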

Remediation / Resolution

To remove any unused Amazon DynamoDB tables from your AWS cloud account, perform the following operations:

Using Terraform (AWS Provider)

01 To remove an unused Amazon DynamoDB table, run the following Terraform command, using the Terraform name of the table that you want to delete (e.g. aws-dynamodb-table) as the --target parameter:

terraform destroy --target aws_dynamodb_table.aws-dynamodb-table

02 Type yes and press Enter to confirm the unused table deletion:

│ Warning: Resource targeting is in effect
│ You are creating a plan with the -target option, which means that the result of this plan may not represent all of the changes requested by the current configuration.
│ The -target option is not for routine use, and is provided only for exceptional situations such as recovering from errors or mistakes, or when Terraform specifically suggests to use it as part of an error message.
│ 

	Do you really want to destroy all resources?
	Terraform will destroy all your managed infrastructure, as shown above.
	There is no undo. Only 'yes' will be accepted to confirm.

		Enter a value: yes

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon DynamoDB console available at https://console.aws.amazon.com/dynamodbv2/.

03 In the main navigation panel, under Dashboard, choose Tables.

04 Select the Amazon DynamoDB table that you want to remove and choose Delete from the console top menu.

05 Inside the Delete table confirmation box, perform the following actions:

  1. Choose whether you want to delete all the Amazon CloudWatch alarms associated with the selected table.
  2. Select the Create an on-demand backup of [table-name] before deletion checkbox to create a final (on-demand) backup of your table for long-term retention and data archiving.
  3. Type confirm in the required field for confirmation.
  4. Choose Delete to remove the selected Amazon DynamoDB table from your AWS account.

06 Repeat steps no. 4 and 5 for each unused Amazon DynamoDB table that you want to delete, available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and perform the Remediation process for other regions.

Using AWS CLI

01 Run delete-table command (OSX/Linux/UNIX) to remove an unused Amazon DynamoDB table from your AWS cloud account. Once the delete-table command request is made, the selected table enters the "DELETING" state until DynamoDB completes the removal process:

aws dynamodb delete-table \
  --region us-east-1 \
  --table-name cc-product-reviews

02 The command output should return the configuration information available for the DynamoDB table selected for deletion:

{
	"TableDescription": {
		"TableName": "cc-product-reviews",
		"TableStatus": "DELETING",
		"ProvisionedThroughput": {
			"NumberOfDecreasesToday": 0,
			"ReadCapacityUnits": 5,
			"WriteCapacityUnits": 5
		},
		"TableSizeBytes": 0,
		"ItemCount": 0,
		"TableArn": "arn:aws:dynamodb:us-east-1:123456789012:table/cc-product-reviews",
		"TableId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
		"SSEDescription": {
			"Status": "ENABLED",
			"SSEType": "KMS",
			"KMSMasterKeyArn": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"
		},
		"TableClassSummary": {
			"TableClass": "STANDARD"
		}
	}
}

03 Repeat steps no. 1 and 2 for each unused Amazon DynamoDB table that you want to delete, available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.
