
Enable Aurora Serverless AutoPause

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the AutoPause feature is enabled and configured for your AWS Aurora Serverless database clusters in order to reduce service costs. Aurora Serverless AutoPause can be configured to pause compute capacity after a set number of consecutive minutes of inactivity (between 5 and 1440 minutes). The feature is extremely useful for use cases that involve infrequent access, such as development or staging application databases.

Cost optimisation

With the AutoPause feature, you can specify how long the cluster must see no Aurora database traffic before it scales to zero processing capacity. When the Amazon Aurora database cluster is paused, no compute or memory activity occurs, and you are charged only for database storage.


Audit

To determine if AutoPause is enabled for Aurora Serverless clusters available in your AWS account, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under Amazon RDS, click Databases.

04 Select the Aurora Serverless database cluster that you want to examine. To identify Aurora Serverless clusters, check the value available in the Type column (i.e. Serverless).

05 Click on the Actions dropdown menu from the dashboard top menu and choose Modify cluster.

06 Within the Capacity settings section, expand the Additional scaling configuration panel and check the Pause compute capacity after consecutive minutes of inactivity checkbox. If the checkbox is unchecked, the AutoPause feature is not enabled for the selected Amazon Aurora Serverless database cluster.

07 Repeat steps no. 4 – 6 to verify the AutoPause feature status for other Amazon Aurora Serverless clusters available in the current region.

08 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run the describe-db-clusters command (OSX/Linux/UNIX) using custom query filters to list the names of all Aurora Serverless clusters available in the selected AWS region:

aws rds describe-db-clusters \
	--region us-east-1 \
	--output table \
	--query 'DBClusters[?Engine==`aurora` && EngineMode==`serverless`].DBClusterIdentifier | []'

02 The command output should return a table with the requested resource names:

--------------------------
|   DescribeDBClusters   |
+------------------------+
|  cc-app-dev-cluster    |
|  cc-serverless-cluster |
+------------------------+

03 Execute the describe-db-clusters command (OSX/Linux/UNIX) using the name of the database cluster that you want to examine as the identifier parameter and custom query filters to get the AutoPause feature status for the selected Amazon Aurora cluster:

aws rds describe-db-clusters \
	--region us-east-1 \
	--db-cluster-identifier cc-app-dev-cluster \
	--query 'DBClusters[*].ScalingConfigurationInfo.AutoPause'

04 The command output should return the feature status (true for enabled, false for disabled):

[
	false
]

If the describe-db-clusters command output returns false, as shown in the output example above, the AutoPause feature is not enabled for the selected Amazon Aurora Serverless database cluster.

05 Repeat steps no. 3 and 4 to determine the AutoPause status for other Aurora Serverless clusters available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
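
The CLI audit steps above can be collapsed into one pass per region. The script below is an added example, not part of the original Conformity page: the function names and sample rows are constructed for illustration, the query drops the page's Engine filter so that serverless clusters of any Aurora engine are listed, and it relies on the AWS CLI text output printing booleans as True/False.

```shell
#!/bin/sh
# Added example: flag Aurora Serverless clusters with AutoPause disabled.

# One row per serverless cluster: identifier, AutoPause, SecondsUntilAutoPause.
QUERY='DBClusters[?EngineMode==`serverless`].[DBClusterIdentifier,ScalingConfigurationInfo.AutoPause,ScalingConfigurationInfo.SecondsUntilAutoPause]'

# classify_rows REGION: read tab-separated rows on stdin, print one finding each.
# The body runs in a subshell "( )" so its variables do not leak into the caller.
classify_rows() (
  region="$1"
  tab=$(printf '\t')
  while IFS="$tab" read -r id autopause seconds; do
    [ -n "$id" ] || continue
    if [ "$autopause" = "True" ]; then
      echo "PASS $region $id AutoPause after ${seconds}s"
    else
      # False, or None when no scaling configuration is reported
      echo "FAIL $region $id AutoPause disabled"
    fi
  done
)

# audit_region REGION: live check; needs AWS CLI credentials that allow
# rds:DescribeDBClusters in that region.
audit_region() {
  aws rds describe-db-clusters --region "$1" --output text \
    --query "$QUERY" | classify_rows "$1"
}

# Constructed sample rows in the shape `--output text` produces.
sample_rows() {
  printf 'cc-app-dev-cluster\tFalse\t300\n'
  printf 'cc-serverless-cluster\tTrue\t900\n'
}

# Offline demo on the constructed rows; for a live audit call e.g.
#   audit_region us-east-1
sample_rows | classify_rows us-east-1
```
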

Remediation / Resolution

To enable and configure the AutoPause feature so that your Aurora Serverless database clusters pause after a given amount of time with no activity, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under Amazon RDS, click Databases.

04 Select the serverless database cluster that you want to reconfigure (see Audit section part I to identify the right Aurora resource).

05 Click on the Actions dropdown menu from the dashboard top menu and choose Modify cluster.

06 Within the Capacity settings section, perform the following:

  1. Expand the Additional scaling configuration panel.
  2. Select the Pause compute capacity after consecutive minutes of inactivity checkbox to enable the AutoPause feature.
  3. Use the hours, minutes and seconds dropdown menus to configure the length of inactivity time until the selected cluster pauses. This can be set to anywhere between 5 minutes and 24 hours. If the inactivity time frame is not configured, by default, your cluster will pause after 5 consecutive minutes of inactivity.

07 Click Continue to continue the update process.

08 Within the Summary of modifications section, review the configuration changes that you want to apply to your database cluster, then click Modify DB Cluster to finish the process. The changes are applied immediately.

09 Repeat steps no. 4 – 8 to enable and configure AutoPause for other Amazon Aurora Serverless clusters available in the current region.

10 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run the modify-db-cluster command (OSX/Linux/UNIX) to enable the AutoPause feature for the selected Amazon Aurora Serverless database cluster (see Audit section part II to identify the right resource) by adding the --scaling-configuration parameter with the appropriate settings to the command request. The following database scaling configuration example uses 2 minimum capacity units, 12 maximum capacity units and 15 minutes for the length of inactivity time until the cluster is paused:

aws rds modify-db-cluster \
	--region us-east-1 \
	--db-cluster-identifier cc-app-dev-cluster \
	--scaling-configuration MinCapacity=2,MaxCapacity=12,AutoPause=true,SecondsUntilAutoPause=900

02 The command output should return the configuration metadata for the modified serverless cluster:

{
    "DBCluster": {
        "EngineMode": "serverless",
        "Status": "available",
        "MultiAZ": false,
        "PreferredBackupWindow": "05:07-05:37",
        "DBSubnetGroup": "default",
        "BackupRetentionPeriod": 5,
        "Engine": "aurora",
        "IAMDatabaseAuthenticationEnabled": false,
        "EngineVersion": "5.6.10a",
 
        ...
 
        "DeletionProtection": true,
        "DBClusterIdentifier": "cc-app-dev-cluster",
        "DbClusterResourceId": "cluster-AAAABBBBCCCCDDDDAAAABBBBCD",
        "DBClusterMembers": [],
        "StorageEncrypted": true,
        "DBClusterParameterGroup": "default.aurora5.6",
        "AvailabilityZones": [
            "us-east-1a",
            "us-east-1c",
            "us-east-1d"
        ],
        "Port": 3306
    }
}

03 Repeat steps no. 1 and 2 to enable and configure the AutoPause feature for other Amazon Aurora Serverless clusters available in the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.


Publication date Apr 15, 2019
