Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable Instance Storage AutoScaling

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: RDS-041

Ensure that the Storage AutoScaling feature is enabled for your Amazon RDS database instances in order to provide dynamic scaling support for the database's storage based on your RDS application needs. Enabling Storage AutoScaling will allow the database instance storage to increase once the configured threshold is exceeded.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Performance
efficiency

With the Storage AutoScaling feature enabled, when Amazon RDS detects that your database instance is running out of disk space, it automatically scales up your instance storage. For example, you can use this feature for a new mobile application that users are adopting rapidly. In this case, a rapidly increasing workload might exceed the available database storage. To avoid having to manually scale up database storage, enable Amazon RDS Storage AutoScaling.


Audit

To determine if the Storage AutoScaling feature is enabled for your Amazon RDS database instances, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under Amazon RDS, choose Databases.

04 Click on the name (link) of the RDS database instance that you want to examine. To identify RDS database instances, check the database role available in the Role column (i.e. Instance).

05 Select the Configuration tab and check the Storage autoscaling attribute value. If the Storage autoscaling value is set to Disabled, the Storage AutoScaling feature is not enabled for the selected Amazon RDS database instance.

06 Repeat steps no. 4 and 5 for each Amazon RDS database instance available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-db-instances command (OSX/Linux/UNIX) with custom query filters to list the names of the Amazon RDS MySQL and PostgreSQL database instances available in the selected AWS region:

aws rds describe-db-instances
  --region us-east-1
  --output table
  --query 'DBInstances[?Engine==`mysql` || Engine==`postgres`].DBInstanceIdentifier | []'

02 The command output should return a table with the requested database instance names:

--------------------------------
|     DescribeDBInstances      |
+------------------------------+
|  cc-project5-mysql-database  |
|  cc-prod-postgres-database   |
+------------------------------+

03 Run describe-db-instances command (OSX/Linux/UNIX) using the name of the MySQL/PostgreSQL database instance that you want to examine as the identifier parameter and custom query filters to describe the maximum allocated storage threshold configured for the Storage AutoScaling feature, for the selected RDS database instance:

aws rds describe-db-instances
  --region us-east-1
  --db-instance-identifier cc-project5-mysql-database
  --query 'DBInstances[*].MaxAllocatedStorage'

04 The command output should return the maximum storage threshold configured:

[]

If the describe-db-instances command output returns null or an empty array (i.e. []), as shown in the output example above, there is no maximum storage threshold configured for the RDS Storage AutoScaling, therefore the feature is not enabled for the selected Amazon RDS database instance.

05 Repeat steps no. 3 and 4 for each Amazon RDS database instance available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enable and configure the Storage AutoScaling feature for your Amazon RDS database instances, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Enable and Configure RDS Storage AutoScaling",
  "Parameters": {
    "DBInstanceName": {
        "Default": "mysql-database-instance",
        "Description": "RDS database instance name",
        "Type": "String",
        "MinLength": "1",
        "MaxLength": "63",
        "AllowedPattern": "^[0-9a-zA-Z-/]*$",
        "ConstraintDescription": "Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens."
    },
    "DBInstanceClass": {
          "Default": "db.t2.micro",
          "Description": "DB instance class/type",
          "Type": "String",
          "ConstraintDescription": "Must provide a valid DB instance type."
    },
    "DBAllocatedStorage": {
        "Default": "20",
        "Description": "The size of the database (GiB)",
        "Type": "Number",
        "MinValue": "20",
        "MaxValue": "65536",
        "ConstraintDescription": "Must be between 20 and 65536 GiB."
    },
    "DBName": {
        "Default": "mysqldb",
        "Description": "Database name",
        "Type": "String",
        "MinLength": "1",
        "MaxLength": "64",
        "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
        "ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters."
    },
    "DBUsername": {
        "Description": "Master username for database access",
        "Type": "String",
        "MinLength": "1",
        "MaxLength": "16",
        "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
        "ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters."
    },
    "DBPassword": {
        "NoEcho": "true",
        "Description": "Password for database access",
        "Type": "String",
        "MinLength": "8",
        "MaxLength": "41",
        "AllowedPattern": "[a-zA-Z0-9]*",
        "ConstraintDescription": "Must contain only alphanumeric characters."
    }
  },
  "Resources": {
    "RDSInstance": {
        "Type": "AWS::RDS::DBInstance",
        "Properties": {
            "DBInstanceIdentifier": {
                "Ref": "DBInstanceName"
            },
            "DBName": {
                "Ref": "DBName"
            },
            "MasterUsername": {
                "Ref": "DBUsername"
            },
            "MasterUserPassword": {
                "Ref": "DBPassword"
            },
            "DBInstanceClass": {
                "Ref": "DBInstanceClass"
            },
            "AllocatedStorage": {
                "Ref": "DBAllocatedStorage"
            },
            "Engine": "MySQL",
            "EngineVersion": "5.7.36",
            "MaxAllocatedStorage": 150
        }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable and Configure RDS Storage AutoScaling
Parameters:
  DBInstanceName:
    Default: mysql-database-instance
    Description: RDS database instance name
    Type: String
    MinLength: '1'
    MaxLength: '63'
    AllowedPattern: ^[0-9a-zA-Z-/]*$
    ConstraintDescription: Must begin with a letter and must not end with a hyphen
      or contain two consecutive hyphens.
  DBInstanceClass:
    Default: db.t2.micro
    Description: DB instance class/type
    Type: String
    ConstraintDescription: Must provide a valid DB instance type.
  DBAllocatedStorage:
    Default: '20'
    Description: The size of the database (GiB)
    Type: Number
    MinValue: '20'
    MaxValue: '65536'
    ConstraintDescription: Must be between 20 and 65536 GiB.
  DBName:
    Default: mysqldb
    Description: Database name
    Type: String
    MinLength: '1'
    MaxLength: '64'
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
    ConstraintDescription: Must begin with a letter and contain only alphanumeric
      characters.
  DBUsername:
    Description: Master username for database access
    Type: String
    MinLength: '1'
    MaxLength: '16'
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
    ConstraintDescription: Must begin with a letter and contain only alphanumeric
      characters.
  DBPassword:
    NoEcho: 'true'
    Description: Password for database access
    Type: String
    MinLength: '8'
    MaxLength: '41'
    AllowedPattern: '[a-zA-Z0-9]*'
    ConstraintDescription: Must contain only alphanumeric characters.
Resources:
  RDSInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: !Ref 'DBInstanceName'
      DBName: !Ref 'DBName'
      MasterUsername: !Ref 'DBUsername'
      MasterUserPassword: !Ref 'DBPassword'
      DBInstanceClass: !Ref 'DBInstanceClass'
      AllocatedStorage: !Ref 'DBAllocatedStorage'
      Engine: MySQL
      EngineVersion: 5.7.36
      MaxAllocatedStorage: 150

Using Terraform

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_db_instance" "rds-database-instance" {
  allocated_storage     = 20
  engine                = "mysql"
  engine_version        = "5.7"
  instance_class        = "db.t2.micro"
  name                  = "mysqldb"
  username              = "ccmysqluser01"
  password              = "ccmysqluserpwd"
  parameter_group_name  = "default.mysql5.7"

  # Enable and Configure RDS Storage AutoScaling
  max_allocated_storage = 150

  apply_immediately = true
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under Amazon RDS, choose Databases.

04 Select the Amazon RDS database instance that you want to reconfigure and choose Modify.

05 On the Modify DB instance: configuration page, perform the following actions:

  1. In the Storage section, under Storage autoscaling, perform the following:
    • Select the Enable storage autoscaling checkbox to enable the Storage AutoScaling feature for the selected MySQL/PostgreSQL database instance. Enabling this feature will allow the instance storage to increase once the specified threshold is exceeded.
    • Provide the maximum storage threshold required by the planned workload of the selected database instance in the Maximum storage threshold box.
  2. Choose Continue and review the configuration changes that you want to apply, available in the Summary of modifications section.
  3. In the Scheduling of modifications section, perform one of the following actions based on your workload requirements:
    • Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.
    • Select Apply immediately to apply the changes right away. With this option any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window configured for the selected RDS database instance. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your database application.
  4. Choose Modify DB instance to apply the configuration changes. Once the Storage AutoScaling feature is enabled, Amazon RDS would start a storage modification for the specified database instance when these factors apply:
    • Free available space is less than 10 percent of the allocated instance storage.
    • The low-storage condition lasts at least 5 minutes.
    • At least 6 hours have passed since the last storage modification.
      The additional storage is in increments of whichever of the following is greater:
      • 5 GiB.
      • 10 percent of currently allocated instance storage.
      • Storage growth prediction based on the "FreeStorageSpace" metrics change in the past hour.

06 Repeat steps no. 4 and 5 for each Amazon RDS database instance available in the selected AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run modify-db-instance command (OSX/Linux/UNIX) to enable the Storage AutoScaling feature for the selected Amazon RDS database instance (MySQL or PostgreSQL database) by setting the upper limit on storage size, in GiB, using the --max-allocated-storage parameter. The following command request example makes use of --apply-immediately parameter to apply the configuration changes asynchronously and as soon as possible. Any changes available in the pending modifications queue are also applied with this request. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your database application. If you skip adding the --apply-immediately parameter to the command request, Amazon RDS will apply your changes during the next maintenance window:

aws rds modify-db-instance
  --region us-east-1
  --db-instance-identifier cc-project5-mysql-database
  --max-allocated-storage 150
  --apply-immediately

02 The command output should return the configuration metadata for the modified RDS database instance:

{
    "DBInstance": {
        "PubliclyAccessible": true,
        "MasterUsername": "ccadmin",
        "MonitoringInterval": 0,
        "LicenseModel": "general-public-license",
        "VpcSecurityGroups": [
            {
                "Status": "active",
                "VpcSecurityGroupId": "sg-0abcd1234abcd1234"
            },
            {
                "Status": "active",
                "VpcSecurityGroupId": "sg-abcdabcd"
            }
        ],
        "InstanceCreateTime": "2021-05-12T08:00:00.677Z",
        "CopyTagsToSnapshot": true,
        "OptionGroupMemberships": [
            {
                "Status": "in-sync",
                "OptionGroupName": "default:mysql-5-7"
            }
        ],
        "PendingModifiedValues": {},
        "Engine": "mysql",
        "MultiAZ": false,
        "MaxAllocatedStorage": 80,
        "DBSecurityGroups": [],
        "DBParameterGroups": [
            {
                "DBParameterGroupName": "default.mysql5.7",
                "ParameterApplyStatus": "in-sync"
            }
        ],
        "PerformanceInsightsEnabled": false,
        "AutoMinorVersionUpgrade": false,
        "PreferredBackupWindow": "06:02-06:32",
        "DBSubnetGroup": {
            "Subnets": [
                {
                    "SubnetStatus": "Active",
                    "SubnetIdentifier": "subnet-abcd1234",
                    "SubnetOutpost": {},
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1d"
                    }
                },
                {
                    "SubnetStatus": "Active",
                    "SubnetIdentifier": "subnet-1234abcd",
                    "SubnetOutpost": {},
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1e"
                    }
                },
                {
                    "SubnetStatus": "Active",
                    "SubnetIdentifier": "subnet-abcdabcd",
                    "SubnetOutpost": {},
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1b"
                    }
                },
                {
                    "SubnetStatus": "Active",
                    "SubnetIdentifier": "subnet-12341234",
                    "SubnetOutpost": {},
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1a"
                    }
                },
                {
                    "SubnetStatus": "Active",
                    "SubnetIdentifier": "subnet-abcd1234",
                    "SubnetOutpost": {},
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1f"
                    }
                },
                {
                    "SubnetStatus": "Active",
                    "SubnetIdentifier": "subnet-1234abcd",
                    "SubnetOutpost": {},
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1c"
                    }
                }
            ],
            "DBSubnetGroupName": "default-vpc-abcdabcd",
            "VpcId": "vpc-abcdabcd",
            "DBSubnetGroupDescription": "Created from the AWS Management Console",
            "SubnetGroupStatus": "Complete"
        },
        "ReadReplicaDBInstanceIdentifiers": [],
        "AllocatedStorage": 50,
        "DBInstanceArn": "arn:aws:rds:us-east-1:123456789012:db:cc-project5-mysql-database",
        "BackupRetentionPeriod": 0,
        "PreferredMaintenanceWindow": "thu:03:27-thu:03:57",
        "Endpoint": {
            "HostedZoneId": "ABCDABCDABCD",
            "Port": 3306,
            "Address": "cc-project5-mysql-database.abcdabcdabcd.us-east-1.rds.amazonaws.com"
        },
        "DBInstanceStatus": "available",
        "IAMDatabaseAuthenticationEnabled": false,
        "EngineVersion": "5.7.30",
        "DeletionProtection": false,
        "AvailabilityZone": "us-east-1a",
        "DomainMemberships": [],
        "StorageType": "gp2",
        "DbiResourceId": "db-ABCDABCDABCDABCDABCDABCDAB",
        "CACertificateIdentifier": "rds-ca-2019",
        "StorageEncrypted": false,
        "AssociatedRoles": [],
        "DBInstanceClass": "db.t3.medium",
        "DbInstancePort": 0,
        "DBInstanceIdentifier": "cc-project5-mysql-database"
    }
}

03 Repeat steps no. 1 and 2 for each Amazon RDS database instance available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

References

Publication date Dec 14, 2020

Unlock the Remediation Steps


Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Enable Instance Storage AutoScaling

Risk Level: Medium