
Overutilized AWS RDS Instances

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: RDS-038

Identify any Amazon RDS database instances that appear to be overutilized and upgrade (upsize) them to better handle the database workload and improve the response time. By default, an RDS database instance is considered "overutilized" when it meets the following criteria:

- The daily average CPU utilization has been more than 90% for the last 7 days.

The AWS CloudWatch metrics used to detect overused RDS instances are:

- CPUUtilization - the percentage of CPU utilization (Units: Percent).


Note: You can change the default threshold values for this rule on the Cloud Conformity console and set your own values for CPU utilization to configure the overuse level for your RDS instances.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability
Performance efficiency

Overutilized AWS RDS instances could indicate that the databases running on these servers do not have enough hardware resources to perform optimally. Upgrading (upsizing) overutilized RDS instances to meet the load needs will directly improve the health and success of your databases (and their applications).


Audit

To identify any overutilized RDS instances that could benefit from a more efficient hardware configuration, perform the following:

Using AWS Console

01 Log in to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under RDS Dashboard section, choose Databases.

04 Select the RDS database instance that you want to examine.

05 Click on Monitoring tab from the Dashboard top menu.

06 On the monitoring panel displayed for the selected instance, click on the CPU Utilization (Percent) usage graph thumbnail to open the RDS instance CPU usage Metrics details box. Inside the CPU Utilization (Percent) dialog box, set the following parameters:

  1. From the Statistic dropdown list, select Average.
  2. From the Time Range list, select Last 1 Week.
  3. From the Period dropdown list, select 1 Day.

Once the monitoring data is loaded, verify the instance CPU usage for the last 7 days. If the average usage (percent) has been above 90%, the selected RDS database instance is considered "overutilized" and should be upgraded to a better hardware configuration in order to meet the workload needs. Click X (close) to return to the RDS dashboard.

07 Repeat steps no. 4 – 6 to verify the CPU usage data recorded within the selected time frame (7 days) for the rest of the RDS database instances provisioned within the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-db-instances command (OSX/Linux/UNIX) using custom query filters to list the IDs of all the RDS database instances available in the selected region:

aws rds describe-db-instances \
	--region us-east-1 \
	--output table \
	--query 'DBInstances[*].DBInstanceIdentifier'

02 The command output should return a table with the requested IDs:

-------------------------
|  DescribeDBInstances  |
+-----------------------+
|  cc-mysql-prod-db     |
|  cc-postgres-db-1.4   |
|  cc-aurora-prod-db    |
+-----------------------+

03 Run get-metric-statistics command (OSX/Linux/UNIX) to get the statistics recorded by AWS CloudWatch for the CPUUtilization metric representing the CPU usage of the selected RDS instance. The following command example returns the average CPU utilization for an RDS database instance identified by the ID "cc-mysql-prod-db", with usage data captured during a 7-day time frame and a 1-day period as the granularity of the returned datapoints:

aws cloudwatch get-metric-statistics \
	--region us-east-1 \
	--metric-name CPUUtilization \
	--start-time 2017-04-21T18:55:02 \
	--end-time 2017-04-28T18:55:02 \
	--period 86400 \
	--namespace AWS/RDS \
	--statistics Average \
	--dimensions Name=DBInstanceIdentifier,Value=cc-mysql-prod-db

04 The command output should return the CPU usage details requested:

{
    "Datapoints": [
        {
            "Timestamp": "2017-04-21T18:55:02Z",
            "Average": 104.2085,
            "Unit": "Percent"
        },
        {
            "Timestamp": "2017-04-22T18:55:02Z",
            "Average": 107.0334,
            "Unit": "Percent"
        },
        {
            "Timestamp": "2017-04-23T18:55:02Z",
            "Average": 101.1425,
            "Unit": "Percent"
        },

        ...

        {
            "Timestamp": "2017-04-27T18:55:02Z",
            "Average": 106.92833333333333333,
            "Unit": "Percent"
        },
        {
            "Timestamp": "2017-04-28T18:55:02Z",
            "Average": 109.5278,
            "Unit": "Percent"
        }
    ],
    "Label": "CPUUtilization"
}

If the average CPU usage data returned is more than 90%, the selected AWS RDS database instance is considered "overutilized" and should be upgraded in order to efficiently handle the workload.

05 Repeat steps no. 3 and 4 to verify the CPU usage data recorded within the selected time frame for the rest of the RDS instances provisioned in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire audit process for other regions.
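The check in steps 03 - 05 can be automated over the JSON that get-metric-statistics returns. The following Python sketch is an added example, not Conformity's own code; it assumes the rule means that every one of the last 7 daily datapoints is above the threshold. The function names are hypothetical, the CPU values are constructed, and the instance IDs are reused from the sample output above.

```python
import json

def evaluate(response, threshold=90.0, days=7):
    """Classify one CPUUtilization get-metric-statistics response.

    Returns 'overutilized', 'ok' or 'insufficient-data'.
    """
    points = [p for p in response.get("Datapoints", [])
              if p.get("Unit") == "Percent" and "Average" in p]
    # CloudWatch does not guarantee chronological order; ISO 8601 UTC
    # timestamps of identical format sort correctly as strings.
    points.sort(key=lambda p: p["Timestamp"])
    recent = points[-days:]
    if len(recent) < days:
        # Stopped or newly created instance: days without data are
        # not evidence of high load, so do not flag the instance.
        return "insufficient-data"
    if all(p["Average"] > threshold for p in recent):
        return "overutilized"
    return "ok"

def audit(raw_by_instance, threshold=90.0, days=7):
    """Map instance ID -> verdict from raw JSON CLI output strings."""
    return {iid: evaluate(json.loads(raw), threshold, days)
            for iid, raw in raw_by_instance.items()}

def _constructed(averages):
    # Constructed sample data shaped like the CLI output in step 04.
    pts = [{"Timestamp": f"2017-04-{21 + i:02d}T18:55:02Z",
            "Average": avg, "Unit": "Percent"}
           for i, avg in enumerate(averages)]
    pts.reverse()  # deliberately out of order, as CloudWatch may return
    return json.dumps({"Datapoints": pts, "Label": "CPUUtilization"})

SAMPLES = {
    "cc-mysql-prod-db": _constructed([94.2, 97.0, 91.1, 95.6, 93.3, 96.9, 99.5]),
    "cc-postgres-db-1.4": _constructed([94.2, 97.0, 88.4, 95.6, 93.3, 96.9, 99.5]),
    "cc-aurora-prod-db": _constructed([98.0, 97.5, 99.1]),
}

if __name__ == "__main__":
    for iid, verdict in audit(SAMPLES).items():
        print(f"{iid}: {verdict}")
```

An "insufficient-data" verdict needs manual review rather than an upsize: it covers instances that were stopped or created during the window.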

Remediation / Resolution

Upgrade (resize) the overused RDS database instances provisioned within your AWS account. To resize an overutilized AWS RDS instance, perform the following actions:

(!) Important note: the following process assumes that the RDS database instances selected for upgrade are NOT currently used for critical operations. To resize production instances without any downtime, you should create a full snapshot of your current instance and use it to launch a new database instance with the required instance type.

Using AWS Console

01 Log in to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under RDS Dashboard section, choose Databases.

04 Select the overused RDS database instance that you want to resize (see Audit section part I to identify the right resource).

05 Click the Instance Actions button from the dashboard top menu and select Modify.

06 On the Modify DB Instance: <instance identifier> page, under Instance Specifications section, select the database instance type to upgrade to (e.g. db.m4.xlarge) from the DB Instance Class dropdown list (see RDS Instance Types page available at this URL to help you choose the right database instance type).

07 At the bottom of the page, check Apply Immediately to apply the instance type (class) change immediately.

08 Click Continue to access the database instance review page.

09 Review the type/class changes, then click Modify DB Instance. During the resize process the instance status should change from available to modifying and back to available (it may take a few minutes depending on the database instance configuration). Once the resize process is complete, the RDS instance type should be updated on the details panel.

10 Repeat steps no. 4 - 9 to upgrade (upsize) other overutilized RDS database instances provisioned within the current region.

11 Change the AWS region from the navigation bar and repeat the remediation/resolution process for other regions.

Using AWS CLI

01 Run modify-db-instance command (OSX/Linux/UNIX) to resize the selected RDS database instance to the desired type/class. The following command example makes use of the --apply-immediately parameter to apply the type change asynchronously and trigger an immediate outage. To avoid any downtime, you can skip adding the --apply-immediately parameter to the command request and the AWS RDS service will apply the change during the next maintenance window:

aws rds modify-db-instance \
	--region us-east-1 \
	--db-instance-identifier cc-mysql-prod-db \
	--db-instance-class db.m4.xlarge \
	--apply-immediately

02 The command output should return the new configuration metadata for the specified RDS database:

{
    "DBInstance": {
        "PubliclyAccessible": true,
        "MasterUsername": "mysqldb_usr",
        "MonitoringInterval": 0,
        "LicenseModel": "general-public-license",
        "DbiResourceId": "db-D6UMHA3BZF4IPX72DN7ZDEYMY0",

        ...

        "CACertificateIdentifier": "rds-ca-2015",
        "StorageEncrypted": false,
        "DBInstanceClass": "db.m4.xlarge",
        "DbInstancePort": 3306,
        "DBInstanceIdentifier": "cc-mysql-prod-db"
    }
}

03 Repeat steps no. 1 and 2 to upgrade other overused RDS instances available in the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

Publication date May 2, 2017
