Compliance

Make DynamoDB tables scale capacity with demand

Security Hub DynamoDB.1 — a fixed-provisioned table either throttles your app or burns money on idle capacity; on-demand or auto scaling fixes both.

11 min·10 sections·AWS

Last reviewed 27 May 2026

Remediates AWS Security Hub: DynamoDB.1

DynamoDB.1: the basics

Why a fixed-capacity table is a liability in both directions

DynamoDB bills throughput two ways. In provisioned mode you pre-buy read capacity units (RCUs) and write capacity units (WCUs) by the hour — you pay for what you reserve whether traffic arrives or not, and requests above your ceiling get throttled with a ProvisionedThroughputExceededException. In on-demand mode (also called pay-per-request) you pay per actual request and the table absorbs spikes automatically. The DynamoDB.1 control checks that a table can scale with demand at all.

The control fails when a table is in provisioned mode with no auto scaling configured — a static RCU/WCU setting that someone picked once and never revisited. It passes if the table is in on-demand mode, or in provisioned mode with Application Auto Scaling attached to its read and write capacity. By default the control only checks that one of those is true; optionally you can set parameters like minProvisionedReadCapacity and targetReadUtilization to require specific floors and utilization targets.

It's flagged because a fixed ceiling is wrong almost all the time. Set it too low and a traffic spike throttles real users; set it too high to be safe and you pay for headroom that sits idle 95% of the day. Security Hub files this under resilience and high availability — the failure mode it cares about is the throttling that takes your app down — but the cost angle is just as real, which is why it lands on the FinOps radar.

In this lesson you'll learn the difference between DynamoDB's provisioned and on-demand capacity modes, why a static provisioned table is both a throttling risk and a cost trap, and how DynamoDB.1 decides pass or fail. You'll see how to switch a table to on-demand, how to attach Application Auto Scaling to a provisioned table's read and write capacity, and how to choose between the two based on traffic shape. You'll also see the CLI to audit your tables, the gotchas (global secondary indexes scale separately, switch frequency limits), and how to keep new tables compliant by default.

Fun fact

The table provisioned for a launch that never came back

An e-commerce team provisioned a DynamoDB table at 4,000 WCUs and 8,000 RCUs ahead of a Black Friday launch — sized for the single busiest hour of the year. The launch went fine. Eleven months later a FinOps audit found the table still pinned at those numbers, running at under 3% average utilization, quietly billing around $1,900 a month in reserved throughput it never used. Switching it to provisioned-with-auto-scaling (the workload was steady enough that on-demand would have cost slightly more) dropped it to roughly $140 a month and, as a bonus, cleared a Security Hub DynamoDB.1 finding nobody had connected to the cost.

Fixing a DynamoDB.1 finding in action

Dana, an SRE, sees Security Hub flag DynamoDB.1 on a table called sessions-prod. It's in provisioned mode at 2,000 RCUs / 2,000 WCUs with no auto scaling. CloudWatch shows consumed capacity hovering around 120 WCUs most of the day, spiking to maybe 900 at the evening peak — so the table is paying for roughly 10x its typical load and 2x even its peak.

She checks the traffic shape first. It's spiky and front-loaded toward evening, with long quiet stretches overnight — a textbook on-demand candidate. She confirms there are no global secondary indexes that would need separate handling, then switches the table's billing mode to pay-per-request. No capacity numbers to manage, the table absorbs the evening peak on its own, and the DynamoDB.1 finding clears on the next Security Hub evaluation.

For a second table, events-archive, the picture is different: a steady, high write rate around the clock from an ingestion pipeline. There on-demand would cost more, so Dana keeps it provisioned but attaches Application Auto Scaling to both read and write capacity with a 70% utilization target and sensible min/max bounds. Both tables now pass DynamoDB.1, and both bills now track demand instead of a static guess.

First, list every table's billing mode and provisioned throughput so you can spot the static-provisioned ones DynamoDB.1 will fail.

$ aws dynamodb describe-table --table-name sessions-prod --query 'Table.{Name:TableName,Billing:BillingModeSummary.BillingMode,RCU:ProvisionedThroughput.ReadCapacityUnits,WCU:ProvisionedThroughput.WriteCapacityUnits}' --output table

-------------------------------------------------------

| DescribeTable |

+--------------+----------------+--------+------------+

| Billing | Name | RCU | WCU |

+--------------+----------------+--------+------------+

| PROVISIONED | sessions-prod | 2000 | 2000 |

+--------------+----------------+--------+------------+

# PROVISIONED with no auto scaling target attached = DynamoDB.1 fail.

# Cross-check consumed capacity in CloudWatch before deciding the mode.

A static PROVISIONED table with no scaling policy is exactly what DynamoDB.1 flags.

For a spiky, unpredictable table, the simplest compliant fix is to switch it to on-demand (pay-per-request) capacity mode.

$ aws dynamodb update-table --table-name sessions-prod --billing-mode PAY_PER_REQUEST

{

"TableDescription": {

"TableName": "sessions-prod",

"TableStatus": "UPDATING",

"BillingModeSummary": {

"BillingMode": "PAY_PER_REQUEST"

}

# On-demand: no RCU/WCU to manage, absorbs peaks automatically, DynamoDB.1 passes.

PAY_PER_REQUEST removes the static ceiling entirely — best for spiky or unpredictable traffic.

DynamoDB capacity modes under the hooddeep dive

In provisioned mode you set ReadCapacityUnits and WriteCapacityUnits per table (and per global secondary index — GSIs have their own throughput, which is a common blind spot). One RCU is one strongly-consistent read up to 4 KB per second; one WCU is one write up to 1 KB per second. DynamoDB gives you a small burst credit bucket for brief overages, but sustained traffic above your provisioned ceiling throttles with ProvisionedThroughputExceededException. You pay for the provisioned units by the hour regardless of consumption.

DynamoDB.1 passes if the table is in PAY_PER_REQUEST mode, or in PROVISIONED mode with an Application Auto Scaling scalable target registered against dynamodb:table:ReadCapacityUnits and dynamodb:table:WriteCapacityUnits and a target-tracking policy attached. Auto scaling uses CloudWatch alarms on consumed-vs-provisioned utilization to call UpdateTable and adjust capacity toward your target (commonly 70%), within the min and max bounds you set. The control's optional parameters (minProvisionedReadCapacity, targetReadUtilization, and the write equivalents) let you assert specific floors and targets rather than just "some scaling exists."

Two operational limits matter. Switching between provisioned and on-demand is restricted — once you move a table to on-demand you must wait 24 hours before switching it back. And GSIs scale independently: a table can pass DynamoDB.1 on its base capacity while a GSI still throttles, so auto scaling policies (or on-demand mode, which covers indexes automatically) need to cover the indexes too.

# Keep a busy, steady table on PROVISIONED but make it scale: register the
# scalable target, then attach a target-tracking policy at 70% utilization.
aws application-autoscaling register-scalable-target \
  --service-namespace dynamodb \
  --resource-id "table/events-archive" \
  --scalable-dimension "dynamodb:table:WriteCapacityUnits" \
  --min-capacity 50 \
  --max-capacity 4000

aws application-autoscaling put-scaling-policy \
  --service-namespace dynamodb \
  --resource-id "table/events-archive" \
  --scalable-dimension "dynamodb:table:WriteCapacityUnits" \
  --policy-name "events-archive-write-target" \
  --policy-type TargetTrackingScaling \
  --target-tracking-scaling-policy-configuration \
    '{"TargetValue":70.0,"PredefinedMetricSpecification":{"PredefinedMetricType":"DynamoDBWriteCapacityUtilization"}}'

# Repeat both calls with ReadCapacityUnits / DynamoDBReadCapacityUtilization,
# and again for any global secondary index resource-id (.../index/<name>).

What is the impact of a non-scaling DynamoDB table?

The direct cost is reserved throughput you don't use. A table provisioned at 2,000 RCUs and 2,000 WCUs costs roughly $1,000+ a month in capacity alone, billed flat around the clock. If real utilization sits at 5%, you're paying twenty times over for the privilege of a ceiling nobody revisits. Across a fleet of tables each sized for its own worst case, the overprovisioning compounds into thousands of dollars a month of pure headroom.

The second-order cost is the throttling the control actually exists to prevent. When a static ceiling is set too low — or traffic grows past it over time — DynamoDB rejects requests with ProvisionedThroughputExceededException. That surfaces as failed writes, retry storms, elevated latency, and in the worst case a user-visible outage. The irony is that teams overprovision precisely to avoid this, which is how you end up paying peak rates around the clock and still getting throttled when an unanticipated spike exceeds the guess.

There's a real nuance on the cost side: on-demand is not universally cheaper. On-demand pricing per request is set so that a table running flat-out near 100% utilization all day costs more than the same throughput bought as provisioned-with-auto-scaling. The win from on-demand comes from spiky, bursty, or unpredictable workloads where you'd otherwise have to provision for a peak you rarely hit. Choosing the wrong mode for the traffic shape can raise the bill while still passing the control — so the compliance pass and the cost optimization are related but not identical.

Finally, this is a resilience and availability finding in Security Hub's taxonomy (it maps to NIST recovery and high-availability controls), so a failing DynamoDB.1 weighs on your security and compliance posture scores, not just your cost reports. Clearing it improves two scorecards at once — the cost dashboard and the compliance dashboard — which is part of why it's worth prioritizing.

How do you make DynamoDB tables scale with demand?

The fix is a short decision-then-configure loop: inventory the static-provisioned tables, read each one's traffic shape, pick on-demand or provisioned-with-auto-scaling accordingly, and make the compliant choice the default for new tables.

1. Inventory tables and read their real utilization

List every table's billing mode with describe-table, then pull ConsumedReadCapacityUnits and ConsumedWriteCapacityUnits from CloudWatch over a representative window (at least two weeks to capture weekly cycles). For each provisioned table compare consumed-vs-provisioned and note the traffic shape: steady, spiky, or bursty. Don't forget global secondary indexes — they carry their own throughput and their own utilization.

2. Match the mode to the traffic shape

Spiky, unpredictable, or low-average-utilization tables go to on-demand (PAY_PER_REQUEST) — it removes the ceiling, absorbs peaks, and covers indexes automatically. Steady, high-volume tables running near capacity all day stay provisioned but get Application Auto Scaling, which is usually cheaper than on-demand at sustained high utilization. The wrong choice can still pass DynamoDB.1 while raising the bill, so let the data decide rather than defaulting everything to on-demand.

3. For provisioned tables, attach target-tracking auto scaling

Register a scalable target against both dynamodb:table:ReadCapacityUnits and dynamodb:table:WriteCapacityUnits (and each GSI), set sensible min and max bounds, and attach a target-tracking policy — 70% utilization is a common starting point. Auto scaling then drives UpdateTable up and down within your bounds as traffic moves. This is what flips a provisioned table from a DynamoDB.1 failure to a pass without giving up provisioned pricing.

4. Make the compliant choice the default for new tables

Set the organization default to on-demand for new tables unless a workload is demonstrably steady and high-volume. Enforce it in infrastructure-as-code modules and with an AWS Config rule (dynamodb-autoscaling-enabled, the same rule behind the control) so a static-provisioned table is caught at creation rather than at the next audit. Remember the 24-hour cooldown when switching a table back from on-demand, so plan mode changes deliberately rather than toggling them.

# Decide the mode from real data, then apply it.
TABLE=sessions-prod

# 1. Pull average consumed write capacity over the last 14 days.
aws cloudwatch get-metric-statistics \
  --namespace AWS/DynamoDB \
  --metric-name ConsumedWriteCapacityUnits \
  --dimensions Name=TableName,Value=$TABLE \
  --start-time "$(date -u -d '14 days ago' +%FT%TZ)" \
  --end-time "$(date -u +%FT%TZ)" \
  --period 3600 --statistics Average Maximum

# 2a. Spiky / low-utilization table -> on-demand.
aws dynamodb update-table --table-name $TABLE --billing-mode PAY_PER_REQUEST

# 2b. OR steady high-volume table -> keep provisioned, add auto scaling
#     (see the register-scalable-target / put-scaling-policy calls earlier).

Quick quiz

Question 1 of 5

A DynamoDB.1 finding flags a table provisioned at 2,000 RCUs / 2,000 WCUs. CloudWatch shows it running at under 5% utilization most of the day with sharp, unpredictable evening spikes. What's the best fix?

Keep learning

Dig deeper into DynamoDB capacity modes, auto scaling, and the control behind this finding.

You've completed Make DynamoDB tables scale capacity with demand. You now know why a static-provisioned table is both a throttling risk and a cost trap, how DynamoDB.1 decides pass or fail, and the decision loop — read the traffic shape, then pick on-demand or provisioned-with-auto-scaling — that clears the finding while actually optimizing spend. Next time DynamoDB.1 fires, you'll know it's not a blanket "switch to on-demand" but a per-table judgement the data answers for you.

Back to the library

DynamoDB.1: what it means for the bill

Paying for reserved database throughput that traffic never uses

DynamoDB is AWS's managed key-value database. You can pay for it in two ways. The older way is to reserve a fixed amount of throughput by the hour — you pick a number, you pay for that number around the clock whether the application is busy or idle. The newer way, on-demand, charges per actual request, so the bill tracks real usage and the database absorbs busy periods on its own.

This finding flags tables stuck on the fixed-reservation model with no automatic adjustment. In practice teams set the reserved number high enough to survive their busiest minute, then leave it there forever. The result is a table provisioned for peak load that runs at a fraction of that most of the day — you're paying the peak rate twenty-four hours a day for traffic that only peaks for an hour.

The fix moves the table either to on-demand pricing or to provisioned-with-auto-scaling, where the reserved number rises and falls with traffic. Either way the bill starts tracking usage instead of a worst-case guess. There's a nuance worth knowing for the budget conversation: on-demand is dramatically cheaper for spiky or unpredictable workloads, but for a steady high-volume table that runs flat-out all day, provisioned-with-auto-scaling can actually be cheaper. The right answer depends on the traffic shape, which is exactly the question to put to engineering.

This lesson is for the finance partner who sees a flat DynamoDB line on the bill and wants to know whether it reflects real usage or a worst-case reservation nobody revisits. It explains the two pricing models in plain terms, when each one is actually cheaper, why "just move everything to on-demand" is sometimes the wrong call for a high-traffic table, and the one or two questions to put to engineering at the cost review. No commands — just enough to know what number to ask for and how to read the answer.

Fun fact

The table provisioned for a launch that never came back

How a finance partner frames the choice

Priya is the finance partner for the platform team. At the monthly review she sees DynamoDB spend is flat at about $4,200 a month, and Security Hub is flagging several tables under DynamoDB.1. She asks the question that matters: "For each of these tables, is the reserved capacity tracking actual traffic, or are we paying for a peak we rarely hit?"

The engineering lead pulls up utilization. Two tables are running under 5% of their reserved throughput — clear overprovisioning. One table is genuinely busy around the clock. Priya doesn't prescribe the fix; she asks for the traffic shape on each, because she's learned that on-demand isn't automatically cheaper. For the two idle-most-of-the-day tables, on-demand or auto scaling will cut cost sharply. For the busy one, auto scaling on provisioned is likely the cheaper compliant option. The lead commits to moving each table to whichever mode fits its shape.

Two months later DynamoDB spend is down to about $2,600, all DynamoDB.1 findings have cleared, and Priya adds a standing line to the cost pack: "managed-service capacity matched to demand." She knows that if a new flat, overprovisioned table shows up, it's a sign a team spun up a database on defaults and never tuned it — and that's the conversation, not the dollar amount alone.

Why this matters to the budget, not just the bill

The direct impact is overprovisioned throughput billing flat around the clock. For a single heavily-overprovisioned table that can be $1,000-2,000 a month of capacity running at single-digit utilization; across a fleet it's a recurring, quietly-growing slice of database spend that never correlates with business activity. It rarely moves a quarterly number on its own, but it's persistent and it accumulates.

The important budgeting nuance is that the cheapest fix is workload-dependent. For spiky or low-utilization tables, moving to on-demand cuts cost sharply. For steady, high-volume tables running near capacity all day, on-demand can actually cost more than provisioned-with-auto-scaling. So "move everything to on-demand to clear the findings" is the kind of well-intentioned blanket instruction that can raise the bill. The right ask is for engineering to match each table's mode to its traffic shape — and that's a question finance can pose without needing the technical detail.

The third impact is that this category is a tuning signal. A flat, overprovisioned managed-service table usually means it was created on a sizing guess and never revisited. Where you see one, you tend to find the same pattern across other managed services — RDS instances oversized, Kinesis shards overprovisioned. Watching the DynamoDB.1 count is a cheap proxy for whether teams are actively tuning managed services or running them on autopilot.

Finally, because this is a Security Hub finding it touches the compliance posture as well as the bill. That means it competes for engineering attention from two directions at once, which is useful: it's far easier to get a fix prioritized when it clears a compliance finding and reduces spend in the same change.

What finance can actually do about this

Finance can't reconfigure tables, but it can make the right mode the path of least resistance. Three levers at the monthly cadence.

1. Ask the traffic-shape question, not the dollar question

For each flagged table, the useful question isn't "how much is it costing?" but "is the reserved capacity tracking real traffic, and what's the traffic shape?" That single question routes each table to the cheaper compliant mode and stops the well-meaning "just move it all to on-demand" reflex that can raise the bill on steady high-volume tables.

2. Put the DynamoDB.1 count on the standing cost-and-compliance line

Track the number of failing tables alongside DynamoDB spend on the recurring pack. Because this is both a cost item and a Security Hub finding, it earns attention from two directions — pair them on one line so a fix that clears the finding and cuts spend gets the priority it deserves.

3. Make on-demand the budgeted default for new tables

Agree with engineering that new tables default to on-demand unless a steady high-volume workload justifies provisioned-with-auto-scaling. This converts a recurring cleanup chore into a one-time policy and keeps the failing-table count from drifting back up after each cleanup pass.

4. Treat a rising count as a tuning signal

A stable, small number of provisioned tables with auto scaling is fine. A growing count of static-provisioned tables means teams are standing up managed services on defaults without tuning them — and that same habit is inflating spend on services that don't show up as a tidy compliance finding. Watch the trend, not just the absolute dollars.

Quick quiz

Question 1 of 5

Engineering proposes moving every DynamoDB.1-flagged table to on-demand in one sweep to clear the findings fast. One of those tables is a steady ingestion table running near full capacity around the clock. As the finance partner, what's the right response?

Keep learning

Dig deeper into DynamoDB capacity modes, auto scaling, and the control behind this finding.

You've finished the finance partner's view of DynamoDB.1. You know the two pricing models, why on-demand isn't automatically cheaper, and the three finance levers — ask the traffic-shape question, pair the finding count with spend on a standing line, and make on-demand the budgeted default for new tables. Next time this shows up at the review, you'll have a sharper question than "can we just turn on the cheaper mode?"

Back to the library

DynamoDB.1: the headline

A database paying peak rates around the clock for occasional peaks

DynamoDB, one of our core managed databases, can be billed either on a fixed reservation or on actual usage. This finding flags tables on the fixed model with no automatic adjustment — meaning we reserve enough capacity to survive the busiest moment and then pay for that ceiling every hour of every day, regardless of real demand.

It's both a cost and a reliability issue. Underset the reservation and the app throttles real users during a spike; overset it and we burn money on idle headroom. Moving to on-demand or auto scaling makes spend track usage and removes the throttling risk. It's a low-risk configuration change, and it's a good proxy for whether our teams are running managed services on autopilot or actually tuning them.

A short read for the executive who wants the headline and one question to ask. You'll get the two-pricing-models framing, why fixed-capacity databases are both a cost and a reliability risk, and what "good" looks like — managed services tuned to demand rather than left on a static guess. No commands, no implementation detail.

Fun fact

The table provisioned for a launch that never came back

What it looks like when leadership gets this right

At one company, the cloud-cost pack carried a recurring note: "several core databases provisioned for peak, running mostly idle, also flagged by Security Hub." The exec sponsor stopped treating it as a line item and started asking the shape question: "Why are we reserving worst-case capacity on a managed service that can scale itself? Who decided that number and when did they last look at it?"

Within a quarter the answer changed. Databases were moved to on-demand or auto scaling based on their actual traffic, the Security Hub findings cleared, and the spend dropped meaningfully with no reliability cost — in fact throttling incidents went down too. The exec hadn't asked the team to chase dollars; she'd asked why a self-scaling service was being run on a static guess.

That's the right outcome state. The goal isn't "on-demand everywhere" — it's "every managed service tuned to its demand, and nobody paying for a peak that almost never arrives."

Why this is on the report at all

The dollar amount per table is modest, but the pattern matters. A flagged DynamoDB.1 finding means a managed database that can scale itself is instead pinned to a fixed reservation — usually a worst-case guess made once and never revisited. That's simultaneously money spent on idle headroom and a reliability risk if traffic ever outgrows the guess. It's a clean example of a managed service being run on autopilot.

Because it's a Security Hub finding mapped to availability and recovery requirements, it sits at the intersection of cost and compliance posture. Clearing it improves both scorecards in one change, with no reliability trade-off — in practice availability improves, because the table can now absorb spikes it would previously have throttled. The leadership read is simple: a small, stable count of these is normal; a growing count means teams are standing up managed services without tuning them, and that pattern costs far more elsewhere.

The leadership move on this category

The handle for an executive isn't to drive the cost number — it's to set the norm that managed services are tuned to demand, not left on a static guess.

1. Expect managed services to scale with demand by default

Make it the stated expectation that self-scaling services are configured to scale, not pinned to a worst-case reservation. A fixed-capacity database is the visible symptom; the norm you're setting is that teams tune the services they own rather than accept defaults.

2. Treat it as cost and compliance together

This is a Security Hub finding and a spend item at once. Frame the ask so the team sees one change clearing a compliance finding and reducing cost with no reliability trade-off — that combination makes prioritization easy and avoids it sitting untouched between two backlogs.

3. Ask for the trend at the leadership review

"Is the count of fixed-capacity managed services flat or growing?" is a one-minute item that tells you whether teams are tuning their services without needing any technical depth. Flat for a few quarters means the discipline is healthy; growing means autopilot, and that pattern costs more in places the dashboard won't flag as cleanly.

Quick quiz

Question 1 of 5

The cloud pack shows DynamoDB.1 findings have been cleared and the number of fixed-capacity tables has stayed low and flat for three quarters, with spend tracking usage. What's the right read?

Keep learning

Dig deeper into DynamoDB capacity modes, auto scaling, and the control behind this finding.

That's the lesson. Two takeaways: a fixed-capacity managed database is both wasted spend and a reliability risk, and the fix improves cost and compliance posture in the same change. The leadership question is whether managed services are tuned to demand — not the dollar amount on any single table.

Back to the library

Make DynamoDB tables scale capacity with demand

DynamoDB.1: the basics

The table provisioned for a launch that never came back

Fixing a DynamoDB.1 finding in action

DynamoDB capacity modes under the hooddeep dive

What is the impact of a non-scaling DynamoDB table?

How do you make DynamoDB tables scale with demand?

1. Inventory tables and read their real utilization

2. Match the mode to the traffic shape

3. For provisioned tables, attach target-tracking auto scaling

4. Make the compliant choice the default for new tables

Quick quiz

Keep learning

DynamoDB.1: what it means for the bill

The table provisioned for a launch that never came back

How a finance partner frames the choice

Why this matters to the budget, not just the bill

What finance can actually do about this

1. Ask the traffic-shape question, not the dollar question

2. Put the DynamoDB.1 count on the standing cost-and-compliance line

3. Make on-demand the budgeted default for new tables

4. Treat a rising count as a tuning signal

Quick quiz

Keep learning

DynamoDB.1: the headline

The table provisioned for a launch that never came back

What it looks like when leadership gets this right

Why this is on the report at all

The leadership move on this category

1. Expect managed services to scale with demand by default

2. Treat it as cost and compliance together

3. Ask for the trend at the leadership review

Quick quiz

Keep learning

Related compliance lessons