

# DynamoDB
<a name="automation-ref-ddb"></a>

 AWS Systems Manager Automation provides predefined runbooks for Amazon DynamoDB. For more information about runbooks, see [Working with runbooks](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents.html). For information about how to view runbook content, see [View runbook content](automation-runbook-reference.md#view-automation-json). 

**Topics**
+ [`AWS-ChangeDDBRWCapacityMode`](change-read-write-capacity.md)
+ [`AWS-CreateDynamoDBBackup`](automation-aws-createdynamodbbackup.md)
+ [`AWS-DeleteDynamoDbBackup`](automation-aws-deletedynamodbbackup.md)
+ [`AWSConfigRemediation-DeleteDynamoDbTable`](automation-aws-deletedynamodbtable.md)
+ [`AWS-DeleteDynamoDbTableBackups`](automation-aws-deletedynamodbtablebackups.md)
+ [`AWSConfigRemediation-EnableEncryptionOnDynamoDbTable`](automation-aws-enable-ddb-encrypt.md)
+ [`AWSConfigRemediation-EnablePITRForDynamoDbTable`](automation-aws-enable-pitr-ddb.md)
+ [`AWS-EnableDynamoDbAutoscaling`](AWS-EnableDynamoDbAutoscaling.md)
+ [`AWS-RestoreDynamoDBTable`](aws-restore-dynamodb-table.md)

# `AWS-ChangeDDBRWCapacityMode`
<a name="change-read-write-capacity"></a>

**Description**

The `AWS-ChangeDDBRWCapacityMode` runbook changes the read/write capacity mode for one or more Amazon DynamoDB (DynamoDB) tables to either on-demand mode or provisioned mode.

[Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-ChangeDDBRWCapacityMode)

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ CapacityMode

  Type: String

  Valid values: PROVISIONED | PAY_PER_REQUEST

  Description: (Required) The desired read/write capacity mode. When switching from on-demand (pay-per-request) to provisioned capacity, initial provisioned capacity values must be set. The initial provisioned capacity values are estimated based on the consumed read and write capacity of your table and global secondary indexes over the past 30 minutes.
+ ReadCapacityUnits

  Type: Integer

  Default: 0

  Description: (Optional) The maximum number of strongly consistent reads consumed per second before DynamoDB returns a throttling exception.
+ TableNames

  Type: String

  Description: (Required) Comma-separated list of DynamoDB table names to change the read/write capacity mode for.
+ WriteCapacityUnits

  Type: Integer

  Default: 0

  Description: (Optional) The maximum number of writes consumed per second before DynamoDB returns a throttling exception.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `dynamodb:DescribeTable`
+ `dynamodb:UpdateTable`

**Document Steps**
+ `aws:executeScript` - Changes the read/write capacity mode for the DynamoDB tables specified in the `TableNames` parameter.

**Outputs**

ChangeDDBRWCapacityMode.SuccessesTables - List of DynamoDB table names where the capacity mode was successfully changed

ChangeDDBRWCapacityMode.FailedTables - Maplist of DynamoDB table names where changing the capacity mode failed and the reason for the failure.

# `AWS-CreateDynamoDBBackup`
<a name="automation-aws-createdynamodbbackup"></a>

 **Description** 

Create a backup of an Amazon DynamoDB table.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-CreateDynamoDBBackup) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ BackupName

  Type: String

  Description: (Required) Name of the backup to create.
+ LambdaAssumeRole

  Type: String

  Description: (Optional) The ARN of the role that allows Lambda created by Automation to perform the actions on your behalf. If not specified, a transient role will be created to run the Lambda function.
+ TableName

  Type: String

  Description: (Required) Name of the DynamoDB table.

# `AWS-DeleteDynamoDbBackup`
<a name="automation-aws-deletedynamodbbackup"></a>

 **Description** 

Delete the backup of an Amazon DynamoDB table.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-DeleteDynamoDbBackup) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ BackupArn

  Type: String

  Description: (Required) ARN of the DynamoDB table backup to delete.

# `AWSConfigRemediation-DeleteDynamoDbTable`
<a name="automation-aws-deletedynamodbtable"></a>

 **Description** 

 The `AWSConfigRemediation-DeleteDynamoDbTable` runbook deletes the Amazon DynamoDB (DynamoDB) table you specify. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-DeleteDynamoDbTable) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ TableName

  Type: String

  Description: (Required) The name of the DynamoDB table you want to delete.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `dynamodb:DeleteTable` 
+  `dynamodb:DescribeTable` 

 **Document Steps** 
+  `aws:executeScript` - Deletes the DynamoDB table specified in the `TableName` parameter. 
+  `aws:executeScript` - Verifies the DynamoDB table has been deleted. 

# `AWS-DeleteDynamoDbTableBackups`
<a name="automation-aws-deletedynamodbtablebackups"></a>

 **Description** 

Delete DynamoDB table backups based on retention days or count.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-DeleteDynamoDbTableBackups) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ LambdaAssumeRole

  Type: String

  Description: (Optional) The ARN of the role that allows Lambda created by Automation to perform the actions on your behalf. If not specified, a transient role will be created to run the Lambda function.
+ RetentionCount

  Type: String

  Default: 10

  Description: (Optional) The number of backups to retain for the table. If more than the specified number of backups exist, the oldest backups beyond that number are deleted. Either RetentionCount or RetentionDays can be used, not both.
+ RetentionDays

  Type: String

  Description: (Optional) The number of days to retain backups for the table. Backups older than the specified number of days are deleted. Either RetentionCount or RetentionDays can be used, not both.
+ TableName

  Type: String

  Description: (Required) Name of the DynamoDB table.
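
A dry run of the retention rule described for `RetentionCount` and `RetentionDays`, useful for reviewing what a deletion would remove before starting the runbook. This is an added example, not the runbook's own code: the function names and sample backups are constructed, and it assumes the caller passes exactly one of the two parameters explicitly.

```python
from datetime import datetime, timedelta, timezone


def _non_negative_int(name, value):
    # The runbook declares both retention parameters as Type: String.
    try:
        number = int(str(value).strip())
    except ValueError:
        raise ValueError(f"{name} must be an integer string, got {value!r}")
    if number < 0:
        raise ValueError(f"{name} must not be negative")
    return number


def backups_to_delete(backups, now, retention_count=None, retention_days=None):
    """Dry run: return the BackupArn values the documented retention rule removes.

    backups: dicts with 'BackupArn' and 'BackupCreationDateTime' (aware datetime),
    the key names used in DynamoDB ListBackups summaries.
    """
    # Assumption of this example: exactly one rule is chosen by the caller.
    if (retention_count is None) == (retention_days is None):
        raise ValueError("set exactly one of RetentionCount or RetentionDays")
    newest_first = sorted(backups, key=lambda b: b["BackupCreationDateTime"], reverse=True)
    if retention_count is not None:
        # Keep the N newest backups; everything older is removed.
        keep = _non_negative_int("RetentionCount", retention_count)
        doomed = newest_first[keep:]
    else:
        # Remove backups created before the cutoff.
        days = _non_negative_int("RetentionDays", retention_days)
        cutoff = now - timedelta(days=days)
        doomed = [b for b in newest_first if b["BackupCreationDateTime"] < cutoff]
    return [b["BackupArn"] for b in doomed]


# Constructed sample data: five backups of a hypothetical table, aged 1 to 40 days.
NOW = datetime(2024, 6, 30, 12, 0, tzinfo=timezone.utc)
SAMPLE_BACKUPS = [
    {"BackupArn": f"arn:aws:dynamodb:us-east-1:111122223333:table/example-table/backup/{i:02d}",
     "BackupCreationDateTime": NOW - timedelta(days=age)}
    for i, age in enumerate([1, 3, 10, 20, 40])
]

if __name__ == "__main__":
    for arn in backups_to_delete(SAMPLE_BACKUPS, NOW, retention_days="14"):
        print("would delete:", arn)
```
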

# `AWSConfigRemediation-EnableEncryptionOnDynamoDbTable`
<a name="automation-aws-enable-ddb-encrypt"></a>

 **Description** 

 The `AWSConfigRemediation-EnableEncryptionOnDynamoDbTable` runbook encrypts an Amazon DynamoDB (DynamoDB) table using the AWS Key Management Service (AWS KMS) customer managed key you specify for the `KMSKeyId` parameter. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnableEncryptionOnDynamoDbTable) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ KMSKeyId

  Type: String

  Description: (Required) The ARN of the customer managed key you want to use to encrypt the DynamoDB table you specify in the `TableName` parameter.
+ TableName

  Type: String

  Description: (Required) The name of the DynamoDB table you want to encrypt.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `dynamodb:DescribeTable` 
+  `dynamodb:UpdateTable` 

 **Document Steps** 
+  `aws:executeAwsApi` - Encrypts the DynamoDB table you specify in the `TableName` parameter. 
+  `aws:waitForAwsResourceProperty` - Verifies the `Enabled` property for the DynamoDB table's `SSESpecification` is set to `true`.
+  `aws:assertAwsResourceProperty` - Verifies the DynamoDB table is encrypted with the customer managed key specified in the `KMSKeyId` parameter. 

# `AWSConfigRemediation-EnablePITRForDynamoDbTable`
<a name="automation-aws-enable-pitr-ddb"></a>

 **Description** 

 The `AWSConfigRemediation-EnablePITRForDynamoDbTable` runbook enables point-in-time recovery (PITR) on the Amazon DynamoDB table you specify. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnablePITRForDynamoDbTable) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ TableName

  Type: String

  Description: (Required) The name of the DynamoDB table to enable point-in-time recovery on.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `dynamodb:DescribeContinuousBackups`
+  `dynamodb:UpdateContinuousBackups` 

 **Document Steps** 
+  `aws:executeAwsApi` - Enables point-in-time recovery on the DynamoDB table you specify in the `TableName` parameter. 
+  `aws:assertAwsResourceProperty` - Confirms point-in-time recovery is enabled on the DynamoDB table. 

# `AWS-EnableDynamoDbAutoscaling`
<a name="AWS-EnableDynamoDbAutoscaling"></a>

 **Description** 

The `AWS-EnableDynamoDbAutoscaling` runbook enables Application Auto Scaling for the provisioned capacity Amazon DynamoDB table you specify. Application Auto Scaling dynamically adjusts provisioned throughput capacity in response to traffic patterns. For more information, see [Managing throughput capacity automatically with DynamoDB auto scaling](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/AutoScaling.html) in the *Amazon DynamoDB Developer Guide*.

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ TableName

  Type: String

  Description: (Required) The name of the DynamoDB table you want to enable Application Auto Scaling on.
+ MinReadCapacity

  Type: Integer

  Description: (Required) The minimum number of provisioned throughput read capacity units for the DynamoDB table.
+ MaxReadCapacity

  Type: Integer

  Description: (Required) The maximum number of provisioned throughput read capacity units for the DynamoDB table.
+ TargetReadCapacityUtilization

  Type: Integer

  Description: (Required) The desired target read capacity utilization. Target utilization is the percentage of consumed provisioned throughput at a point in time. You can set the auto scaling target utilization values between 20 and 90 percent.
+ ReadScaleOutCooldown

  Type: Integer

  Description: (Required) The amount of time in seconds to wait for a previous read capacity scale-out activity to take effect.
+ ReadScaleInCooldown

  Type: Integer

  Description: (Required) The amount of time in seconds after a read capacity scale-in activity completes before another scale-in activity can start.
+ MinWriteCapacity

  Type: Integer

  Description: (Required) The minimum number of provisioned throughput write units for the DynamoDB table.
+ MaxWriteCapacity

  Type: Integer

  Description: (Required) The maximum number of provisioned throughput write units for the DynamoDB table.
+ TargetWriteCapacityUtilization

  Type: Integer

  Description: (Required) The desired target write capacity utilization. Target utilization is the percentage of consumed provisioned throughput at a point in time. You can set the auto scaling target utilization values between 20 and 90 percent.
+ WriteScaleOutCooldown

  Type: Integer

  Description: (Required) The amount of time in seconds to wait for a previous write capacity scale-out activity to take effect.
+ WriteScaleInCooldown

  Type: Integer

  Description: (Required) The amount of time in seconds after a write capacity scale-in activity completes before another scale-in activity can start.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `ssm:GetAutomationExecution`
+ `ssm:StartAutomationExecution`
+ `application-autoscaling:DescribeScalableTargets`
+ `application-autoscaling:DescribeScalingPolicies`
+ `application-autoscaling:PutScalingPolicy`
+ `application-autoscaling:RegisterScalableTarget`

**Document Steps**
+ RegisterAppAutoscalingTargetWrite (`aws:executeAwsApi`) - Configures Application Auto Scaling on the DynamoDB table you specify.
+ RegisterAppAutoscalingTargetWriteDelay (`aws:sleep`) - Sleeps to avoid API throttling.
+ PutScalingPolicyWrite (`aws:executeAwsApi`) - Configures the target write capacity utilization for the DynamoDB table.
+ PutScalingPolicyWriteDelay (`aws:sleep`) - Sleeps to avoid API throttling.
+ RegisterAppAutoscalingTargetRead (`aws:executeAwsApi`) - Configures minimum and maximum read capacity units for the DynamoDB table.
+ RegisterAppAutoscalingTargetReadDelay (`aws:sleep`) - Sleeps to avoid API throttling.
+ PutScalingPolicyRead (`aws:executeAwsApi`) - Configures the target read capacity utilization for the DynamoDB table.
+ VerifyDynamoDbAutoscalingEnabled (`aws:executeScript`) - Verifies Application Auto Scaling is enabled for the DynamoDB table according to the values you specify.

 **Outputs** 
+ RegisterAppAutoscalingTargetWrite.Response
+ PutScalingPolicyWrite.Response
+ RegisterAppAutoscalingTargetRead.Response
+ PutScalingPolicyRead.Response
+ VerifyDynamoDbAutoscalingEnabled.DynamoDbAutoscalingEnabledResponse

# `AWS-RestoreDynamoDBTable`
<a name="aws-restore-dynamodb-table"></a>

 **Description** 

 The `AWS-RestoreDynamoDBTable` runbook restores the Amazon DynamoDB table that you specify using point-in-time recovery (PITR). 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-RestoreDynamoDBTable) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ EnablePointInTimeRecoverAsNeeded

  Type: Boolean

  Default: true

  Description: (Optional) Determines whether the automation turns on point-in-time recovery as needed to restore the table.
+ GlobalSecondaryIndexOverride

  Type: String

  Description: (Optional) The new global secondary indexes to replace the existing secondary indexes for the new table.
+ LocalSecondaryIndexOverride

  Type: String

  Description: (Optional) The new local secondary indexes to replace the existing secondary indexes for the new table.
+ RestoreDateTime

  Type: String

  Description: (Required) The point in time, within the last 35 days, that you want to restore your table to. Specify the date and time using the following format: `DD/MM/YYYY HH:MM:SS`
+ SourceTableArn

  Type: String

  Description: (Required) The ARN of the table that you want to restore.
+ SseSpecificationOverride

  Type: String

  Description: (Optional) The server-side encryption settings to use for the new table.
+ TargetTableName

  Type: String

  Description: (Required) The name of the table to restore.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `dynamodb:BatchWriteItem` 
+  `dynamodb:DeleteItem` 
+  `dynamodb:DescribeTable` 
+  `dynamodb:GetItem` 
+  `dynamodb:PutItem` 
+  `dynamodb:Query` 
+  `dynamodb:RestoreTableToPointInTime` 
+  `dynamodb:Scan` 
+  `dynamodb:UpdateItem` 

 **Document Steps** 
+  `aws:executeScript` - Restores the DynamoDB table that you specify in the `TargetTableName` parameter using point-in-time recovery. 