Posted On: Mar 24, 2021

AWS CloudTrail now supports logging of data events for Amazon DynamoDB. With this new feature, you can use CloudTrail to log item-level DynamoDB activity from all your DynamoDB tables or from specific tables, with read-only and write-only filters. You can also use CloudTrail advanced event selectors for more granular control over which DynamoDB data events you want to log. All DynamoDB data events are delivered to an Amazon S3 bucket and to Amazon CloudWatch Events, which creates an audit log of data access and allows you to respond to events recorded by CloudTrail. Details on when DynamoDB API calls were made, and by whom, enhance data visibility for security and operations engineering teams. For example, you can quickly determine which DynamoDB items were created, read, updated, or deleted and identify the source of the API calls. If you detect unauthorized DynamoDB activity, you can also take immediate action to restrict access.

You can turn on logging for Amazon DynamoDB using the AWS CloudTrail console, the AWS CLI, or the SDKs. When creating a new trail (recommended) or editing an existing trail, you can select which DynamoDB tables you wish to monitor; you can configure whether read-only, write-only, or both types of events should be captured for the trail; and you can use advanced event selectors for additional control. CloudTrail logging of DynamoDB data events is available in all commercial AWS regions. Please read our documentation to get started with DynamoDB data events. Please visit our product page for more information about AWS CloudTrail and our pricing page to learn more about data events pricing.
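The following is an added example (not AWS's own code or documentation) showing the two sides of the feature described above: building an advanced event selector that logs only write events for one DynamoDB table, in the shape accepted by `aws cloudtrail put-event-selectors --advanced-event-selectors` or boto3's `put_event_selectors()`, and reducing delivered CloudTrail records to "who did what to which table". The table ARN, account ID, and log records are constructed placeholders.

```python
import json

# Constructed sample ARN; substitute the table you want to monitor.
ORDERS_TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"


def dynamodb_data_event_selector(name, table_arns, read_only=None):
    """Build one CloudTrail advanced event selector for DynamoDB data events.

    read_only=None logs reads and writes; True logs only reads; False only writes.
    """
    fields = [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::DynamoDB::Table"]},
    ]
    if read_only is not None:
        # CloudTrail compares readOnly against the strings "true" / "false".
        fields.append({"Field": "readOnly", "Equals": [str(read_only).lower()]})
    if table_arns:
        fields.append({"Field": "resources.ARN", "Equals": list(table_arns)})
    return {"Name": name, "FieldSelectors": fields}


def summarize_dynamodb_records(records):
    """Keep only DynamoDB data events and return (who, action, table, readOnly, source IP).

    Management events (e.g. DescribeTable) and other services are skipped.
    """
    out = []
    for r in records:
        if r.get("eventSource") != "dynamodb.amazonaws.com" or r.get("managementEvent", True):
            continue
        out.append((r["userIdentity"].get("arn", "unknown"), r["eventName"],
                    r.get("requestParameters", {}).get("tableName"),
                    r.get("readOnly"), r.get("sourceIPAddress")))
    return out


# Constructed records in the shape CloudTrail delivers; not real log data.
SAMPLE_RECORDS = [
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "DeleteItem", "managementEvent": False,
     "readOnly": False, "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"tableName": "Orders"}},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "GetItem", "managementEvent": False,
     "readOnly": True, "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/app"},
     "requestParameters": {"tableName": "Orders"}},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "DescribeTable", "managementEvent": True,
     "readOnly": True, "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
]

if __name__ == "__main__":
    print(json.dumps(dynamodb_data_event_selector("Orders writes", [ORDERS_TABLE_ARN], read_only=False), indent=2))
    for row in summarize_dynamodb_records(SAMPLE_RECORDS):
        print(row)
```

The selector JSON printed here is what you would pass to `put-event-selectors` for the trail; the summary rows are what a responder would pull from the S3-delivered logs to decide whether a write came from an expected principal.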