Posted On: Apr 20, 2021

You now can use AWS CloudTrail to log Amazon DynamoDB Streams data-plane APIs—GetRecords and GetShardIterator—to monitor and investigate item-level changes in your DynamoDB tables. Previously, you could use CloudTrail to log DynamoDB Streams control-plane activity (and not data-plane activity) on your DynamoDB tables.

With CloudTrail data-plane logging, you can record all API activity on DynamoDB, and receive detailed information such as the AWS Identity and Access Management (IAM) user or role that made a request, the time of the request, and the accessed table. To configure data-plane events for DynamoDB, in the CloudTrail console or with the AWS CLI or AWS API, specify DynamoDB as the data event type and then choose the DynamoDB tables for which you want CloudTrail to record data-plane API activity. When you enable data-plane logging on your DynamoDB table, the stream's data-plane APIs are logged automatically in CloudTrail. You also can configure whether read-only, write-only, or both types of events are captured for the trail. All DynamoDB data events are delivered to an Amazon S3 bucket and Amazon CloudWatch Events, creating an audit log of data access so that you can respond to events recorded by CloudTrail.
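As an added example (not from the announcement or from AWS), the script below reads a CloudTrail log file, keeps only the two Streams data-plane calls named above, and reports which principal read which table's stream and when, flagging readers that a per-table allow-list does not expect. The log records are constructed samples; the record field names (`eventName`, `userIdentity.arn`, `resources[].ARN`) follow the CloudTrail record format, and the allow-list is a hypothetical policy input.

```python
import json
from collections import Counter

# The two DynamoDB Streams data-plane APIs named in the announcement.
STREAM_DATA_APIS = {"GetRecords", "GetShardIterator"}

# Constructed sample of a CloudTrail log file body; not real account data.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2021-04-20T10:01:02Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "GetShardIterator", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/stream-consumer/app"},
     "resources": [{"ARN": "arn:aws:dynamodb:us-east-1:111122223333:table/Orders/stream/2021-04-01T00:00:00.000"}]},
    {"eventTime": "2021-04-20T10:01:03Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "GetRecords", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/stream-consumer/app"},
     "resources": [{"ARN": "arn:aws:dynamodb:us-east-1:111122223333:table/Orders/stream/2021-04-01T00:00:00.000"}]},
    {"eventTime": "2021-04-20T10:05:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "GetRecords", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "resources": [{"ARN": "arn:aws:dynamodb:us-east-1:111122223333:table/Orders/stream/2021-04-01T00:00:00.000"}]},
    {"eventTime": "2021-04-20T10:06:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "PutItem", "readOnly": False,  # table data event, not a Streams call
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "resources": [{"ARN": "arn:aws:dynamodb:us-east-1:111122223333:table/Orders"}]},
]})

def table_from_arn(arn):
    """Table name from a table ARN or a table-stream ARN (…:table/NAME/stream/…), else None."""
    if ":table/" not in arn:
        return None
    return arn.split(":table/", 1)[1].split("/", 1)[0]

def stream_reads(log_text):
    """Return (principal, table, api, time) for every Streams data-plane call in the log."""
    out = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "dynamodb.amazonaws.com":
            continue
        if rec.get("eventName") not in STREAM_DATA_APIS:
            continue
        principal = rec.get("userIdentity", {}).get("arn", "<unknown>")
        arns = [r.get("ARN", "") for r in rec.get("resources", [])]
        table = next((t for t in map(table_from_arn, arns) if t), "<unknown>")
        out.append((principal, table, rec["eventName"], rec["eventTime"]))
    return out

def unexpected_readers(reads, allowed):
    """(principal, table) -> call count for readers the allow-list (table -> set of ARNs) omits."""
    counts = Counter((p, t) for p, t, _, _ in reads)
    return {k: n for k, n in counts.items() if k[0] not in allowed.get(k[1], set())}
```

Log files CloudTrail delivers to S3 are gzip-compressed; decompress before passing the JSON body to `stream_reads`.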