Posted On: Sep 22, 2021

You can now use AWS CloudTrail to filter and retrieve Amazon DynamoDB Streams data-plane API activity. This gives you more granular control over which DynamoDB API calls you selectively log and pay for in CloudTrail, and helps address compliance and auditing requirements.

Data-plane events provide visibility into the data-plane resource operations performed on or within a resource. You can now specify AWS::DynamoDB::Stream as a resource type, so that you can exercise granular control over logging of streams events and non-streams events for DynamoDB. For example, you can log only DynamoDB Streams APIs to narrow the CloudTrail events you receive, enabling you to identify security issues while controlling costs. With CloudTrail data-plane logging, you can record all API activity on DynamoDB and receive detailed information such as the AWS Identity and Access Management (IAM) user or role that made a request, the time of the request, and the accessed table. DynamoDB data events are delivered to an Amazon S3 bucket and Amazon CloudWatch Events, creating an audit log of data access so that you can respond to events recorded by CloudTrail.
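As an added example (not AWS's own code), the following Python builds a CloudTrail advanced event selector restricted to the AWS::DynamoDB::Stream resource type described above, applies it through boto3's put_event_selectors, and parses a few constructed CloudTrail records to extract the principal, time and stream ARN for each Streams data event. The trail name, account ID and ARNs are placeholders.

```python
"""Added example: log only DynamoDB Streams data-plane events in CloudTrail
and summarise who read which stream. Not AWS's code; ARNs are constructed."""

# Advanced event selector scoped to the AWS::DynamoDB::Stream resource type.
# Table data events (AWS::DynamoDB::Table) are intentionally left out so that
# only Streams activity is delivered and billed.
STREAM_ONLY_SELECTORS = [
    {
        "Name": "DynamoDB Streams data-plane events only",
        "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Data"]},
            {"Field": "resources.type", "Equals": ["AWS::DynamoDB::Stream"]},
        ],
    }
]


def apply_selectors(trail_name, cloudtrail_client):
    """Apply the selector to an existing trail. cloudtrail_client is assumed
    to be a boto3 CloudTrail client (boto3.client("cloudtrail")); this call
    needs AWS credentials and is not exercised offline."""
    return cloudtrail_client.put_event_selectors(
        TrailName=trail_name, AdvancedEventSelectors=STREAM_ONLY_SELECTORS
    )


def stream_access_summary(records):
    """Return (principal ARN, event time, stream ARN, API name) for every
    DynamoDB Streams data event in a list of CloudTrail records."""
    rows = []
    for rec in records:
        if rec.get("eventSource") != "dynamodb.amazonaws.com":
            continue  # not DynamoDB at all
        stream_arns = [r["ARN"] for r in rec.get("resources", [])
                       if r.get("type") == "AWS::DynamoDB::Stream"]
        if not stream_arns:
            continue  # a table (non-streams) event, filtered out
        who = rec["userIdentity"].get("arn", rec["userIdentity"].get("type"))
        rows.append((who, rec["eventTime"], stream_arns[0], rec["eventName"]))
    return rows


# Constructed sample records in CloudTrail's record layout (not real output).
SAMPLE_RECORDS = [
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "GetRecords",
     "eventTime": "2021-09-22T10:15:00Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/stream-consumer"},
     "resources": [{"type": "AWS::DynamoDB::Stream", "accountId": "123456789012",
                    "ARN": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"
                           "/stream/2021-09-22T00:00:00.000"}]},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "PutItem",
     "eventTime": "2021-09-22T10:16:00Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/app"},
     "resources": [{"type": "AWS::DynamoDB::Table", "accountId": "123456789012",
                    "ARN": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "eventTime": "2021-09-22T10:17:00Z", "userIdentity": {"type": "AWSService"}},
]
```

Running `stream_access_summary(SAMPLE_RECORDS)` yields a single row for the GetRecords call; the PutItem and S3 records are dropped, which is the same narrowing the selector performs on the CloudTrail side.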

CloudTrail logging of DynamoDB data-plane events is available in all commercial AWS regions where CloudTrail is available. For data-plane events pricing, see AWS CloudTrail pricing. To learn more about filtering DynamoDB Streams data-plane events, see Logging DynamoDB Operations by Using AWS CloudTrail.