Posted On: Sep 22, 2021
Data plane events provide visibility into the data plane resource operations performed on or within a resource. You now can specify AWS::DynamoDB::Stream as a resource type, so that you can exercise granular control over logging of streams events and non-streams events for DynamoDB. For example, you can log only DynamoDB Stream APIs to narrow the CloudTrail events you receive, enabling you to identify security issues while controlling costs. With CloudTrail data-plane logging, you can record all API activity on DynamoDB, and receive detailed information such as the AWS Identity and Access Management (IAM) user or role that made a request, the time of the request, and the accessed table. DynamoDB data events are delivered to an Amazon S3 bucket and Amazon CloudWatch Events, creating an audit log of data access so that you can respond to events recorded by CloudTrail.
CloudTrail logging of DynamoDB data plane events is available in all commercial AWS regions where CloudTrail is available. For data plane events pricing, see AWS CloudTrail pricing. To learn more about filtering DynamoDB streams data plane events, see Logging DynamoDB Operations by Using AWS CloudTrail.