Posted On: Mar 24, 2021

Amazon CloudTrail now supports logging of data events for Amazon DynamoDB. With this new feature, you can use CloudTrail to log item-level DynamoDB activity from all your DynamoDB tables or from specific tables, with read-only and write-only filters. You can also use CloudTrail advanced event selectors for more granular control of which events you want to log. All DynamoDB data events are delivered to an Amazon S3 bucket and Amazon CloudWatch Events, which creates an audit log of all data access for compliance purposes and allows you to respond to events recorded by CloudTrail. Details on when, and by whom, DynamoDB API calls were made improve data visibility for security and operations engineering teams. For example, you can quickly determine which DynamoDB items were created, read, updated, or deleted in the past three days and identify the source of the API calls. If you detect unauthorized DynamoDB activity, you can also take immediate action to restrict access.
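As an added example (not code from the announcement or from AWS), the following Python builds a write-only advanced event selector for one DynamoDB table, in the field-selector shape CloudTrail accepts, and then runs the "who wrote what in the past three days" question over a constructed CloudTrail log file. The table ARN, identities, IPs and timestamps are placeholders.

```python
import json
from datetime import datetime, timedelta, timezone

def dynamodb_write_selector(table_arn):
    """Advanced event selector: DynamoDB data events on one table, writes only.
    Field names follow CloudTrail's advanced event selector schema; the ARN
    is whatever table you want audited (placeholder below)."""
    return {
        "Name": "DynamoDB write events",
        "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Data"]},
            {"Field": "resources.type", "Equals": ["AWS::DynamoDB::Table"]},
            {"Field": "readOnly", "Equals": ["false"]},
            {"Field": "resources.ARN", "Equals": [table_arn]},
        ],
    }

# Constructed sample log (not real data) in the {"Records": [...]} layout
# CloudTrail delivers to S3: one recent write, one read, one stale write,
# and one non-DynamoDB event.
TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"
def _rec(time, source, name, ro, user, ip):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "readOnly": ro, "eventCategory": "Data", "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "arn": user},
            "resources": [{"type": "AWS::DynamoDB::Table", "ARN": TABLE}]}
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2021-03-23T10:15:00Z", "dynamodb.amazonaws.com", "PutItem", False,
         "arn:aws:iam::123456789012:user/alice", "198.51.100.10"),
    _rec("2021-03-23T10:16:00Z", "dynamodb.amazonaws.com", "GetItem", True,
         "arn:aws:iam::123456789012:user/bob", "198.51.100.11"),
    _rec("2021-03-10T08:00:00Z", "dynamodb.amazonaws.com", "DeleteItem", False,
         "arn:aws:iam::123456789012:user/carol", "198.51.100.12"),
    _rec("2021-03-23T11:00:00Z", "s3.amazonaws.com", "GetObject", True,
         "arn:aws:iam::123456789012:user/dave", "198.51.100.13"),
]})

def dynamodb_writes_since(log_text, now_iso, days=3):
    """(caller ARN, source IP, eventName, table ARN) for every DynamoDB write
    data event newer than `days` days before now_iso, in log order."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    cutoff = now - timedelta(days=days)
    hits = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "dynamodb.amazonaws.com":
            continue
        if rec.get("eventCategory") != "Data" or rec.get("readOnly", True):
            continue
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if when < cutoff:
            continue
        tables = [r["ARN"] for r in rec.get("resources", [])
                  if r.get("type") == "AWS::DynamoDB::Table"]
        hits.append((rec["userIdentity"].get("arn"), rec.get("sourceIPAddress"),
                     rec["eventName"], tables[0] if tables else None))
    return hits
```

The selector dictionary is what you would pass (as JSON) to `aws cloudtrail put-event-selectors --advanced-event-selectors` for the trail; the filter function is the offline check that the delivered records answer the question the announcement poses.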

You can turn on logging for Amazon DynamoDB using the Amazon CloudTrail console, CLI, and SDKs. When creating a new trail (recommended) or editing an existing trail, you can select which DynamoDB tables you wish to monitor, and you can also configure whether read-only, write-only, or both types of events should be captured for the trail, or use CloudTrail’s advanced event selectors. CloudTrail logging of DynamoDB data events is available in all public Amazon Web Services regions. Please read our documentation to get started with DynamoDB data events. Please visit our product page for more information about Amazon CloudTrail and our pricing page to learn more about data event pricing.