Posted On: Mar 24, 2021

You can now use Amazon CloudTrail to log data-plane API activity so that you can monitor, alarm on, and archive item-level activity in your Amazon DynamoDB tables. You can use this information about item-level activity as part of an audit, to help address compliance requirements, and to monitor which Amazon Identity and Access Management (IAM) users, roles, and permissions are being used to access your table data.

With CloudTrail data-plane logging, you can record all API activity on DynamoDB, and receive detailed information such as the IAM user or role that made the request, the time of the request, and the accessed table. To configure data-plane events for DynamoDB, in the CloudTrail console or with the Amazon CLI or Amazon API, specify DynamoDB as the data event type and then choose the DynamoDB tables for which you want CloudTrail to record data-plane API activity. You can also configure whether read-only events, write-only events, or both are captured for the trail. CloudTrail records and delivers DynamoDB data events to the same Amazon S3 bucket to which it already delivers your log files for other Amazon Web Services services.
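As an added illustration (not code from this announcement or from Amazon Web Services), the following Python sketch reads the body of a delivered CloudTrail log file and reports which principal touched which table, split into reads and writes, while skipping control-plane calls. The account ID, ARNs, and log records are constructed sample values, and the allowlist check is a hypothetical review step.

```python
import json
from collections import Counter

# Constructed sample identifiers (assumptions, not real resources).
ORDERS = "arn:aws-cn:dynamodb:cn-north-1:111122223333:table/Orders"
APP = "arn:aws-cn:sts::111122223333:assumed-role/order-service/i-0abc"
ANALYST = "arn:aws-cn:iam::111122223333:user/analyst"
ADMIN = "arn:aws-cn:iam::111122223333:user/admin"

def _rec(time, arn, name, read_only, mgmt=False):
    """Build one constructed CloudTrail record (sample data, not real logs)."""
    return {"eventTime": time, "eventSource": "dynamodb.amazonaws.com",
            "eventName": name, "userIdentity": {"arn": arn},
            "readOnly": read_only, "managementEvent": mgmt,
            "resources": [{"type": "AWS::DynamoDB::Table", "ARN": ORDERS}]}

# Constructed log file body: CloudTrail wraps events in a "Records" array.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2021-03-24T08:00:01Z", APP, "GetItem", True),
    _rec("2021-03-24T08:00:02Z", APP, "PutItem", False),
    _rec("2021-03-24T08:05:00Z", ANALYST, "GetItem", True),
    _rec("2021-03-24T08:06:00Z", ADMIN, "CreateTable", False, mgmt=True),
]})

def dynamodb_data_events(log_text):
    """Yield (time, principal, table ARN, API name, 'read'|'write') per data event."""
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "dynamodb.amazonaws.com":
            continue
        if rec.get("managementEvent", True):
            continue  # control-plane call such as CreateTable, not item-level
        who = rec.get("userIdentity", {}).get("arn", "unknown")
        mode = "read" if rec.get("readOnly") else "write"
        for res in rec.get("resources", []):
            if res.get("type") == "AWS::DynamoDB::Table":
                yield rec["eventTime"], who, res["ARN"], rec["eventName"], mode

def access_summary(log_text):
    """Count item-level calls per (principal, table, read/write)."""
    return Counter((who, table, mode)
                   for _, who, table, _, mode in dynamodb_data_events(log_text))

def unexpected_principals(log_text, allowed):
    """Principals with item-level access that are not on the allowlist."""
    seen = {who for _, who, _, _, _ in dynamodb_data_events(log_text)}
    return sorted(seen - set(allowed))

if __name__ == "__main__":
    for key, count in sorted(access_summary(SAMPLE_LOG).items()):
        print(count, *key)
    print("not on allowlist:", unexpected_principals(SAMPLE_LOG, [APP]))
```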

This feature is now available in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD. To learn more, see Logging DynamoDB Operations by Using Amazon CloudTrail. To learn more about DynamoDB data-events pricing, see CloudTrail pricing.