Posted On: May 3, 2021

You now can use Amazon CloudTrail to log the Amazon DynamoDB Streams data-plane APIs, GetRecords and GetShardIterator, so you can monitor and investigate which principals read item-level changes from your DynamoDB tables. Previously, CloudTrail could log only DynamoDB Streams control-plane activity on your tables, not data-plane activity.

With CloudTrail data-plane logging, you can record all API activity on DynamoDB and receive detailed information such as the Amazon Identity and Access Management (IAM) user or role that made a request, the time of the request, and the table that was accessed. To configure data-plane events for DynamoDB, in the CloudTrail console or with the Amazon CLI or Amazon API, specify DynamoDB as the data event type and then choose the DynamoDB tables for which you want CloudTrail to record data-plane API activity. When you enable data-plane logging on a DynamoDB table, calls to the Streams data-plane APIs for that table's stream are logged in CloudTrail automatically. You also can configure whether read-only, write-only, or both types of events are captured for the trail; note that GetRecords and GetShardIterator are read operations, so a trail configured for write-only events will not record them. All DynamoDB data events are delivered to an Amazon S3 bucket and Amazon CloudWatch Events, creating an audit log of data access so that you can respond to the events CloudTrail records.
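The following is an added example, not code from the announcement or from the DynamoDB or CloudTrail teams. It builds the PutEventSelectors payload that turns on DynamoDB data-plane logging for chosen tables (the same call the Amazon CLI's `put-event-selectors` makes), taking care of the `aws-cn` partition used by the Beijing and Ningxia regions, and then triages CloudTrail records for the two Streams read APIs named above. The trail name, account ID, table names and the sample records are constructed for illustration; the record fields follow the standard CloudTrail record layout.

```python
"""Added example (not from the announcement): configure DynamoDB data-plane
logging and pick DynamoDB Streams reads out of CloudTrail records.
Trail name, account ID, table names and SAMPLE_RECORDS are constructed."""
import json

STREAM_READ_APIS = {"GetRecords", "GetShardIterator"}  # the two Streams data-plane APIs


def table_arn(region: str, account_id: str, table_name: str) -> str:
    """Build a DynamoDB table ARN. The China regions live in the aws-cn
    partition, so a selector written with arn:aws:... never matches a
    Beijing (cn-north-1) or Ningxia (cn-northwest-1) table."""
    partition = "aws-cn" if region.startswith("cn-") else "aws"
    return f"arn:{partition}:dynamodb:{region}:{account_id}:table/{table_name}"


def event_selectors(trail_name: str, table_arns, read_write_type: str = "All") -> dict:
    """Payload for CloudTrail PutEventSelectors (CLI: aws cloudtrail
    put-event-selectors --cli-input-json; boto3: client.put_event_selectors(**payload)).
    GetRecords and GetShardIterator are read operations, so WriteOnly would
    silently drop them; ReadOnly or All is required to see stream consumers."""
    if read_write_type not in {"ReadOnly", "WriteOnly", "All"}:
        raise ValueError(f"unknown ReadWriteType: {read_write_type}")
    return {
        "TrailName": trail_name,
        "EventSelectors": [
            {
                "ReadWriteType": read_write_type,
                "IncludeManagementEvents": True,
                "DataResources": [
                    {"Type": "AWS::DynamoDB::Table", "Values": list(table_arns)}
                ],
            }
        ],
    }


def stream_reads(records) -> list:
    """Return the DynamoDB Streams data-plane reads found in CloudTrail records,
    reduced to the fields an investigator looks at first. Table data events
    (Scan, GetItem, ...) and control-plane calls are skipped."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "dynamodb.amazonaws.com":
            continue
        if rec.get("eventName") not in STREAM_READ_APIS:
            continue
        resources = rec.get("resources") or [{}]
        hits.append({
            "time": rec.get("eventTime"),
            "principal": rec.get("userIdentity", {}).get("arn"),
            "api": rec["eventName"],
            "stream": resources[0].get("ARN"),
            "source_ip": rec.get("sourceIPAddress"),
        })
    return hits


# Constructed sample records: two Streams reads by an assumed role, one table
# Scan (a data event, but not a Streams call) and one control-plane DescribeTable.
_ROLE = "arn:aws-cn:sts::111122223333:assumed-role/OrdersConsumer/session"
_STREAM = "arn:aws-cn:dynamodb:cn-north-1:111122223333:table/Orders/stream/2021-05-01T00:00:00.000"
SAMPLE_RECORDS = [
    {"eventTime": "2021-05-03T08:15:02Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "GetShardIterator", "awsRegion": "cn-north-1", "sourceIPAddress": "10.0.12.7",
     "userIdentity": {"type": "AssumedRole", "arn": _ROLE},
     "resources": [{"type": "AWS::DynamoDB::Stream", "ARN": _STREAM}],
     "readOnly": True, "managementEvent": False},
    {"eventTime": "2021-05-03T08:15:03Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "GetRecords", "awsRegion": "cn-north-1", "sourceIPAddress": "10.0.12.7",
     "userIdentity": {"type": "AssumedRole", "arn": _ROLE},
     "resources": [{"type": "AWS::DynamoDB::Stream", "ARN": _STREAM}],
     "readOnly": True, "managementEvent": False},
    {"eventTime": "2021-05-03T08:16:40Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "Scan", "awsRegion": "cn-north-1", "sourceIPAddress": "10.0.12.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws-cn:iam::111122223333:user/analyst"},
     "resources": [{"type": "AWS::DynamoDB::Table",
                    "ARN": "arn:aws-cn:dynamodb:cn-north-1:111122223333:table/Orders"}],
     "readOnly": True, "managementEvent": False},
    {"eventTime": "2021-05-03T08:17:11Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "DescribeTable", "awsRegion": "cn-north-1", "sourceIPAddress": "10.0.12.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws-cn:iam::111122223333:user/analyst"},
     "readOnly": True, "managementEvent": True},
]


if __name__ == "__main__":
    arns = [table_arn("cn-north-1", "111122223333", "Orders")]
    print(json.dumps(event_selectors("audit-trail", arns), indent=2))
    for hit in stream_reads(SAMPLE_RECORDS):
        print(hit)
```

The selector payload can be written to a file and passed to `aws cloudtrail put-event-selectors --cli-input-json file://selectors.json`. When running the triage over real trail files, remember that CloudTrail delivers gzipped JSON objects whose top-level key is `Records`; pass that list to `stream_reads`.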

This feature is now available in the Amazon Web Services China (Beijing) region, operated by Sinnet, and the Amazon Web Services China (Ningxia) region, operated by NWCD. To learn more about DynamoDB Streams, see Change Data Capture for DynamoDB Streams.