AWS Database Blog

Amazon DynamoDB now supports audit logging and monitoring using AWS CloudTrail

Amazon DynamoDB is a fully managed, multi-Region, multi-active database that delivers reliable performance at any scale. Because of the flexible DynamoDB data model, enterprise-ready features, and industry-leading service level agreement, customers are increasingly moving sensitive workloads to DynamoDB. Regulated industries (e.g., education, media, finance, and healthcare) may require detailed information about data access activity to help implement security controls and meet industry requirements, including compliance, auditing, and governance of their AWS accounts.

Previously, you could use AWS CloudTrail to log control plane activity on your DynamoDB tables and glean information such as who created or deleted a table and when a table was changed. You can now enable data plane activity logging for fine-grained monitoring of all DynamoDB item activity within a table by using CloudTrail. If you’re a database administrator or security professional, you can use this information as part of an audit, to help address compliance requirements, and to monitor which AWS Identity and Access Management (IAM) users, roles, and permissions are being used to access table data. CloudTrail records DynamoDB data events and publishes the log files to an Amazon Simple Storage Service (Amazon S3) bucket. Each event carries information, such as who performed an action and when, which resources were impacted, and many other details. Events are combined in JSON format and saved in CloudTrail log files. With these files, you can track and understand when, for example, an IAM user accessed sensitive information stored in a DynamoDB table.

In this post, we show how to create a new trail on the CloudTrail console and enable data event logging for a DynamoDB table. You can use this trail to monitor, alarm, and archive item-level activity on a table.

Solution overview

This walkthrough provides a step-by-step example of how to create a DynamoDB table, create a CloudTrail trail, enable data events for DynamoDB, create a DynamoDB item, and then review the CloudTrail event. The post assumes that you’re working with an IAM role that can access DynamoDB, CloudTrail, and Amazon S3. If you don’t have an IAM role to access these resources, it’s recommended that you work with your AWS account administrator. The AWS usage in this post alone falls within the Free Tier, but if you consume resources beyond the walkthrough, you could incur associated costs. It’s recommended that you remove resources after the walkthrough.

Creating a DynamoDB table

To log DynamoDB data events in CloudTrail, you first need a DynamoDB table. For the purposes of this post, we create a basic table to follow along with.

  1. On the DynamoDB console, in the navigation pane, choose Dashboard.
  2. Choose Create table.
  3. For Table name, enter DynamoDB-CloudTrail.
  4. For Partition key, enter pk.
  5. Leave Sort key
  6. Select Default settings.
  7. Choose Create to create the table.

Now that you have created the DynamoDB table, you can create and configure the CloudTrail trail to log the data events on the table.

Creating a trail

Before you enable data event logging in CloudTrail so that you can monitor item-level activity on the DynamoDB table, you must first create a new CloudTrail trail. For a detailed explanation about trail attributes, see Creating a Trail.

  1. On the CloudTrail console, choose Create a trail.
  2. Choose Trails in the navigation pane.
  3. Choose Create trail.
  4. For Trail name, enter DynamoDB-DataEvents-Trail.
  5. For Storage location, select Create new S3 bucket.
  6. For Trail log bucket and folder, enter an S3 bucket name.

The console suggests a new bucket name, which must be unique across all existing bucket names in Amazon S3. You also can choose to make your own unique bucket name.

  7. Log file SSE-KMS encryption is an additional setting; if your security controls require it, you must use either a new or an existing AWS Key Management Service (AWS KMS) customer managed key.
  8. The remaining configurations are optional enhancements.
  9. Choose Next.

You’re redirected to the Choose log events page of the Create trail wizard.

Enabling CloudTrail data event logging

To enable CloudTrail data event logging for items in your DynamoDB table, complete the following steps:

  1. On the Choose log events page, choose Data events.
  2. Deselect Management events.
  3. Select Data events.

DynamoDB data event logging is enabled on a per-table basis in CloudTrail and is disabled by default. This resource-specific configuration allows for data events to be logged on sensitive tables for security and compliance requirements or audit purposes.

  4. For Data event source, choose DynamoDB.

The default option is to log data events for all DynamoDB tables, but you can deselect the Read and Write check boxes to select individual tables in the subsequent section.

  5. Choose Browse to choose the DynamoDB table that you created initially.
  6. Choose Next.

  7. On the Review and create page, review the configuration and choose Create trail.
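The console steps above scope data event logging to one table. The same per-table scoping can be expressed as CloudTrail advanced event selectors, and it is worth being able to check which records a selector would actually capture before relying on it for audit. The following is an added example, not code from the post or from AWS: it builds selectors for a list of table ARNs and evaluates them against constructed records. The account ID and table ARNs are constructed values; the boto3 call named in the comment is where such selectors would be applied to a trail.

```python
"""Added example: build per-table CloudTrail advanced event selectors for
DynamoDB and check which records they would capture. Not the post's code.
The account ID 111122223333 and table names below are constructed."""

DATA_CATEGORY = "Data"
DDB_RESOURCE_TYPE = "AWS::DynamoDB::Table"


def dynamodb_table_selectors(table_arns, *, read=True, write=True):
    """Return AdvancedEventSelectors that log data events only for the given
    tables. Both reads and writes are logged unless one side is switched off,
    which mirrors the Read and Write check boxes in the console."""
    if not (read or write):
        raise ValueError("at least one of read or write must be enabled")
    field_selectors = [
        {"Field": "eventCategory", "Equals": [DATA_CATEGORY]},
        {"Field": "resources.type", "Equals": [DDB_RESOURCE_TYPE]},
        {"Field": "resources.ARN", "Equals": list(table_arns)},
    ]
    if read != write:  # exactly one side enabled: constrain on readOnly
        field_selectors.append(
            {"Field": "readOnly", "Equals": ["true" if read else "false"]})
    return [{"Name": "DynamoDB item activity", "FieldSelectors": field_selectors}]
    # Applied with: boto3.client("cloudtrail").put_event_selectors(
    #     TrailName="DynamoDB-DataEvents-Trail", AdvancedEventSelectors=selectors)


def _record_values(record, field):
    """Project a CloudTrail record onto an advanced-event-selector field."""
    if field == "eventCategory":
        return ["Management" if record.get("managementEvent", True) else DATA_CATEGORY]
    if field == "resources.type":
        return [r.get("type", "") for r in record.get("resources", [])]
    if field == "resources.ARN":
        return [r.get("ARN", "") for r in record.get("resources", [])]
    if field == "readOnly":
        return ["true" if record.get("readOnly") else "false"]
    if field == "eventName":
        return [record.get("eventName", "")]
    raise KeyError(f"unsupported selector field {field}")


# Positive operators: any record value may match any pattern.
# Negative operators: every record value must satisfy every pattern.
_POSITIVE = {
    "Equals": lambda v, p: v == p,
    "StartsWith": lambda v, p: v.startswith(p),
    "EndsWith": lambda v, p: v.endswith(p),
}
_NEGATIVE = {
    "NotEquals": lambda v, p: v != p,
    "NotStartsWith": lambda v, p: not v.startswith(p),
    "NotEndsWith": lambda v, p: not v.endswith(p),
}


def field_selector_matches(field_selector, record):
    values = _record_values(record, field_selector["Field"])
    for op, patterns in field_selector.items():
        if op == "Field":
            continue
        if op in _POSITIVE:
            if not any(_POSITIVE[op](v, p) for v in values for p in patterns):
                return False
        elif op in _NEGATIVE:
            if not all(_NEGATIVE[op](v, p) for v in values for p in patterns):
                return False
        else:
            raise KeyError(f"unsupported operator {op}")
    return True


def would_be_logged(selectors, record):
    """A record is logged when every field selector of any selector matches."""
    return any(all(field_selector_matches(fs, record) for fs in s["FieldSelectors"])
               for s in selectors)


def demo():
    """Constructed records: only reads on the audited table should be captured
    when the selector is built with write=False."""
    audited = "arn:aws:dynamodb:us-east-1:111122223333:table/DynamoDB-CloudTrail"
    other = "arn:aws:dynamodb:us-east-1:111122223333:table/Scratch"
    selectors = dynamodb_table_selectors([audited], write=False)

    def rec(name, arn, read_only, management=False):
        return {"eventSource": "dynamodb.amazonaws.com", "eventName": name,
                "managementEvent": management, "readOnly": read_only,
                "resources": [{"type": DDB_RESOURCE_TYPE, "ARN": arn}]}

    return {
        "get_on_audited": would_be_logged(selectors, rec("GetItem", audited, True)),
        "put_on_audited": would_be_logged(selectors, rec("PutItem", audited, False)),
        "get_on_other": would_be_logged(selectors, rec("GetItem", other, True)),
        "create_table": would_be_logged(selectors, rec("CreateTable", audited, False, True)),
    }


if __name__ == "__main__":
    print(demo())
```

The matcher is a simplification of CloudTrail's own evaluation (it covers the fields and operators used for DynamoDB table scoping), but it is enough to confirm, before a trail goes live, that a write on an unlisted table or a management event falls outside a read-only selector.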

Now that you have a new trail, you can create and delete an item in the DynamoDB table.

  1. On the details page for the DynamoDB table you created, choose Create item.

  2. Enter the data to insert as a table item.

For simplicity, you can disable View DynamoDB JSON and enter values to correspond with the item pk, as shown in the following screenshot.

  3. Choose Create item.

You can see the new item you created in the Items preview section. You also can delete this item by selecting the item and choosing Delete item(s) from the Actions menu.

Understanding and using data event records

Creating and deleting items creates data event records in the newly created trail, which you can view in CloudTrail. The following code example shows a CloudTrail record of a DeleteItem action, which is the action you performed in the previous step:

{
    "eventVersion": "1.06",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "<principalID>:<principalIdName>",
        "arn": "arn:aws:sts::<accountId>:assumed-role/<username>/<principalIdName>",
        "accountId": "<accountId>",
        "accessKeyId": "<accessKeyId>",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "<principalID>",
                "arn": "arn:aws:iam::<accountId>:role/<username>",
                "accountId": "<accountId>",
                "userName": "<username>"
            },
            "attributes": {
                "creationDate": "2020-10-01T20:00:25Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2020-10-20T15:00:25Z",
    "eventSource": "dynamodb.amazonaws.com",
    "eventName": "DeleteItem",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "<source-IP>",
    "userAgent": "console.amazonaws.com",
    "requestParameters": {
        "tableName": "<tableName>",
        "key": {
            "key": "<partitionKey>"
        },
        "returnValue": "NONE",
        "returnConsumedCapacity": "NONE"
    },
    "responseElements": null,
    "requestID": "<requestID>",
    "eventID": "<eventID>",
    "readOnly": false,
    "resources": [
        {
            "accountId": "<accountId>",
            "type": "AWS::DynamoDB::Table",
            "ARN": "arn:aws:dynamodb:us-east-1:<accountId>:table/<TableName>"
        }
    ],
    "eventType": "AwsApiCall",
    "apiVersion": "2012-08-10",
    "managementEvent": false,
    "recipientAccountId": "<accountId>"
}

The preceding CloudTrail record is for a single request to DynamoDB, and it details the user and data request information. The record includes a detailed attribution of the principal and the assumed role sessionContext that sent the request, as well as the sourceIPAddress and userAgent (in this case, the console), and whether the user was mfaAuthenticated (not in this case). In addition to the user identity, each record contains detailed information about the data event on DynamoDB. These details include requestParameters, tableName, key, eventName, and more. If a request fails, the error code also is logged. The record combines user and activity, which makes monitoring, alarming, and archiving possible for security and compliance requirements.

This record’s user and data event attribution is the information your security team needs to identify a bad actor and build an authoritative reference of compromised activity. Security teams across industries, including finance, healthcare, education, and social media, use these attribution systems not only as detective and preventive controls (identifying and blocking access), but also as a corrective control (impact analysis).

Given the potentially high volume of requests per second on a DynamoDB table, it’s important that you consider how you use your data event logs. If your logs are for audit purposes, you should keep the logs active all the time and apply appropriate data lifecycle policies to the data in the S3 bucket. However, if you need the data event logs only for specific activities, such as user access audits, user behavior validation, or troubleshooting, you can enable and disable data event logging situationally in CloudTrail.

For robust monitoring and alerting, you also can integrate data events with Amazon CloudWatch Logs. To enhance your analysis of DynamoDB service activity and identify changes in activities for an AWS account, you can query AWS CloudTrail logs using Amazon Athena. For example, you can use queries to identify trends and further isolate activity by attributes, such as source IP address or user.
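The attributes the record section above calls out (principal, assumed-role session, mfaAuthenticated, sourceIPAddress, readOnly, errorCode) are exactly what a detective control on data events works from. The following is an added example, not code from the post or from AWS: it reads a CloudTrail log file in the gzipped {"Records": [...]} form that lands in the trail's S3 bucket, keeps only DynamoDB data events, flags writes made in sessions without MFA and denied requests, and tallies activity by principal and source IP, which is the offline counterpart of the kind of Athena query the paragraph above describes. Every record in the sample log is constructed for the example, including the account ID 111122223333 and the IP addresses.

```python
"""Added example (not the post's code): triage DynamoDB data events from a
CloudTrail log file. The log below is constructed; the account ID and IPs
are placeholders, not real values."""
import gzip
import io
import json
from collections import Counter

ACCOUNT = "111122223333"  # constructed


def make_record(event_name, role, session, ip, read_only, mfa,
                table="DynamoDB-CloudTrail", error=None, management=False):
    """Construct a minimal CloudTrail record with the fields the triage uses."""
    rec = {
        "eventVersion": "1.06",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/{role}/{session}",
            "sessionContext": {
                "sessionIssuer": {"type": "Role", "userName": role},
                "attributes": {"mfaAuthenticated": "true" if mfa else "false"},
            },
        },
        "eventTime": "2020-10-20T15:00:25Z",
        "eventSource": "dynamodb.amazonaws.com",
        "eventName": event_name,
        "awsRegion": "us-east-1",
        "sourceIPAddress": ip,
        "requestParameters": {"tableName": table},
        "readOnly": read_only,
        "managementEvent": management,
        "eventType": "AwsApiCall",
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed log file: four data events and one management event.
SAMPLE_LOG = gzip.compress(json.dumps({"Records": [
    make_record("GetItem", "AppRole", "app-1", "10.0.1.5", True, False),
    make_record("PutItem", "AppRole", "app-1", "10.0.1.5", False, False),
    make_record("DeleteItem", "AdminRole", "alice", "203.0.113.7", False, True),
    make_record("Scan", "AppRole", "app-2", "198.51.100.9", True, False,
                error="AccessDeniedException"),
    make_record("CreateTable", "AdminRole", "alice", "203.0.113.7", False, True,
                management=True),
]}).encode("utf-8"))


def load_records(gz_bytes):
    """Decode a gzipped CloudTrail log file into its list of records."""
    with gzip.open(io.BytesIO(gz_bytes), "rt", encoding="utf-8") as fh:
        return json.load(fh)["Records"]


def dynamodb_data_events(records):
    """Keep item-level DynamoDB activity; drop management (control plane) events."""
    return [r for r in records
            if r.get("eventSource") == "dynamodb.amazonaws.com"
            and not r.get("managementEvent", True)]


def principal(rec):
    return rec.get("userIdentity", {}).get("arn", "unknown")


def mfa_authenticated(rec):
    attrs = rec.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def findings(events):
    """Flag denied requests and writes from sessions that were not MFA-authenticated."""
    out = []
    for r in events:
        base = {"eventName": r.get("eventName"),
                "table": r.get("requestParameters", {}).get("tableName"),
                "principal": principal(r),
                "sourceIPAddress": r.get("sourceIPAddress")}
        if "errorCode" in r:
            out.append({**base, "kind": "denied", "errorCode": r["errorCode"]})
        elif not r.get("readOnly", True) and not mfa_authenticated(r):
            out.append({**base, "kind": "write-without-mfa"})
    return out


def activity_by_principal_and_ip(events):
    """Count reads and writes per (principal, source IP) for trend review."""
    return Counter((principal(r), r.get("sourceIPAddress"),
                    "read" if r.get("readOnly") else "write") for r in events)


if __name__ == "__main__":
    evs = dynamodb_data_events(load_records(SAMPLE_LOG))
    for f in findings(evs):
        print(f)
    for key, n in activity_by_principal_and_ip(evs).items():
        print(key, n)
```

In production the same functions would run over each object the trail delivers to S3 (or over a CloudWatch Logs subscription), and the "write-without-mfa" rule would be tuned to the tables and roles that your controls actually designate as sensitive.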

Cleaning up

After you create a DynamoDB table and CloudTrail trail, enable data events, create a DynamoDB item, and review the result in CloudTrail, you should remove any resources that you created in this process. Resources that remain active can incur associated costs.

Conclusion

In this post, we showed how you can use CloudTrail to enable data plane event logging on DynamoDB tables so you can extract invaluable insights to help meet your organization’s security practices for compliance and auditing purposes. To learn more about DynamoDB data plane event logging, see Logging DynamoDB Operations by Using AWS CloudTrail. Additional charges apply for data events. For more information, see AWS CloudTrail pricing.


About the Authors

Mazen Ali is a Senior Technical Product Manager on the Amazon DynamoDB team.