Posted On: Sep 22, 2021
You can now use Amazon CloudTrail to filter and retrieve Amazon DynamoDB Streams data plane API activity. This gives you more granular control over which DynamoDB API calls you log and pay for in CloudTrail, and helps you address compliance and auditing requirements.
Data plane events provide visibility into the operations performed on or within a resource. You can now specify AWS::DynamoDB::Stream as a resource type, so that you can control logging of streams events and non-streams events for DynamoDB separately. For example, you can log only DynamoDB Streams APIs to narrow the CloudTrail events you receive, enabling you to identify security issues while controlling costs. With CloudTrail data plane logging, you can record all API activity on DynamoDB and receive detailed information such as the Amazon Identity and Access Management (IAM) user or role that made a request, the time of the request, and the accessed table. DynamoDB data events are delivered to an Amazon S3 bucket and Amazon CloudWatch Events, creating an audit log of data access so that you can respond to events recorded by CloudTrail.
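As an added illustration (not code from this announcement), the Python below holds a streams-only selector in the AdvancedEventSelectors shape that CloudTrail's PutEventSelectors API accepts, using the resource type value AWS::DynamoDB::Stream, and pulls the time, principal, API call and table out of the records it would log. The account ID, principals, table name and sample records are constructed, and `matches` is a simplified local model that handles only the `Equals` operator.

```python
# Selector in the AdvancedEventSelectors shape used by CloudTrail's
# PutEventSelectors API: data events for DynamoDB stream resources only.
STREAM_TYPE = "AWS::DynamoDB::Stream"
STREAMS_ONLY = [{
    "Name": "DynamoDB Streams data events only",
    "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": [STREAM_TYPE]},
    ],
}]

# Constructed sample data: account ID, principals and table name are made up.
IAM_USER = "arn:aws-cn:iam::111122223333:user/"
TABLE_ARN = "arn:aws-cn:dynamodb:cn-north-1:111122223333:table/Orders"
STREAM_ARN = TABLE_ARN + "/stream/2021-09-22T00:00:00.000"

def record(time, name, principal, rtype, arn):
    return {"eventTime": time, "eventName": name, "eventCategory": "Data",
            "userIdentity": {"arn": principal},
            "resources": [{"type": rtype, "ARN": arn}]}

SAMPLE_RECORDS = [
    record("2021-09-22T08:15:02Z", "GetRecords",
           IAM_USER + "stream-consumer", STREAM_TYPE, STREAM_ARN),
    record("2021-09-22T08:15:40Z", "GetItem",
           IAM_USER + "app", "AWS::DynamoDB::Table", TABLE_ARN),
    record("2021-09-22T09:01:11Z", "GetShardIterator",
           IAM_USER + "analyst", STREAM_TYPE, STREAM_ARN),
]

def field_values(rec, field):
    """Resolve a selector field such as 'resources.type' against a record."""
    if field.startswith("resources."):
        key = field.split(".", 1)[1]
        return [r[key] for r in rec.get("resources", []) if key in r]
    return [rec[field]] if field in rec else []

def matches(rec, selector):
    """Simplified local model: all field selectors must match (Equals only)."""
    return all(any(v in fs["Equals"] for v in field_values(rec, fs["Field"]))
               for fs in selector["FieldSelectors"])

def audit_rows(records, selectors):
    """(time, principal, API call, table) for each record a selector would log."""
    hits = [r for r in records if any(matches(r, s) for s in selectors)]
    return [(r["eventTime"], r["userIdentity"]["arn"], r["eventName"],
             r["resources"][0]["ARN"].split(":table/")[1].split("/")[0])
            for r in hits]
```

With this selector the table-level GetItem call is not logged, so only the two stream reads appear in the audit rows.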
CloudTrail logging of DynamoDB data plane events is available in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD. For data plane events pricing, see Amazon CloudTrail pricing. To learn more about filtering DynamoDB streams data plane events, see Logging DynamoDB Operations by Using Amazon CloudTrail.