How to Audit Amazon DynamoDB Table Access

Enable AWS CloudTrail audit logging for DynamoDB. Optimize performance & costs by tracking application access & monitoring logs with CloudWatch.



If you discover that applications are accessing a DynamoDB table or Global Secondary Index (GSI), based on CloudWatch metrics, but you are unsure of which application it is, you can enable audit logging to get more detailed information. DynamoDB supports logging audit events via the AWS CloudTrail service, for “data events,” which include reads and writes of items into tables.

You can use information about applications accessing DynamoDB tables to help optimize them for costs and performance.

Create CloudTrail for DynamoDB

Most organizations have CloudTrail audit logging enabled across all of their AWS accounts and regions, within their AWS Organization structure. However, this configuration may not include “data events” due to the large quantity of log data that may be generated by applications accessing items.

If you need to audit at this level, you can create a separate CloudTrail trail that is scoped specifically to DynamoDB data events.

When creating the new trail, be sure to enable Data Events. See the screenshot below for an example.


Specify CloudTrail Data Events

When creating a CloudTrail for data events, you’ll also need to specify which data events you specifically want to gather. Many different services support data events, including DynamoDB, S3, SQS, and more.

CloudTrail allows you to create an array of “advanced” rules that target a given service. In the example below, you can see that we’ve selected DynamoDB as the Data Event Type. The Log Selector field allows you to select read / write / custom events.

If you select Custom events, you can add further criteria to narrow down which specific tables you want to monitor, or specific API calls you’re looking to monitor.
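
The same scoping can be expressed outside the console as an advanced event selector. The following is an added example, not code from the original page: the helper names `dynamodb_selector`, `would_log` and `apply_to_trail` are hypothetical, and `would_log` is a simplified local dry run that handles only `Equals` conditions, not CloudTrail's own evaluator.

```python
def dynamodb_selector(table_arns=(), event_names=(), read_only=None):
    """Build one CloudTrail advanced event selector for DynamoDB data events."""
    fields = [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::DynamoDB::Table"]},
    ]
    if table_arns:                # narrow to specific tables
        fields.append({"Field": "resources.ARN", "Equals": list(table_arns)})
    if event_names:               # narrow to specific API calls
        fields.append({"Field": "eventName", "Equals": list(event_names)})
    if read_only is not None:     # True = reads only, False = writes only
        fields.append({"Field": "readOnly", "Equals": [str(read_only).lower()]})
    return {"Name": "DynamoDB table audit", "FieldSelectors": fields}

def would_log(selector, event):
    """Simplified dry run: does every field selector match this record?"""
    def actual(field):
        if field.startswith("resources."):
            key = field.split(".", 1)[1]
            return [str(r.get(key)) for r in event.get("resources") or []]
        value = event.get(field)
        return [str(value).lower() if isinstance(value, bool) else str(value)]
    return all(any(v in fs["Equals"] for v in actual(fs["Field"]))
               for fs in selector["FieldSelectors"])

def apply_to_trail(trail_name, selectors):
    """Attach selectors to an existing trail (needs boto3 and AWS credentials)."""
    import boto3
    boto3.client("cloudtrail").put_event_selectors(
        TrailName=trail_name, AdvancedEventSelectors=selectors)

# Fields copied from the example Scan event shown later on this page.
SCAN_EVENT = {
    "eventCategory": "Data", "eventName": "Scan", "readOnly": True,
    "resources": [{"type": "AWS::DynamoDB::Table",
                   "ARN": "arn:aws:dynamodb:us-west-1:973081273628:table/trevor-products"}],
}
TABLE_ARN = SCAN_EVENT["resources"][0]["ARN"]

if __name__ == "__main__":
    print(would_log(dynamodb_selector([TABLE_ARN], ["Scan"]), SCAN_EVENT))
```

`apply_to_trail` takes a list of selectors, for example `[dynamodb_selector([TABLE_ARN])]`, and replaces the selectors already configured on the trail.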


CloudTrail requires that you set up an Amazon S3 bucket as a destination for the raw JSON log output. While this is a suitable storage medium for applications needing to ingest and analyze CloudTrail data, it’s not as convenient for engineers who need to quickly visualize the data.

For convenience, you can enable an optional CloudWatch Logs log group to output the CloudTrail logs to, in parallel with S3. CloudWatch Logs is more useful for interactive log analysis, as you can “live tail” the logs directly in the AWS Management Console. No additional tooling or configuration is required.


Monitoring CloudTrail Events in CloudWatch

Now that you’ve configured AWS CloudTrail to emit DynamoDB “data events” into CloudWatch Logs, you can head over to the CloudWatch service to view the logs in near real-time. Events sometimes take a few seconds to appear, so be patient while you’re viewing this data interactively.

Open up the Live Tail view in the CloudWatch console, and select the Log Group that you configured in AWS CloudTrail.

Example CloudTrail Data Event

Here’s an example CloudTrail data event for an Amazon DynamoDB table Scan operation. As you can see, the CloudTrail record provides some detail about the request, such as the User Agent, IP address, and authenticated identity. This information can help you track down your application and determine if that workload is still required or not.


{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "",
        "arn": "arn:aws:sts::973081273628:assumed-role/AWSReservedSSO_AdministratorAccess_4b43232943809da0/",
        "accountId": "973081273628",
        "accessKeyId": "ASIA6FEBJ4UOE6M4MSEH",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROA6FEBJ4UOHYAACKDWF",
                "arn": "arn:aws:iam::973081273628:role/aws-reserved/",
                "accountId": "973081273628",
                "userName": "AWSReservedSSO_AdministratorAccess_4b43232943809da0"
            },
            "attributes": {
                "creationDate": "2024-04-04T05:42:34Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2024-04-04T06:22:09Z",
    "eventSource": "",
    "eventName": "Scan",
    "awsRegion": "us-west-1",
    "sourceIPAddress": "",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36",
    "requestParameters": {
        "tableName": "trevor-products",
        "select": "ALL_ATTRIBUTES",
        "limit": 300,
        "consistentRead": false,
        "returnConsumedCapacity": "TOTAL"
    },
    "responseElements": null,
    "requestID": "3Q1P8G5923DI3E5DEQD6G26P3JVV4KQNSO5AEMVJF66Q9ASUAAJG",
    "eventID": "b545a0b7-bb47-4428-8934-4b4e5513931b",
    "readOnly": true,
    "resources": [
        {
            "accountId": "973081273628",
            "type": "AWS::DynamoDB::Table",
            "ARN": "arn:aws:dynamodb:us-west-1:973081273628:table/trevor-products"
        }
    ],
    "eventType": "AwsApiCall",
    "apiVersion": "2012-08-10",
    "managementEvent": false,
    "recipientAccountId": "973081273628",
    "eventCategory": "Data",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_128_GCM_SHA256",
        "clientProvidedHostHeader": ""
    },
    "sessionCredentialFromConsole": "true"
}
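
To turn many such records into an answer to "which application is reading this table?", group them by table, caller, API call and user agent. This is an added example, not code from the original page; the function names and the sample log lines (account `111122223333`, table `orders`, the role names and user agents) are constructed for illustration.

```python
import json
from collections import Counter

def caller_of(identity):
    """Role name behind an assumed-role session, else the caller's ARN."""
    issuer = (identity.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("userName") or identity.get("arn") or "unknown"

def table_access_summary(lines):
    """Count DynamoDB data events per (table, caller, API call, user agent)."""
    counts = Counter()
    for line in lines:
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            continue                      # truncated or non-JSON log line
        if not isinstance(doc, dict):
            continue
        # S3 log files wrap records in {"Records": [...]}; a CloudWatch Logs
        # message holds a single record.
        for ev in doc.get("Records", [doc]):
            if ev.get("eventCategory") != "Data":
                continue                  # ignore management events
            caller = caller_of(ev.get("userIdentity") or {})
            for res in ev.get("resources") or []:
                if res.get("type") == "AWS::DynamoDB::Table":
                    table = res.get("ARN", "").split(":table/", 1)[-1]
                    counts[(table, caller, ev.get("eventName"), ev.get("userAgent"))] += 1
    return counts

def _event(table, role, name, agent, category="Data"):
    """Constructed sample record with only the fields the summary reads."""
    return json.dumps({
        "eventCategory": category, "eventName": name, "userAgent": agent,
        "userIdentity": {"type": "AssumedRole", "sessionContext": {
            "sessionIssuer": {"userName": role}}},
        "resources": [{"type": "AWS::DynamoDB::Table",
                       "ARN": f"arn:aws:dynamodb:us-west-1:111122223333:table/{table}"}],
    })

SAMPLE_LINES = [  # constructed log lines, not real traffic
    _event("orders", "nightly-report", "Scan", "Boto3/1.34.0"),
    _event("orders", "nightly-report", "Scan", "Boto3/1.34.0"),
    _event("orders", "checkout-api", "GetItem", "aws-sdk-java/2.25.0"),
    _event("orders", "admin", "DescribeTable", "console", category="Management"),
    '{"eventCategory": "Data", "eventName": "Sc',   # truncated line
]

if __name__ == "__main__":
    for key, n in table_access_summary(SAMPLE_LINES).most_common():
        print(n, *key)
```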

