How to Audit Amazon DynamoDB Table Access

If you discover that applications are accessing a DynamoDB table or Global Secondary Index (GSI), based on CloudWatch metrics, but you are unsure of which application it is, you can enable audit logging to get more detailed information. DynamoDB supports logging audit events via the AWS CloudTrail service, for “data events,” which include reads and writes of items into tables.

You can use information about applications accessing DynamoDB tables to help optimize them for costs and performance.

Create CloudTrail for DynamoDB

Most organizations have CloudTrail audit logging enabled across all of their AWS accounts and regions, within their AWS Organization structure. However, this configuration may not include “data events” due to the large quantity of log data that may be generated by applications accessing items.

You can create another AWS CloudTrail entity that is scoped specifically to DynamoDB data events, if you need to perform auditing at this level.

When creating a new CloudTrail, be sure to enable Data Events. Check out the below screenshot for an example.

Specify CloudTrail Data Events

When creating a CloudTrail for data events, you’ll also need to specify which data events you specifically want to gather. Many different services support data events, including DynamoDB, S3, SQS, and more.

CloudTrail allows you to create an array of “advanced” rules that target a given service. In the example below, you can see that we’ve selected DynamoDB as the Data Event Type. The Log Selector field allows you to select read / write / custom events.

If you select Custom events, you can add further criteria to narrow down which specific tables you want to monitor, or specific API calls you’re looking to monitor.

CloudTrail requires that you set up an Amazon S3 bucket as a destination for the raw JSON log output. While this is a suitable storage medium for applications needing to ingest and analyze CloudTrail data, it’s not as convenient for engineers who need to quickly visualize the data.

For convenience, you can enable an optional CloudWatch Logs log group to output the CloudTrail logs to, in parallel with S3. CloudWatch Logs is more useful for interactive log analysis, as you can “live tail” the logs directly in the AWS Management Console. No additional tooling or configuration is required.

Monitoring CloudTrail Events in CloudWatch

Now that you’ve configured AWS CloudTrail to emit DynamoDB “data events” into CloudWatch Logs, you can head over to the CloudWatch service to view the logs in near real-time. There is sometimes a few seconds of delay for events to be emitted, so be patient while you’re viewing this data interactively.

Open up the Live Tail view in the CloudWatch console, and select the Log Group that you configured in AWS CloudTrail.

Example CloudTrail Data Event

Here’s an example CloudTrail data event for an Amazon DynamoDB table Scan operation. As you can see, the CloudTrail record provides some detail about the request, such as the User Agent, IP address, and authenticated identity. This information can help you track down your application and determine if that workload is still required or not.

{

    "eventVersion": "1.08",

    "userIdentity": {

        "type": "AssumedRole",

        "principalId": "AROA6FEBJ4UOHYANCKDWF:trevor.sullivan@stratusgrid.com",

        "arn": "arn:aws:sts::973081273628:assumed-role/AWSReservedSSO_AdministratorAccess_4b43232943809da0/trevor.sullivan@stratusgrid.com",

        "accountId": "973081273628",

        "accessKeyId": "ASIA6FEBJ4UOE6M4MSEH",

        "sessionContext": {

            "sessionIssuer": {

                "type": "Role",

                "principalId": "AROA6FEBJ4UOHYAACKDWF",

                "arn": "arn:aws:iam::973081273628:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AdministratorAccess_4b43232943809da0",

                "accountId": "973081273628",

                "userName": "AWSReservedSSO_AdministratorAccess_4b43232943809da0"

            },

            "attributes": {

                "creationDate": "2024-04-04T05:42:34Z",

                "mfaAuthenticated": "false"

            }

        }

    },

    "eventTime": "2024-04-04T06:22:09Z",

    "eventSource": "dynamodb.amazonaws.com",

    "eventName": "Scan",

    "awsRegion": "us-west-1",

    "sourceIPAddress": "200.12.121.30",

    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36",

    "requestParameters": {

        "tableName": "trevor-products",

        "select": "ALL_ATTRIBUTES",

        "limit": 300,

        "consistentRead": false,

        "returnConsumedCapacity": "TOTAL"

    },

    "responseElements": null,

    "requestID": "3Q1P8G5923DI3E5DEQD6G26P3JVV4KQNSO5AEMVJF66Q9ASUAAJG",

    "eventID": "b545a0b7-bb47-4428-8934-4b4e5513931b",

    "readOnly": true,

    "resources": [

        {

            "accountId": "973081273628",

            "type": "AWS::DynamoDB::Table",

            "ARN": "arn:aws:dynamodb:us-west-1:973081273628:table/trevor-products"

        }

    ],

    "eventType": "AwsApiCall",

    "apiVersion": "2012-08-10",

    "managementEvent": false,

    "recipientAccountId": "973081273628",

    "eventCategory": "Data",

    "tlsDetails": {

        "tlsVersion": "TLSv1.3",

        "cipherSuite": "TLS_AES_128_GCM_SHA256",

        "clientProvidedHostHeader": "dynamodb.us-west-1.amazonaws.com"

    },

    "sessionCredentialFromConsole": "true"

}

See Stratusphere™ FinOps in Action Here