DynamoDB Data Event Logging with CloudTrail

Configuration to enable AWS CloudTrail in an AWS account for logging DynamoDB Data Events. Data Events for Amazon DynamoDB record object-level API activity (for example, Query, PutItem, Scan, DeleteItem, and GetItem).

Configuration templates also include the following:

  • Create a new S3 bucket (default) to store CloudTrail logs or enter the name of an existing S3 bucket.
  • Create a CloudWatch Log Group to store CloudTrail logs, and the IAM Role required for this (or specify an existing CloudWatch log group and IAM role).
  • Include Management Events (AWS services' control plane activity) in an AWS Account.
  • Include Data Events for Lambda, DynamoDB, and/or S3 to record data plane operations.
  • Additional CloudTrail settings:
    • Log File Validation
    • Log Encryption with KMS
  • Organization Trail: Creates this trail for the whole AWS Organization. When this option is enabled, the configuration should be deployed in the Organization's management account.
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  CloudTrail:
    Type: 'AWS::CloudTrail::Trail'
    Properties:
      TrailName: GlobalS3DataEventsTrail
      IsLogging: true
      EnableLogFileValidation: true
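      EventSelectors:
        # Data events for DynamoDB; the bare 'arn:aws:dynamodb' prefix
        # matches every table in the account rather than one table ARN.
        - DataResources:
            - Type: 'AWS::DynamoDB::Table'
              Values:
                - 'arn:aws:dynamodb'
          # All = record both read and write operations
          ReadWriteType: All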
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true
      S3BucketName:
        Ref: S3BucketForCloudTrailCloudTrail
    DependsOn: S3BucketPolicy
  S3BucketForCloudTrailCloudTrail:
    Type: 'AWS::S3::Bucket'
    Properties: {}
  S3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket:
        Ref: S3BucketForCloudTrailCloudTrail
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AWSCloudTrailBucketPermissionsCheck
            Effect: Allow
            Principal:
              Service:
                - cloudtrail.amazonaws.com
            Action: 's3:GetBucketAcl'
            Resource:
              'Fn::GetAtt':
                - S3BucketForCloudTrailCloudTrail
                - Arn
          - Sid: 'AWSConfigBucketDelivery'
            Effect: Allow
            Principal:
              Service:
                - cloudtrail.amazonaws.com
            Action: 's3:PutObject'
            Resource:
              'Fn::Join':
                - ''
                - - 'Fn::GetAtt':
                      - S3BucketForCloudTrailCloudTrail
                      - Arn
                  - /AWSLogs/*
            Condition:
              StringEquals:
                's3:x-amz-acl': bucket-owner-full-control
Parameters: {}
Metadata: {}
Conditions: {}
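
The checker below is an added example, not part of the page's template or tooling: it audits a CloudFormation template, already parsed into a Python dict, for the trail settings listed above (DynamoDB data events, log file validation, KMS encryption, CloudWatch Logs delivery). The function names and finding strings are assumptions made for illustration; the property names are CloudFormation's own.

```python
# Added example; only classic EventSelectors are checked, not AdvancedEventSelectors.
DDB_TYPE = "AWS::DynamoDB::Table"


def dynamodb_selectors(props):
    """Return the event selectors that carry a DynamoDB data resource."""
    return [
        sel for sel in props.get("EventSelectors", [])
        if any(r.get("Type") == DDB_TYPE for r in sel.get("DataResources", []))
    ]


def audit_trail(template):
    """Return {trail logical id: [finding, ...]} for every trail resource."""
    report = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::CloudTrail::Trail":
            continue
        props, findings = res.get("Properties", {}), []
        selectors = dynamodb_selectors(props)
        if not selectors:
            findings.append("no DynamoDB data event selector")
        for sel in selectors:
            # CloudTrail treats a missing ReadWriteType as All.
            mode = sel.get("ReadWriteType", "All")
            if mode != "All":
                findings.append("DynamoDB data events limited to " + mode)
        if props.get("EnableLogFileValidation") is not True:
            findings.append("log file validation disabled")
        if not props.get("KMSKeyId"):
            findings.append("no KMS key configured for log encryption")
        if props.get("IsMultiRegionTrail") is not True:
            findings.append("single-region trail")
        # CloudWatch Logs delivery needs the log group and the role together.
        if bool(props.get("CloudWatchLogsLogGroupArn")) != bool(props.get("CloudWatchLogsRoleArn")):
            findings.append("CloudWatch log group and role must be set together")
        report[name] = findings
    return report


# Constructed input: the trail resource from the template above, as a dict.
PAGE_TEMPLATE = {"Resources": {"CloudTrail": {
    "Type": "AWS::CloudTrail::Trail",
    "Properties": {
        "EnableLogFileValidation": True, "IsMultiRegionTrail": True,
        "EventSelectors": [{"ReadWriteType": "All", "DataResources": [
            {"Type": DDB_TYPE, "Values": ["arn:aws:dynamodb"]}]}],
    }}}}
print(audit_trail(PAGE_TEMPLATE))
```

Run against the template as shown, it reports only the missing KMS key: the template enables log file validation but sets no KMSKeyId.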
