Configuration to enable AWS CloudTrail in an AWS account for logging DynamoDB Data Events. Data Events for Amazon DynamoDB record object-level API activity on tables (for example Query, PutItem, Scan, DeleteItem and GetItem), which management-event-only trails do not capture.
The configuration template includes the following resources (the trail, the S3 bucket that receives the logs, and the bucket policy that lets CloudTrail write to it):

AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  CloudTrail:
    Type: 'AWS::CloudTrail::Trail'
    # Create the trail only after the bucket policy exists; CloudTrail checks
    # s3:GetBucketAcl / s3:PutObject on the bucket at creation time.
    DependsOn: S3BucketPolicy
    Properties:
      TrailName: GlobalS3DataEventsTrail
      IsLogging: true
      # Digest files let you verify that delivered log files were not altered.
      EnableLogFileValidation: true
      EventSelectors:
        # Log both reads and writes for every DynamoDB table in the account;
        # the bare 'arn:aws:dynamodb' value selects all tables.
        - ReadWriteType: All
          DataResources:
            - Type: 'AWS::DynamoDB::Table'
              Values:
                - 'arn:aws:dynamodb'
      # Cover tables in every region, not only the one the stack is deployed in.
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true
      S3BucketName:
        Ref: S3BucketForCloudTrailCloudTrail
  S3BucketForCloudTrailCloudTrail:
    Type: 'AWS::S3::Bucket'
    # No bucket settings are specified here; default encryption and
    # public-access blocking are left to the account defaults.
    Properties: {}
  S3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket:
        Ref: S3BucketForCloudTrailCloudTrail
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # CloudTrail reads the bucket ACL before it starts delivering logs.
          - Sid: AWSCloudTrailBucketPermissionsCheck
            Effect: Allow
            Principal:
              Service:
                - cloudtrail.amazonaws.com
            Action: 's3:GetBucketAcl'
            Resource:
              'Fn::GetAtt':
                - S3BucketForCloudTrailCloudTrail
                - Arn
          # Delivery is limited to the AWSLogs/ prefix and requires the
          # bucket-owner-full-control ACL so the account owns the log objects.
          - Sid: AWSCloudTrailBucketDelivery
            Effect: Allow
            Principal:
              Service:
                - cloudtrail.amazonaws.com
            Action: 's3:PutObject'
            Resource:
              'Fn::Join':
                - ''
                - - 'Fn::GetAtt':
                      - S3BucketForCloudTrailCloudTrail
                      - Arn
                  - /AWSLogs/*
            Condition:
              StringEquals:
                's3:x-amz-acl': bucket-owner-full-control
Parameters: {}
Metadata: {}
Conditions: {}
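An added example, not part of the page or its template library: a small policy-as-code check that a CloudFormation template really delivers the intent described above (a logging, multi-region, validated trail that records All DynamoDB data events for every table). The TEMPLATE dict is the page's trail transcribed inline so the check runs offline without a YAML parser; the function names are this example's own.

```python
# Added example (not part of the page or its template library): a small
# policy-as-code check that a CloudFormation template actually delivers the
# intent above: a logging, multi-region, validated trail that records All
# DynamoDB data events for every table. TEMPLATE is the page's trail,
# transcribed inline as a dict so the check runs offline without PyYAML.
TEMPLATE = {"Resources": {"CloudTrail": {
    "Type": "AWS::CloudTrail::Trail",
    "Properties": {
        "IsLogging": True, "EnableLogFileValidation": True,
        "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True,
        "EventSelectors": [{
            "ReadWriteType": "All",
            "DataResources": [{"Type": "AWS::DynamoDB::Table",
                               "Values": ["arn:aws:dynamodb"]}]}]}}}}


def _selector_covers_all_tables(selector):
    """True if this selector logs reads and writes on every DynamoDB table."""
    # CloudTrail treats a missing ReadWriteType as All.
    if selector.get("ReadWriteType", "All") != "All":
        return False
    return any(dr.get("Type") == "AWS::DynamoDB::Table"
               and "arn:aws:dynamodb" in dr.get("Values", [])
               for dr in selector.get("DataResources", []))


def check_dynamodb_trail(template):
    """Return a list of findings; an empty list means the template passes."""
    trails = [r for r in template.get("Resources", {}).values()
              if r.get("Type") == "AWS::CloudTrail::Trail"]
    if not trails:
        return ["no AWS::CloudTrail::Trail resource in template"]
    findings = []
    for trail in trails:
        p = trail.get("Properties", {})
        if p.get("IsLogging") is not True:
            findings.append("trail is not logging (IsLogging)")
        if p.get("EnableLogFileValidation") is not True:
            findings.append("log file validation off: tampering with delivered logs is undetectable")
        if p.get("IsMultiRegionTrail") is not True:
            findings.append("single-region trail: tables in other regions are not logged")
        if not any(_selector_covers_all_tables(s) for s in p.get("EventSelectors", [])):
            findings.append("no event selector logs All DynamoDB data events for every table")
    return findings


if __name__ == "__main__":
    print(check_dynamodb_trail(TEMPLATE) or "template passes")
```

Run it in CI against the template before deployment; a non-empty list of findings fails the pipeline, so a later edit that drops the data-event selector or the multi-region flag cannot silently reduce coverage.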