By Implementation

Service Control PoliciesConfig RulesAuto Remediation RulesConformance PacksAmazon GuardDutyAmazon InspectorAWS Security HubAWS Network FirewallRoute53 Resolver SecurityAmazon MacieS3 Bucket PoliciesCloudWatch Alarms and Event RulesAWS WAFAWS Secrets ManagerAWS Systems ManagerSecurity Groups & NACLsAWS KMSIAM PoliciesAmazon ECRRDS Event Subscriptions

By Service Protected

Configuration Packages

Strategy Guides

Other

Logging & Monitoring Configurations

DynamoDB Data Event Logging with CloudTrail

Configuration to enable AWS CloudTrail in an AWS account for logging DynamoDB Data Events. Data Events for Amazon DynamoDB record object-level API activity (for example, Query, PuItem, Scan, DeleteItem, GetItem, etc.)

Configuration templates also include the following:

  • Create a new S3 bucket (default) to store CloudTrail logs or enter the name of an existing S3 bucket.
  • Create a CloudWatch Log Group to store CloudTrail logs, and the IAM Role required for this (Or specify an existing CloudWatch log group and IAM role). 
  • Include Management Events (AWS services' control plane activity) in an AWS Account.
  • Include Data Events for Lambda, DynamoDB, and/or S3 to record data plane operations
  • Additional CloudTrail settings:
    • Log File Validation
    • Log Encryption with KMS
  • Organization Trail: Creates this trail for the whole AWS Organization. When this option is enabled, the configuration should be deployed in the Orgaizations' management account
Items
3
Size
1.7 KB
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  CloudTrail:
    Type: "AWS::CloudTrail::Trail"
    Properties:
      TrailName: "GlobalS3DataEventsTrail"
      IsLogging: true
      EnableLogFileValidation: true
      EventSelectors:
        - DataResources:
            - Type: "AWS::DynamoDB::Table"
              Values:
                - "arn:aws:dynamodb"
          ReadWriteType: "All"
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true
      S3BucketName:
        Ref: "S3BucketForCloudTrailCloudTrail"
    DependsOn: "S3BucketPolicy"
  S3BucketForCloudTrailCloudTrail:
    Type: "AWS::S3::Bucket"
    Properties: {}
  S3BucketPolicy:
    Type: "AWS::S3::BucketPolicy"
    Properties:
      Bucket:
        Ref: "S3BucketForCloudTrailCloudTrail"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AWSCloudTrailBucketPermissionsCheck"
            Effect: "Allow"
            Principal:
              Service:
                - "cloudtrail.amazonaws.com"
            Action: "s3:GetBucketAcl"
            Resource:
              Fn::GetAtt:
                - "S3BucketForCloudTrailCloudTrail"
                - "Arn"
          - Sid: " AWSConfigBucketDelivery"
            Effect: "Allow"
            Principal:
              Service:
                - "cloudtrail.amazonaws.com"
            Action: "s3:PutObject"
            Resource:
              Fn::Join:
                - ""
                -
                  - Fn::GetAtt:
                      - "S3BucketForCloudTrailCloudTrail"
                      - "Arn"
                  - "/AWSLogs/*"
            Condition:
              StringEquals:
                s3:x-amz-acl: "bucket-owner-full-control"
Parameters: {}
Metadata: {}
Conditions: {}

Actions



Customize Template

Trail Settings

 
 
 

S3 Bucket Settings

CloudWatch Settings

* Required field