Database Connector

DynamoDB Connector

Connect DB Audit to Amazon DynamoDB for comprehensive API monitoring, IAM user tracking, and compliance reporting via native CloudTrail integration.

Native Deep Integration

CloudTrail Native: Direct integration with AWS CloudTrail

IAM Identity Context: Full user/role attribution

Zero Performance Impact: AWS-side logging only

What You Can Monitor

API Activity Monitoring

Track every DynamoDB API call including GetItem, PutItem, Query, Scan, and batch operations.

IAM User Tracking

Monitor which IAM users and roles are accessing your tables with full identity context.

Table Change Detection

Detect and alert on table creation, deletion, and configuration changes in real-time.

Access Pattern Analysis

Analyze read/write patterns to identify unusual access or potential data exfiltration.

Requirements

AWS Account: Active AWS account with DynamoDB tables
CloudTrail: CloudTrail enabled for DynamoDB data events
Authentication: IAM user or role with read permissions
Required Permissions: dynamodb:DescribeTable, logs:FilterLogEvents

Configuration Reference

AWS Connection

Field             | Type     | Required | Description
name              | string   | Yes      | A unique name to identify this connection
region            | string   | Yes      | AWS region where tables are located (e.g., us-east-1)
table_names       | array    | No       | Specific tables to monitor (empty for all tables)
access_key_id     | string   | Yes      | AWS IAM access key ID
secret_access_key | password | Yes      | AWS IAM secret access key (stored encrypted)
session_token     | password | No       | Session token for temporary credentials

IAM Role Assumption (Cross-Account)

Field             | Type   | Default | Description
assume_role_arn   | string | -       | ARN of IAM role to assume for cross-account access
external_id       | string | -       | External ID for role assumption (recommended for security)
role_session_name | string | dbaudit | Session name for assumed role

Log Collection

Field               | Type    | Default    | Description
log_collection_type | select  | cloudtrail | Method for collecting audit logs
cloudtrail_name     | string  | -          | CloudTrail trail name for data events
polling_interval    | number  | 60         | Seconds between log collection polls
enable_streams      | boolean | false      | Also monitor DynamoDB Streams for item changes

Log Collection Methods

DB Audit supports multiple methods for collecting activity logs from Amazon DynamoDB.

CloudTrail Data Events (Recommended)

Collect DynamoDB API activity from CloudTrail for comprehensive request-level auditing.

All API calls captured
IAM identity included
Request/response details
Cross-region visibility

DynamoDB Streams

Monitor item-level changes in real-time using DynamoDB Streams.

Real-time item changes
Before/after images
Per-table granularity
Low latency
Step 1: Create IAM Policy

Create an IAM policy with read-only access to DynamoDB and CloudTrail for audit collection.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DynamoDBAuditRead",
            "Effect": "Allow",
            "Action": [
                "dynamodb:DescribeTable",
                "dynamodb:ListTables",
                "dynamodb:DescribeStream",
                "dynamodb:GetShardIterator",
                "dynamodb:GetRecords",
                "dynamodb:ListStreams"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudTrailRead",
            "Effect": "Allow",
            "Action": [
                "cloudtrail:LookupEvents",
                "logs:FilterLogEvents",
                "logs:GetLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams"
            ],
            "Resource": "*"
        },
        {
            "Sid": "S3CloudTrailRead",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::your-cloudtrail-bucket",
                "arn:aws:s3:::your-cloudtrail-bucket/*"
            ]
        }
    ]
}

Security Best Practice

Use IAM roles with temporary credentials instead of long-term access keys. For cross-account access, use role assumption with an external ID.

Step 2: Enable CloudTrail Data Events

Configure CloudTrail to capture DynamoDB data events for comprehensive API auditing.

# Enable CloudTrail data events for DynamoDB via AWS CLI

# Create a trail with data event logging
aws cloudtrail create-trail \
  --name dynamodb-audit-trail \
  --s3-bucket-name your-cloudtrail-bucket \
  --is-multi-region-trail

# Enable DynamoDB data events
aws cloudtrail put-event-selectors \
  --trail-name dynamodb-audit-trail \
  --event-selectors '[
    {
      "ReadWriteType": "All",
      "IncludeManagementEvents": true,
      "DataResources": [
        {
          "Type": "AWS::DynamoDB::Table",
          "Values": ["arn:aws:dynamodb"]
        }
      ]
    }
  ]'

# Start logging
aws cloudtrail start-logging --name dynamodb-audit-trail

# Verify trail status
aws cloudtrail describe-trails --trail-name-list dynamodb-audit-trail

Cost Note

CloudTrail data events incur additional AWS charges. Consider filtering to specific high-value tables in production environments.

Step 3: Configure DB Audit Collector

Add your DynamoDB connection to the DB Audit configuration.

databases:
  - name: production-dynamodb
    type: dynamodb
    region: us-east-1

    # Authentication (use IAM role in production)
    access_key_id: ${AWS_ACCESS_KEY_ID}
    secret_access_key: ${AWS_SECRET_ACCESS_KEY}

    # Optional: Assume role for cross-account access
    # assume_role_arn: arn:aws:iam::123456789012:role/DBAuditRole
    # external_id: your-external-id

    # Tables to monitor (empty for all)
    table_names:
      - users
      - orders
      - transactions

    # Log collection settings
    log_collection:
      type: cloudtrail
      cloudtrail_name: dynamodb-audit-trail
      polling_interval: 60

    # Optional: Also enable Streams for item changes
    options:
      enable_streams: true
      track_item_changes: true

Step 4: Test Connection

Verify your AWS credentials and CloudTrail configuration.

# Verify IAM permissions
aws dynamodb list-tables --region us-east-1

# Check CloudTrail is logging
aws cloudtrail get-trail-status --name dynamodb-audit-trail

# Test CloudTrail event lookup
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=EventSource,AttributeValue=dynamodb.amazonaws.com \
  --max-results 5

# Verify DB Audit collector can connect
dbaudit-collector test-connections --config /etc/dbaudit/config.yaml
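Once the trail is delivering events, the collector's value is in what it does with them. The following is an added example, not DB Audit's own code: it runs the kind of detection this page describes (table change detection, IAM attribution, unusual read patterns) over constructed CloudTrail-shaped records. The table names, the account ID, the principals and the read threshold are assumptions.

```python
from collections import Counter

# Constructed sample records, shaped like CloudTrail DynamoDB events (not real logs).
ACCOUNT = "123456789012"
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:01Z", "eventName": "GetItem",
     "userIdentity": {"arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/AppRole/web-1"},
     "requestParameters": {"tableName": "users"}},
    {"eventTime": "2024-05-01T10:00:05Z", "eventName": "Scan",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/analyst"},
     "requestParameters": {"tableName": "transactions"}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventName": "DeleteTable",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/analyst"},
     "requestParameters": {"tableName": "orders"}},
] + [
    {"eventTime": f"2024-05-01T10:02:{i:02d}Z", "eventName": "Query",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/analyst"},
     "requestParameters": {"tableName": "users"}}
    for i in range(12)
]

TABLE_CHANGE_EVENTS = {"CreateTable", "DeleteTable", "UpdateTable", "UpdateTimeToLive"}
READ_EVENTS = {"GetItem", "BatchGetItem", "Query", "Scan"}

def principal_of(record):
    """IAM user/role ARN that made the call (CloudTrail's userIdentity.arn)."""
    return record.get("userIdentity", {}).get("arn", "unknown")

def table_of(record):
    """Table named in the request; management events also carry tableName."""
    return record.get("requestParameters", {}).get("tableName", "unknown")

def analyze(records, high_value_tables, read_threshold=10):
    """Return findings: table changes, Scans of high-value tables, and
    principals whose read count on a single table reaches read_threshold."""
    findings, reads = [], Counter()
    for r in records:
        name, who, table = r["eventName"], principal_of(r), table_of(r)
        if name in TABLE_CHANGE_EVENTS:
            findings.append({"type": "table_change", "event": name, "table": table, "principal": who})
        elif name == "Scan" and table in high_value_tables:
            findings.append({"type": "scan_high_value", "table": table, "principal": who})
        if name in READ_EVENTS:
            reads[(who, table)] += 1
    for (who, table), n in reads.items():
        if n >= read_threshold:
            findings.append({"type": "bulk_read", "principal": who, "table": table, "count": n})
    return findings
```

Feed `analyze()` the records returned by `aws cloudtrail lookup-events` (the `CloudTrailEvent` field of each event is the JSON record shown above) to try it against a real trail.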

Compliance Support

DB Audit's DynamoDB connector helps you meet audit requirements for major compliance frameworks.

SOC 2: Access logging
HIPAA: PHI access audit
PCI DSS: Cardholder data
GDPR: Data access rights

Troubleshooting

AccessDeniedException

Verify that your IAM user/role has the required permissions. Check that the policy is attached and that no service control policies (SCPs) block access.

No CloudTrail events found

Confirm CloudTrail is logging DynamoDB data events. Check that the trail is started and data events are enabled for DynamoDB tables.

Cross-account access denied

Verify the trust policy on the target role allows your account. Check that the external ID matches if configured.
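The two conditions above (the trust policy names your account, and the external ID matches) can be checked before the collector is pointed at the role. This is an added example, not DB Audit code: the trust policies are constructed, the account ID 111122223333 is a placeholder for the account DB Audit runs in, and the external ID reuses the placeholder from the configuration example.

```python
import json

# Constructed trust policy for the role named in assume_role_arn (not a real policy).
# 111122223333 is a placeholder for the account DB Audit assumes the role from; the
# external ID matches the placeholder used in the connector configuration.
COLLECTOR_ACCOUNT = "111122223333"
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "your-external-id"}}
  }]
}
""")
# The same role, but trusting every AWS account and requiring no external ID.
WEAK_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}

def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def _account_of(principal):
    """Account ID from an ARN principal or a bare account-ID principal."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def check_trust_policy(policy, collector_account, external_id):
    """Return the problems found (an empty list means the policy is acceptable):
    every Allow statement for sts:AssumeRole must trust only collector_account
    and must require the configured external ID through sts:ExternalId."""
    problems = []
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    for i, st in enumerate(stmts):
        actions = _as_list(st.get("Action"))
        if st.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = st.get("Principal", {})
        trusted = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        for p in trusted:
            if p == "*" or _account_of(p) != collector_account:
                problems.append(f"statement {i}: trusts {p!r}, not account {collector_account}")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append(f"statement {i}: no sts:ExternalId condition")
        elif ext != external_id:
            problems.append(f"statement {i}: sts:ExternalId does not match configured external_id")
    return problems
```

Pass the output of `aws iam get-role` (its `AssumeRolePolicyDocument`) as `policy` to check the real role.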

Ready to Audit Your DynamoDB Tables?

Start monitoring your DynamoDB tables in minutes with native CloudTrail integration.