DynamoDB detective security best practices - Amazon DynamoDB
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

DynamoDB detective security best practices

The following best practices for Amazon DynamoDB can help you detect potential security weaknesses and incidents.

Use Amazon CloudTrail to monitor Amazon managed KMS key usage

If you are using an Amazon managed key for encryption at rest, usage of this key is logged into Amazon CloudTrail. CloudTrail provides visibility into user activity by recording actions taken on your account. CloudTrail records important information about each action, including who made the request, the services used, the actions performed, parameters for the actions, and the response elements returned by the Amazon service. This information helps you track changes made to your Amazon resources and troubleshoot operational issues. CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards.

You can use CloudTrail to audit key usage. CloudTrail creates log files that contain a history of Amazon API calls and related events for your account. These log files include all Amazon KMS API requests made using the Amazon Web Services Management Console, Amazon SDKs, and command line tools, in addition to those made through integrated Amazon services. You can use these log files to get information about when the KMS key was used, the operation that was requested, the identity of the requester, the IP address that the request came from, and so on. For more information, see Logging Amazon KMS API Calls with Amazon CloudTrail and the Amazon CloudTrail User Guide.

Monitor DynamoDB operations using CloudTrail

CloudTrail can monitor both control plane events and data plane events. Control plane operations let you create and manage DynamoDB tables. They also let you work with indexes, streams, and other objects that are dependent on tables. Data plane operations let you perform create, read, update, and delete (also called CRUD) actions on data in a table. Some data plane operations also let you read data from a secondary index. To enable logging of data plane events in CloudTrail, you'll need to enable logging of data plane API activity in CloudTrail. See Logging data events for trails for more information.

When activity occurs in DynamoDB, that activity is recorded in a CloudTrail event along with other Amazon service events in the event history. For more information, see Logging DynamoDB Operations by Using Amazon CloudTrail. You can view, search, and download recent events in your Amazon account. For more information, see Viewing Events with CloudTrail Event History in the Amazon CloudTrail User Guide.

For an ongoing record of events in your Amazon account, including events for DynamoDB, create a trail. A trail enables CloudTrail to deliver log files to an Amazon Simple Storage Service (Amazon S3) bucket. By default, when you create a trail on the console, the trail applies to all Amazon Regions. The trail logs events from all Regions in the Amazon partition and delivers the log files to the S3 bucket that you specify. Additionally, you can configure other Amazon services to further analyze and act upon the event data collected in CloudTrail logs.

Use DynamoDB Streams to monitor data plane operations

DynamoDB is integrated with Amazon Lambda so that you can create triggers—pieces of code that automatically respond to events in DynamoDB Streams. With triggers, you can build applications that react to data modifications in DynamoDB tables.

If you enable DynamoDB Streams on a table, you can associate the stream Amazon Resource Name (ARN) with a Lambda function that you write. Immediately after an item in the table is modified, a new record appears in the table's stream. Amazon Lambda polls the stream and invokes your Lambda function synchronously when it detects new stream records. The Lambda function can perform any actions that you specify, such as sending a notification or initiating a workflow.

For an example, see Tutorial: Using Amazon Lambda with Amazon DynamoDB Streams. This example receives a DynamoDB event input, processes the messages that it contains, and writes some of the incoming event data to Amazon CloudWatch Logs.

Monitor DynamoDB configuration with Amazon Config

Using Amazon Config, you can continuously monitor and record configuration changes of your Amazon resources. You can also use Amazon Config to inventory your Amazon resources. When a change from a previous state is detected, an Amazon Simple Notification Service (Amazon SNS) notification can be delivered for you to review and take action. Follow the guidance in Setting Up Amazon Config with the Console, ensuring that DynamoDB resource types are included.

You can configure Amazon Config to stream configuration changes and notifications to an Amazon SNS topic. For example, when a resource is updated, you can get a notification sent to your email, so that you can view the changes. You can also be notified when Amazon Config evaluates your custom or managed rules against your resources.

For an example, see Notifications that Amazon Config Sends to an Amazon SNS topic in the Amazon Config Developer Guide.

Monitor DynamoDB compliance with Amazon Config rules

Amazon Config continuously tracks the configuration changes that occur among your resources. It checks whether these changes violate any of the conditions in your rules. If a resource violates a rule, Amazon Config flags the resource and the rule as noncompliant.

By using Amazon Config to evaluate your resource configurations, you can assess how well your resource configurations comply with internal practices, industry guidelines, and regulations. Amazon Config provides Amazon managed rules, which are predefined, customizable rules that Amazon Config uses to evaluate whether your Amazon resources comply with common best practices.

Tag your DynamoDB resources for identification and automation

You can assign metadata to your Amazon resources in the form of tags. Each tag is a simple label consisting of a customer-defined key and an optional value that can make it easier to manage, search for, and filter resources.

Tagging allows for grouped controls to be implemented. Although there are no inherent types of tags, they enable you to categorize resources by purpose, owner, environment, or other criteria. The following are some examples:

  • Security – Used to determine requirements such as encryption.

  • Confidentiality – An identifier for the specific data-confidentiality level a resource supports.

  • Environment – Used to distinguish between development, test, and production infrastructure.

For more information, see Amazon Tagging Strategies and Tagging for DynamoDB.