DynamoDB detective security best practices

If you are using an Amazon managed key for encryption at rest, usage of this key is logged into Amazon CloudTrail. CloudTrail provides visibility into user activity by recording actions taken on your account. CloudTrail records important information about each action, including who made the request, the services used, the actions performed, parameters for the actions, and the response elements returned by the Amazon service. This information helps you track changes made to your Amazon resources and troubleshoot operational issues. CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards.

You can use CloudTrail to audit key usage. CloudTrail creates log files that contain a history of Amazon API calls and related events for your account. These log files include all Amazon KMS API requests made using the Amazon Web Services Management Console, Amazon SDKs, and command line tools, in addition to those made through integrated Amazon services. You can use these log files to get information about when the KMS key was used, the operation that was requested, the identity of the requester, the IP address that the request came from, and so on. For more information, see Logging Amazon KMS API Calls with Amazon CloudTrail and the Amazon CloudTrail User Guide.

CloudTrail can monitor both control plane events and data plane events. Control plane operations let you create and manage DynamoDB tables. They also let you work with indexes, streams, and other objects that are dependent on tables. Data plane operations let you perform create, read, update, and delete (also called CRUD) actions on data in a table. Some data plane operations also let you read data from a secondary index. To enable logging of data plane events in CloudTrail, you'll need to enable logging of data plane API activity in CloudTrail. See Logging data events for trails for more information.

When activity occurs in DynamoDB, that activity is recorded in a CloudTrail event along with other Amazon service events in the event history. For more information, see Logging DynamoDB Operations by Using Amazon CloudTrail. You can view, search, and download recent events in your Amazon account. For more information, see Viewing Events with CloudTrail Event History in the Amazon CloudTrail User Guide.

For an ongoing record of events in your Amazon account, including events for DynamoDB, create a trail. A trail enables CloudTrail to deliver log files to an Amazon Simple Storage Service (Amazon S3) bucket. By default, when you create a trail on the console, the trail applies to all Amazon Regions. The trail logs events from all Regions in the Amazon partition and delivers the log files to the S3 bucket that you specify. Additionally, you can configure other Amazon services to further analyze and act upon the event data collected in CloudTrail logs.

DynamoDB is integrated with Amazon Lambda so that you can create triggers—pieces of code that automatically respond to events in DynamoDB Streams. With triggers, you can build applications that react to data modifications in DynamoDB tables.

If you enable DynamoDB Streams on a table, you can associate the stream Amazon Resource Name (ARN) with a Lambda function that you write. Immediately after an item in the table is modified, a new record appears in the table's stream. Amazon Lambda polls the stream and invokes your Lambda function synchronously when it detects new stream records. The Lambda function can perform any actions that you specify, such as sending a notification or initiating a workflow.

For an example, see Tutorial: Using Amazon Lambda with Amazon DynamoDB Streams. This example receives a DynamoDB event input, processes the messages that it contains, and writes some of the incoming event data to Amazon CloudWatch Logs.

Using Amazon Config, you can continuously monitor and record configuration changes of your Amazon resources. You can also use Amazon Config to inventory your Amazon resources. When a change from a previous state is detected, an Amazon Simple Notification Service (Amazon SNS) notification can be delivered for you to review and take action. Follow the guidance in Setting Up Amazon Config with the Console, ensuring that DynamoDB resource types are included.

You can configure Amazon Config to stream configuration changes and notifications to an Amazon SNS topic. For example, when a resource is updated, you can get a notification sent to your email, so that you can view the changes. You can also be notified when Amazon Config evaluates your custom or managed rules against your resources.

For an example, see Notifications that Amazon Config Sends to an Amazon SNS topic in the Amazon Config Developer Guide.

Amazon Config continuously tracks the configuration changes that occur among your resources. It checks whether these changes violate any of the conditions in your rules. If a resource violates a rule, Amazon Config flags the resource and the rule as noncompliant.

By using Amazon Config to evaluate your resource configurations, you can assess how well your resource configurations comply with internal practices, industry guidelines, and regulations. Amazon Config provides Amazon managed rules, which are predefined, customizable rules that Amazon Config uses to evaluate whether your Amazon resources comply with common best practices.

You can assign metadata to your Amazon resources in the form of tags. Each tag is a simple label consisting of a customer-defined key and an optional value that can make it easier to manage, search for, and filter resources.

Tagging allows for grouped controls to be implemented. Although there are no inherent types of tags, they enable you to categorize resources by purpose, owner, environment, or other criteria. The following are some examples:

For more information, see Amazon Tagging Strategies and Tagging for DynamoDB.

Security Hub uses security controls to evaluate resource configurations and security standards to help you comply with various compliance frameworks.

For more information about using Security Hub to evaluate DynamoDB resources, see Amazon DynamoDB controls in the Amazon Security Hub User Guide.