Maintaining a Record of DynamoDB Operations for Audit Purposes

How to Track GetItem and PutItem Operations in DynamoDB

Question

The security team wants to maintain a record of all GetItem and PutItem operations performed on a DynamoDB table for audit purposes.

What solution can they use to meet this requirement?

Answers

Explanations


Answer: C.

Option A is incorrect because CloudWatch Logs is used for storing application logs.

Option B is incorrect because DynamoDB data-plane API operations, such as GetItem and PutItem, are not logged into CloudTrail logs.

Option C is CORRECT because DynamoDB Streams records an event every time any table item is modified.

An AWS Lambda function can then be used to process and record these stream records.

Option D is incorrect because AWS Config is a service for tracking and monitoring configuration changes of AWS resources.

Reference:

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/best-practices-security-detective.html

The security team wants to maintain a record of all GetItem and PutItem operations performed on a DynamoDB table for audit purposes. To meet this requirement, we can use AWS CloudTrail or DynamoDB Streams with AWS Lambda.

CloudTrail is a service that records API calls made to AWS services, including DynamoDB. It provides a history of activity on an AWS account, including details such as who made the request, when the request was made, and what resources were accessed. By enabling CloudTrail for DynamoDB, we can capture all API calls made to the table, including GetItem and PutItem operations. The captured logs can then be stored in an S3 bucket or sent to CloudWatch Logs for analysis.

However, CloudTrail only captures metadata about the API call, such as the user, time, and resource, and not the contents of the request or response. If you need to capture the contents of the requests and responses, you can use DynamoDB Streams with AWS Lambda.

DynamoDB Streams is a feature of DynamoDB that captures a time-ordered sequence of item-level modifications in a table. Whenever an item is added, updated, or deleted in the table, a stream record is generated containing the details of the modification. We can use AWS Lambda to read and process these stream records and write them to a separate audit table or to an external system, such as CloudWatch Logs or a dedicated audit system.

To set up this solution, we need to enable DynamoDB Streams for the table and create an AWS Lambda function to read and process the stream records. The Lambda function can be configured to write the records to an S3 bucket, send them to CloudWatch Logs, or insert them into a separate audit table in DynamoDB or a different database. We also need to ensure that the IAM role used by the Lambda function has permission to read from the DynamoDB table and write to the chosen destination.
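The Lambda side of that setup, as an added example that is not part of the original page: a handler that turns each stream record (INSERT, MODIFY or REMOVE) into a structured audit entry and writes one JSON line per entry to CloudWatch Logs. The table name, key values and stream event below are constructed for the example; note in `audit_record` that a stream record does not carry the caller's identity, which is the practical reason the explanation pairs this approach with CloudTrail for the "who".

```python
import json

# Constructed sample event in the shape DynamoDB Streams hands to Lambda (hand-built, not captured).
STREAM_ARN = "arn:aws:dynamodb:us-east-1:111122223333:table/Orders/stream/2024-01-01T00:00:00.000"
SAMPLE_EVENT = {"Records": [
    {"eventID": "e1", "eventName": "INSERT", "eventSource": "aws:dynamodb", "eventSourceARN": STREAM_ARN,
     "dynamodb": {"Keys": {"order_id": {"S": "o-1"}}, "SequenceNumber": "100", "ApproximateCreationDateTime": 1704067200,
                  "NewImage": {"order_id": {"S": "o-1"}, "status": {"S": "NEW"}, "total": {"N": "25"}}}},
    {"eventID": "e2", "eventName": "MODIFY", "eventSource": "aws:dynamodb", "eventSourceARN": STREAM_ARN,
     "dynamodb": {"Keys": {"order_id": {"S": "o-1"}}, "SequenceNumber": "101", "ApproximateCreationDateTime": 1704067260,
                  "OldImage": {"order_id": {"S": "o-1"}, "status": {"S": "NEW"}, "total": {"N": "25"}},
                  "NewImage": {"order_id": {"S": "o-1"}, "status": {"S": "SHIPPED"}, "total": {"N": "25"}}}},
]}

def unmarshal(attr):
    """Turn one DynamoDB-typed value ({"S": "x"}, {"N": "25"}, {"M": {...}}) into a plain Python value."""
    (kind, value), = attr.items()
    if kind == "N":
        return int(value) if value.lstrip("-").isdigit() else float(value)
    if kind in ("M", "L"):
        return {k: unmarshal(v) for k, v in value.items()} if kind == "M" else [unmarshal(v) for v in value]
    return None if kind == "NULL" else value  # S, BOOL, SS, NS pass through unchanged

def audit_record(rec):
    """One audit entry per stream record. A stream record carries no caller identity, so the
    entry can state what changed and when, but not who changed it (CloudTrail covers that)."""
    ddb = rec["dynamodb"]
    old = {k: unmarshal(v) for k, v in ddb.get("OldImage", {}).items()}
    new = {k: unmarshal(v) for k, v in ddb.get("NewImage", {}).items()}
    return {
        "event_id": rec["eventID"],
        "action": rec["eventName"],  # INSERT, MODIFY or REMOVE
        "table": rec["eventSourceARN"].split("/")[1],
        "key": {k: unmarshal(v) for k, v in ddb["Keys"].items()},
        "changed_attributes": sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k)),
        "sequence_number": ddb["SequenceNumber"],
        "approx_time": ddb.get("ApproximateCreationDateTime"),
    }

def audit_records(event):
    # Ignore anything that did not arrive from the DynamoDB stream event source.
    return [audit_record(r) for r in event.get("Records", []) if r.get("eventSource") == "aws:dynamodb"]

def handler(event, context=None):
    """Lambda entry point. Each print() becomes one line in the function's CloudWatch Logs stream; the
    execution role needs dynamodb:DescribeStream/GetRecords/GetShardIterator/ListStreams on the stream ARN."""
    entries = audit_records(event)
    for entry in entries:
        print(json.dumps(entry, sort_keys=True))
    return {"audited": len(entries)}
```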

AWS Config is not the correct answer: it provides a detailed inventory of the AWS resources in an account and tracks changes to those resources over time, but it does not capture detailed information about API calls made to DynamoDB. Therefore, it does not meet the requirement specified in the question.