Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Log DynamoDB Changes using Kinesis Data Streams

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Amazon DynamoDB tables are configured to use Kinesis Data Streams in order to capture item-level modifications within your DynamoDB tables.

Security

Amazon Kinesis Data Streams for DynamoDB continuously monitors your DynamoDB tables for any changes to individual items. It then seamlessly streams these real-time updates to a Kinesis data stream, enabling you to seamlessly receive and manage the change information within your applications.

Audit

To determine if Amazon Kinesis Data Streams for DynamoDB is enabled for your DynamoDB tables, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon DynamoDB console available at https://console.aws.amazon.com/dynamodbv2/.

03 In the main navigation panel, under Dashboard, choose Tables.

04 Click on the name (link) of the Amazon DynamoDB table that you want to examine.

05 Select the Exports and streams tab to access the export jobs settings available for the selected table.

06 In the Amazon Kinesis data stream details section, check the Status value to determine the feature status. If Status is set to Off, Amazon Kinesis Data Streams for DynamoDB is not enabled for the selected DynamoDB table.

07 Repeat steps no. 4 – 6 for each Amazon DynamoDB table available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-tables command (OSX/Linux/UNIX) with custom query filters to list the name of each Amazon DynamoDB table created in the selected AWS cloud region: 

aws dynamodb list-tables
  --region us-east-1
  --output table
  --query 'TableNames'

02 The command output should return a table with the requested table name(s): 

--------------------------
|       ListTables       |
+------------------------+
|  cc-product-reviews    |
|  cc-product-inventory  |
+------------------------+

03 Run describe-kinesis-streaming-destination command (OSX/Linux/UNIX) using the name of the Amazon DynamoDB table that you want to examine as the identifier parameter and custom query filters to describe the replication status for the Amazon Kinesis Data Streams for DynamoDB feature: 

aws dynamodb describe-kinesis-streaming-destination
  --region us-east-1
  --table-name cc-product-reviews 
  --query 'KinesisDataStreamDestinations[*].DestinationStatus'

04 The command output should the requested status information: 

[
	"DISABLED"
]

If the describe-kinesis-streaming-destination command output returns an empty array (i.e. []) or "DISABLED", as shown in the output example above, Amazon Kinesis Data Streams for DynamoDB is not enabled for the selected DynamoDB table.

05 Repeat steps no. 3 and 4 for each DynamoDB table available in the selected AWS region.

06 Change the AWS cloud region by updating the --regioncommand parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enable and configure Amazon Kinesis Data Streams for your DynamoDB tables, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon DynamoDB console available at https://console.aws.amazon.com/dynamodbv2/.

03 In the main navigation panel, under Dashboard, choose Tables.

04 Click on the name (link) of the Amazon DynamoDB table that you want to configure.

05 Select the Exports and streams tab to access the export jobs settings available for the selected table.

06 Choose Turn on from the Amazon Kinesis data stream details section to initiate the setup process.

07 In the Stream details configuration section, perform the following operations:

  1. Select an existing Kinesis Data Stream from the Destination Kinesis data stream dropdown list.
  2. To create a new Kinesis Data Stream for the destination stream, choose Create new, provide a name for the new stream, select the suitable capacity mode (the stream must have sufficient capacity to accommodate streaming from the selected table), and choose Create data stream to create the required destination stream. The stream must be in the same AWS account and region as the selected DynamoDB table. Go back to the feature setup page, click on the Refresh button and select the new stream from Destination Kinesis data stream.
  3. Choose Turn on stream to enable the DynamoDB feature.

08 Repeat steps no. 4 – 7 for each Amazon DynamoDB table that you want to configure, available in the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run create-stream command (OSX/Linux/UNIX) to create a new Kinesis Data Stream for the destination stream. The stream must be in the same AWS account and region as your DynamoDB table and must have sufficient capacity to accommodate streaming from the table (the command does not produce an output): 

aws kinesis create-stream 
  --region us-east-1 
  --stream-name cc-dynamodb-logging-stream 
  --shard-count 3

02 Run describe-stream command (OSX/Linux/UNIX) to describe the Amazon Resource Name (ARN) of the Kinesis Data Stream created at the previous step: 

aws kinesis describe-stream 
  --stream-name cc-dynamodb-logging-stream 
  --query 'StreamDescription.StreamARN'

03 The command output should the ARN of the destination stream: 

"arn:aws:kinesis:us-east-1:123456789012:stream/cc-dynamodb-logging-stream"

04 Run enable-kinesis-streaming-destination command (OSX/Linux/UNIX) using the name of the Amazon DynamoDB table that you want to configure as the identifier parameter, to enable Amazon Kinesis Data Streams for the selected DynamoDB table: 

aws dynamodb enable-kinesis-streaming-destination 
  --table-name cc-product-reviews 
  --stream-arn arn:aws:kinesis:us-east-1:123456789012:stream/cc-dynamodb-logging-stream

05 The command output should return the feature configuration information: 

{
	"TableName": "cc-product-reviews",
	"StreamArn": "arn:aws:kinesis:us-east-1:123456789012:stream/cc-dynamodb-logging-stream",
	"DestinationStatus": "ENABLING"
}

06 Repeat steps no. 4 and 5 for each Amazon DynamoDB table that you want to configure, available in the selected AWS region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.

References

Publication date Jan 11, 2024

Related DynamoDB rules