Skip to content

AWS Dynamo DB

AWS Dynamo DB

About

Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. DynamoDB offers built-in security, continuous backups, automated multi-Region replication, in-memory caching, and data import and export tools.

Product Details

Vendor URL: AWS Dynamo DB

Product Type: Database

Product Tier: Tier III

Integration Method: Custom

Integration URL: AWS Dynamo DB Logging

Log Guide: N/A

Parser Details

Log Format: JSON

Expected Normalization Rate: 90%

Data Label: AWS_DYNAMO_DB

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
access_granted additional.fields
AMAZON_WEB_SERVICES target.asset.attribute.cloud.environment
AWS metadata.vendor_name
AWS Dynamo DB metadata.product_name
record.awsRegion target.location.name
record.dynamodb.Keys.user_name.S principal.user.userid
record.dynamodb.NewImage.access_granted.S security_result.action_details
record.dynamodb.NewImage.db_host.S target.hostname
record.dynamodb.NewImage.environment.S target.cloud.availability_zone
record.dynamodb.NewImage.rejected_reason.S security_result.description
record.dynamodb.NewImage.request_type.S metadata.description
record.dynamodb.NewImage.service_name.S target.application
record.dynamodb.NewImage.summary.S security_result.summary
record.dynamodb.NewImage.temp_db_user.S security_result.about.user.userid
record.eventID metadata.product_log_id
record.eventName metadata.product_event_type
record.eventSource target.resource.resource_subtype
record.eventSourceARN target.resource.id
record.eventVersion metadata.product_version
status additional.fields

Product Event Types

eventName UDM Event Classification
all others GENERIC_EVENT
INSERT USER_RESOURCE_UPDATE_CONTENT
MODIFY USER_RESOURCE_UPDATE_CONTENT

Log Sample

{"Records": [{"eventID": "eventid", "eventName": "INSERT", "eventVersion": "1.1", "eventSource": "aws:dynamodb", "awsRegion": "region", "dynamodb": {"ApproximateCreationDateTime": 1682484012.0, "Keys": {"request_time": {"S": "2023-04-26 04:40:11"}, "user_name": {"S": "user1"}}, "NewImage": {"summary": {"S": "summary1"}, "country": {"S": "in"}, "environment": {"S": "zone1"}, "request_time": {"S": "2023-04-26 04:40:11"}, "request_type": {"S": "breakglass"}, "service_name": {"S": "app1"}, "user_name": {"S": "user1"}}, "SequenceNumber": "sequencenumber", "SizeBytes": 209, "StreamViewType": "NEW_IMAGE"}, "eventSourceARN": "arn1"}]}

Sample Parsing

metadata.description = "breakglass"
metadata.event_type = "USER_RESOURCE_UPDATE_CONTENT"
metadata.log_type = "AWS_DYNAMO_DB"
metadata.product_event_type = "INSERT"
metadata.product_log_id = "eventid"
metadata.product_name = "AWS Dynamo DB"
metadata.product_version = "1.1"
metadata.vendor_name = "AWS"
principal.user.attribute.labels.key = "signInName"
principal.user.attribute.labels.value = "user1@domain"
principal.user.attribute.labels.key = "orgUnitPath"
principal.user.attribute.labels.value = "Services & APIs"
principal.user.attribute.labels.key = "changePasswordAtNextLogin"
principal.user.attribute.labels.value = "False"
principal.user.attribute.labels.key = "isMailboxSetup"
principal.user.attribute.labels.value = "True"
principal.user.attribute.labels.key = "isEnrolledIn2Sv"
principal.user.attribute.labels.value = "False"
principal.user.attribute.labels.key = "isEnforcedIn2Sv"
principal.user.attribute.labels.value = "False"
principal.user.attribute.labels.key = "includeInGlobalAddressList"
principal.user.attribute.labels.value = "True"
principal.user.attribute.labels.key = "kind"
principal.user.attribute.labels.value = "admin#directory#user"
principal.user.attribute.roles.name = "Services & APIs"
principal.user.department = "dept1"
principal.user.department = "dept2"
principal.user.email_addresses = "user1@domain"
principal.user.first_name = "John"
principal.user.last_name = "Doe"
principal.user.product_object_id = "obj"
principal.user.title = "usertitle"
principal.user.user_authentication_status = "ACTIVE"
principal.user.user_display_name = "John Doe"
principal.user.userid = "user1"
security_result.summary = "summary1"
target.application = "app1"
target.asset.attribute.cloud.environment = "AMAZON_WEB_SERVICES"
target.cloud.availability_zone = "zone1"
target.location.name = "region"
target.resource.id = "arn1"
target.resource.resource_subtype = "aws:dynamodb"