AWS Dynamo DB
About
Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. DynamoDB offers built-in security, continuous backups, automated multi-Region replication, in-memory caching, and data import and export tools.
Product Details
Vendor URL: AWS Dynamo DB
Product Type: Database
Product Tier: Tier III
Integration Method: Custom
Integration URL: AWS Dynamo DB Logging
Log Guide: N/A
Parser Details
Log Format: JSON
Expected Normalization Rate: 90%
Data Label: AWS_DYNAMO_DB
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
access_granted | additional.fields |
AMAZON_WEB_SERVICES | target.asset.attribute.cloud.environment |
AWS | metadata.vendor_name |
AWS Dynamo DB | metadata.product_name |
record.awsRegion | target.location.name |
record.dynamodb.Keys.user_name.S | principal.user.userid |
record.dynamodb.NewImage.access_granted.S | security_result.action_details |
record.dynamodb.NewImage.db_host.S | target.hostname |
record.dynamodb.NewImage.environment.S | target.cloud.availability_zone |
record.dynamodb.NewImage.rejected_reason.S | security_result.description |
record.dynamodb.NewImage.request_type.S | metadata.description |
record.dynamodb.NewImage.service_name.S | target.application |
record.dynamodb.NewImage.summary.S | security_result.summary |
record.dynamodb.NewImage.temp_db_user.S | security_result.about.user.userid |
record.eventID | metadata.product_log_id |
record.eventName | metadata.product_event_type |
record.eventSource | target.resource.resource_subtype |
record.eventSourceARN | target.resource.id |
record.eventVersion | metadata.product_version |
status | additional.fields |
Product Event Types
eventName | UDM Event Classification |
---|---|
all others | GENERIC_EVENT |
INSERT | USER_RESOURCE_UPDATE_CONTENT |
MODIFY | USER_RESOURCE_UPDATE_CONTENT |
Log Sample
{"Records": [{"eventID": "eventid", "eventName": "INSERT", "eventVersion": "1.1", "eventSource": "aws:dynamodb", "awsRegion": "region", "dynamodb": {"ApproximateCreationDateTime": 1682484012.0, "Keys": {"request_time": {"S": "2023-04-26 04:40:11"}, "user_name": {"S": "user1"}}, "NewImage": {"summary": {"S": "summary1"}, "country": {"S": "in"}, "environment": {"S": "zone1"}, "request_time": {"S": "2023-04-26 04:40:11"}, "request_type": {"S": "breakglass"}, "service_name": {"S": "app1"}, "user_name": {"S": "user1"}}, "SequenceNumber": "sequencenumber", "SizeBytes": 209, "StreamViewType": "NEW_IMAGE"}, "eventSourceARN": "arn1"}]}
Sample Parsing
metadata.description = "breakglass"
metadata.event_type = "USER_RESOURCE_UPDATE_CONTENT"
metadata.log_type = "AWS_DYNAMO_DB"
metadata.product_event_type = "INSERT"
metadata.product_log_id = "eventid"
metadata.product_name = "AWS Dynamo DB"
metadata.product_version = "1.1"
metadata.vendor_name = "AWS"
principal.user.attribute.labels.key = "signInName"
principal.user.attribute.labels.value = "user1@domain"
principal.user.attribute.labels.key = "orgUnitPath"
principal.user.attribute.labels.value = "Services & APIs"
principal.user.attribute.labels.key = "changePasswordAtNextLogin"
principal.user.attribute.labels.value = "False"
principal.user.attribute.labels.key = "isMailboxSetup"
principal.user.attribute.labels.value = "True"
principal.user.attribute.labels.key = "isEnrolledIn2Sv"
principal.user.attribute.labels.value = "False"
principal.user.attribute.labels.key = "isEnforcedIn2Sv"
principal.user.attribute.labels.value = "False"
principal.user.attribute.labels.key = "includeInGlobalAddressList"
principal.user.attribute.labels.value = "True"
principal.user.attribute.labels.key = "kind"
principal.user.attribute.labels.value = "admin#directory#user"
principal.user.attribute.roles.name = "Services & APIs"
principal.user.department = "dept1"
principal.user.department = "dept2"
principal.user.email_addresses = "user1@domain"
principal.user.first_name = "John"
principal.user.last_name = "Doe"
principal.user.product_object_id = "obj"
principal.user.title = "usertitle"
principal.user.user_authentication_status = "ACTIVE"
principal.user.user_display_name = "John Doe"
principal.user.userid = "user1"
security_result.summary = "summary1"
target.application = "app1"
target.asset.attribute.cloud.environment = "AMAZON_WEB_SERVICES"
target.cloud.availability_zone = "zone1"
target.location.name = "region"
target.resource.id = "arn1"
target.resource.resource_subtype = "aws:dynamodb"
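The mapping table and the event classification above, applied to the page's log sample as an added example (this is not the parser's own code). The flat dotted-key output and the names `dig`, `normalize` and `normalize_log` are assumptions of this example; the two `additional.fields` rows and the `principal.user` attributes other than `userid` in the sample output are not derived here.

```python
import json

# The page's log sample, trimmed to the fields the mapping table reads.
SAMPLE = (
    '{"Records": [{"eventID": "eventid", "eventName": "INSERT", "eventVersion": "1.1",'
    ' "eventSource": "aws:dynamodb", "awsRegion": "region", "eventSourceARN": "arn1",'
    ' "dynamodb": {"Keys": {"user_name": {"S": "user1"}}, "NewImage": {'
    '"summary": {"S": "summary1"}, "environment": {"S": "zone1"},'
    ' "request_type": {"S": "breakglass"}, "service_name": {"S": "app1"}}}}]}'
)
# Mapping table rows, with the leading "record." dropped from each log path.
FIELD_MAP = {
    "awsRegion": "target.location.name", "eventID": "metadata.product_log_id",
    "eventName": "metadata.product_event_type", "eventVersion": "metadata.product_version",
    "eventSource": "target.resource.resource_subtype", "eventSourceARN": "target.resource.id",
    "dynamodb.Keys.user_name.S": "principal.user.userid",
}
NEW_IMAGE = {  # the record.dynamodb.NewImage.<name>.S rows
    "access_granted": "security_result.action_details", "db_host": "target.hostname",
    "environment": "target.cloud.availability_zone", "summary": "security_result.summary",
    "rejected_reason": "security_result.description", "request_type": "metadata.description",
    "service_name": "target.application", "temp_db_user": "security_result.about.user.userid",
}
FIELD_MAP.update({f"dynamodb.NewImage.{k}.S": v for k, v in NEW_IMAGE.items()})
CONSTANTS = {  # fixed values from the mapping table and the Data Label
    "metadata.vendor_name": "AWS", "metadata.product_name": "AWS Dynamo DB",
    "metadata.log_type": "AWS_DYNAMO_DB",
    "target.asset.attribute.cloud.environment": "AMAZON_WEB_SERVICES",
}
# Product Event Types table; any other eventName falls back to GENERIC_EVENT.
EVENT_TYPES = dict.fromkeys(("INSERT", "MODIFY"), "USER_RESOURCE_UPDATE_CONTENT")

def dig(obj, path):  # walk a dotted path; None when a level is missing or not an object
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def normalize(record):  # one stream record -> flat dict of UDM fields
    udm = dict(CONSTANTS)
    for src, dst in FIELD_MAP.items():
        value = dig(record, src)
        if isinstance(value, str) and value:  # skip absent, empty or non-string values
            udm[dst] = value
    udm["metadata.event_type"] = EVENT_TYPES.get(udm.get("metadata.product_event_type"), "GENERIC_EVENT")
    return udm

def normalize_log(raw):
    return [normalize(r) for r in dig(json.loads(raw), "Records") or []]
```

Fields absent from a record, such as `NewImage` on a `REMOVE` event, are left unset rather than emitted empty, which keeps detections on `security_result.action_details` or `target.hostname` from matching blank values.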
Rules
Coming Soon