(aws-cdk/aws-cloudtrail): Support DynamoDB as a DataResourceType in CloudTrail

[Parker-Ledoux]

About two months ago, AWS CloudTrail officially announced support for audit logging and monitoring of DynamoDb. More information about that here.
Today the aws-cdk only supports S3 and Lambda as data resource types and it would be super useful to be able to use cdk to construct our CloudTrail trails for DynamoDB as well.

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

---

This is a 🚀 Feature Request

[TheRealAmazonKendra]

This is currently blocked by another issue. We will update here when it is unblocked and reopen @peterwoodworth's pr.

[cowsandmilk]

Is there an update on this?

[issakr]

any update please

[scott-korin]

Any update?

[lurumad]

Any update on this?

Is there any workaround at that moment?

[peterwoodworth]

We're still blocked on implementing l2 support. You'll need to use L1s, or implement escape hatches to use this feature in the meantime

[holomekc]

An example in Java via escape hatches.

final List<String> tableArns = dbStack.getTableArns();

final CfnTrail cfnTrail = (CfnTrail) trail.getNode().getDefaultChild();

final CfnTrail.DataResourceProperty dataResource =
        CfnTrail.DataResourceProperty.builder().type("AWS::DynamoDB::Table").values(tableArns).build();
final CfnTrail.EventSelectorProperty selector =
        CfnTrail.EventSelectorProperty.builder().dataResources(List.of(dataResource))
                .includeManagementEvents(false).readWriteType("All").build();

cfnTrail.setEventSelectors(List.of(selector));

Other languages regarding escape hatches here: https://docs.aws.amazon.com/cdk/v2/guide/cfn_layer.html

[eiva]

Any progress on this?

[matthiasbruns]

same here - tried to setup cloudtrail with dynamo, but still no support

	trail := awscloudtrail.NewTrail(
		scope,
		jsii.String(fmt.Sprintf(trailName)),
		&awscloudtrail.TrailProps{
			TrailName:                  jsii.String(trailName),
			Bucket:                     trailBucket,
			IsMultiRegionTrail:         jsii.Bool(true),
			IncludeGlobalServiceEvents: jsii.Bool(true),
		},
	)

	trailDataSource := &awscloudtrail.CfnTrail_DataResourceProperty{
		Type: jsii.String("AWS::DynamoDB::Table"),
		Values: &[]*string{
			props.DB.TableArn(),
		},
	}

	trailDataSelector := awscloudtrail.CfnTrail_EventSelectorProperty{
		DataResources:           trailDataSource,
		IncludeManagementEvents: jsii.Bool(false),
		ReadWriteType:           jsii.String(string(awscloudtrail.ReadWriteType_WRITE_ONLY)),
	}

	trail.Node().DefaultChild().(awscloudtrail.CfnTrail).SetEventSelectors([]interface{}{trailDataSelector})

the version in Go, in the meantime

[gshpychka]

@peterwoodworth could you clarify what's blocking you? Seems straightforward to implement on the surface

[peterwoodworth]

Hey Glib, I'm not sure we can get into the specifics here, however I am still keeping tabs on this and will push to merge this feature once we're able to.

Just a heads up, I'm not with the CDK team anymore (however am still with Amazon). It was very pleasant working with you here 🙂

[dparish]

In case someone else needs this:

Here is how I was able to get this to work with Typescript and the CDK. Thank you to @holomekc for the inspiration on how to do this.

    const dynamoTrail = new Trail(this, 'some-trail', {
      trailName: 'some-trail',
    });

    const cfnTrail = dynamoTrail.node.defaultChild as CfnTrail;
    cfnTrail.eventSelectors = [
      {
        dataResources: [
          {
            type: 'AWS::DynamoDB::Table',
            values: [mytable.tableArn],
          },
        ],
        includeManagementEvents: false,
        readWriteType: 'All',
      },
    ];