AWS Security ChangesHomeSearch

AWS amazondynamodb documentation change

Service: amazondynamodb · 2026-03-22 · Documentation low

File: amazondynamodb/latest/developerguide/logging-using-cloudtrail.md

Summary

Added warning about potential unexpected CloudTrail charges when logging GetRecords data events from DynamoDB internal operations, with guidance on how to avoid these charges

Security assessment

This change addresses billing/cost concerns rather than security issues. It warns about charges from CloudTrail logging of internal DynamoDB operations and provides filtering options to avoid them. While logging can be security-related, this specific change focuses on cost optimization, not security vulnerabilities or security feature documentation.

Diff

diff --git a/amazondynamodb/latest/developerguide/logging-using-cloudtrail.md b/amazondynamodb/latest/developerguide/logging-using-cloudtrail.md
index a1cba7482..f940a69d3 100644
--- a//amazondynamodb/latest/developerguide/logging-using-cloudtrail.md
+++ b//amazondynamodb/latest/developerguide/logging-using-cloudtrail.md
@@ -209,0 +210,15 @@ DynamoDB Time to Live data plane actions are not logged by CloudTrail
+###### Important
+
+When you log `GetRecords` data events, you might see `GetRecords` calls from DynamoDB internal operations, such as global tables replication. Although you are not charged by DynamoDB for these `GetRecords` calls, you are charged by CloudTrail for the data event logs. This might result in unexpected CloudTrail charges.
+
+To avoid unexpected CloudTrail charges, do one of the following:
+
+  * Use the **Exclude AWS service-initiated events** log selector template.
+
+  * Add an advanced event selector filter with `userIdentity.arn` set to `NotStartsWith` `AWSServiceRoleFor`.
+
+
+
+
+For more information, see [Logging data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) in the AWS CloudTrail User Guide.
+