AWS amazondynamodb documentation change
Summary
Added warning about potential unexpected CloudTrail charges when logging GetRecords data events from DynamoDB internal operations, with guidance on how to avoid these charges
Security assessment
This change addresses billing/cost concerns rather than security issues. It warns about charges from CloudTrail logging of internal DynamoDB operations and provides filtering options to avoid them. While logging can be security-related, this specific change focuses on cost optimization, not security vulnerabilities or security feature documentation.
Diff
diff --git a/amazondynamodb/latest/developerguide/logging-using-cloudtrail.md b/amazondynamodb/latest/developerguide/logging-using-cloudtrail.md index a1cba7482..f940a69d3 100644 --- a//amazondynamodb/latest/developerguide/logging-using-cloudtrail.md +++ b//amazondynamodb/latest/developerguide/logging-using-cloudtrail.md @@ -209,0 +210,15 @@ DynamoDB Time to Live data plane actions are not logged by CloudTrail +###### Important + +When you log `GetRecords` data events, you might see `GetRecords` calls from DynamoDB internal operations, such as global tables replication. Although you are not charged by DynamoDB for these `GetRecords` calls, you are charged by CloudTrail for the data event logs. This might result in unexpected CloudTrail charges. + +To avoid unexpected CloudTrail charges, do one of the following: + + * Use the **Exclude AWS service-initiated events** log selector template. + + * Add an advanced event selector filter with `userIdentity.arn` set to `NotStartsWith` `AWSServiceRoleFor`. + + + + +For more information, see [Logging data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) in the AWS CloudTrail User Guide. +