Profile Applicability:

  • Level 1

Description:
 DynamoDB Streams capture changes to DynamoDB tables in real-time and can trigger AWS Lambda functions to perform compliance checks. Enabling this feature ensures that updates to the database are automatically monitored and that necessary compliance actions are performed, helping maintain the integrity and security of the database.

Rationale:
 By enabling DynamoDB Streams and AWS Lambda, you ensure that all updates to your DynamoDB tables are automatically tracked, processed, and checked for compliance. This allows for continuous monitoring and ensures that your database operations adhere to security and compliance policies, reducing the risk of non-compliance.

Impact:
 Without DynamoDB Streams and Lambda integration, there is no automated way to track and ensure that changes to the DynamoDB tables comply with required security or compliance policies. This increases the risk of non-compliance and manual errors in monitoring.

Default Value:
 By default, DynamoDB Streams and AWS Lambda for automated compliance checking are not enabled.

Pre-requisites:

  • AWS DynamoDB tables in use

  • AWS Lambda function created for compliance checking

  • Permissions to enable DynamoDB Streams and configure Lambda functions

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to DynamoDB > Tables and select the desired table.

  3. Under the Exports and Streams tab, verify that DynamoDB Streams are enabled.

  4. Go to Lambda > Functions and verify that the appropriate Lambda function is created and associated with the DynamoDB Stream.

  5. Ensure that the Lambda function is configured to trigger on DynamoDB Stream events and performs the necessary compliance checks.

Using AWS CLI:

  1. Run the following and verify that StreamSpecification is enabled (StreamEnabled is true) in the output:

     aws dynamodb describe-table --table-name <table-name>
  2. Run the following to confirm the existence of the compliance Lambda function:

     aws lambda list-functions
  3. Verify that the Lambda function is linked to DynamoDB Streams by checking the function's event source mappings using:

     aws lambda list-event-source-mappings --function-name <lambda-function-name>

Implementation Plan

Using AWS Console:

  1. Go to DynamoDB > Tables in the AWS Management Console.

  2. Select the table you wish to monitor and click Manage Stream.

  3. Enable DynamoDB Streams by selecting the desired stream view type.

  4. Navigate to Lambda > Functions and create a Lambda function if one doesn’t already exist.

  5. Ensure that the Lambda function has the necessary permissions to read from DynamoDB Streams and perform compliance checking.

  6. Associate the Lambda function with the DynamoDB Stream via Lambda > Event Sources and configure it to process changes from the stream.

Using AWS CLI:

  1. Enable DynamoDB Streams:

    aws dynamodb update-table --table-name <table-name> --stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES
  2. Create the Lambda function if needed:

    aws lambda create-function --function-name <lambda-function-name> --runtime nodejs14.x --role <role-arn> --handler index.handler --zip-file fileb://function.zip
  3. Link the Lambda function to DynamoDB Stream:

    aws lambda create-event-source-mapping --function-name <lambda-function-name> --event-source-arn arn:aws:dynamodb:<region>:<account-id>:table/<table-name>/stream/<stream-id> --starting-position TRIM_HORIZON
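The benchmark does not show what the compliance Lambda function in steps 2 and 3 actually does. The following is an added Node.js example (not from the benchmark or from AWS) of an index.handler that reads NEW_AND_OLD_IMAGES records from the stream, applies a small set of policy rules, and logs each violation as structured JSON; the attribute names (classification, encrypted) and the three rules are assumptions chosen for illustration.

```javascript
// Added example (not from the benchmark): attribute names and policy rules are assumptions.

// DynamoDB JSON ({ attr: { S: "..." } }) to a plain object; null if the image is absent.
function unmarshal(image) {
  if (!image) return null;
  const out = {};
  for (const [name, attr] of Object.entries(image)) {
    const [type, value] = Object.entries(attr)[0];
    if (type === 'N') out[name] = Number(value);
    else if (type === 'NULL') out[name] = null;
    else if (type === 'M') out[name] = unmarshal(value);
    else if (type === 'L') out[name] = value.map((v) => unmarshal({ v }).v);
    else out[name] = value; // S, BOOL, B and set types are kept as delivered
  }
  return out;
}

// Assumed policy: every item carries a classification, 'pii' items are marked
// encrypted, and a 'confidential' label is never downgraded in place. Each rule
// returns a finding name or null; item is null on REMOVE events.
const RULES = [
  (evt, old, item) => (item && !('classification' in item) ? 'missing-classification' : null),
  (evt, old, item) => (item && item.classification === 'pii' && item.encrypted !== true ? 'pii-not-encrypted' : null),
  (evt, old, item) => (evt === 'MODIFY' && old && old.classification === 'confidential' && item.classification !== 'confidential' ? 'classification-downgrade' : null),
];

function checkRecord({ eventName, dynamodb: d }) {
  const item = unmarshal(d.NewImage), old = unmarshal(d.OldImage);
  return RULES.map((rule) => rule(eventName, old, item)).filter(Boolean)
    .map((rule) => ({ rule, eventName, key: unmarshal(d.Keys) }));
}
const evaluate = (event) => event.Records.flatMap(checkRecord);

// Lambda entry point: findings are logged as structured JSON so a CloudWatch metric filter or alarm can act on them.
const handler = async (event) => {
  const findings = evaluate(event);
  findings.forEach((f) => console.log(JSON.stringify({ level: 'ALERT', ...f })));
  return { checked: event.Records.length, findings: findings.length };
};
// Constructed sample event (NEW_AND_OLD_IMAGES view) as the stream would deliver it.
const SAMPLE_EVENT = { Records: [
  { eventName: 'INSERT', dynamodb: { Keys: { id: { S: 'u1' } },
    NewImage: { id: { S: 'u1' }, classification: { S: 'pii' }, encrypted: { BOOL: true } } } },
  { eventName: 'MODIFY', dynamodb: { Keys: { id: { S: 'doc7' } },
    OldImage: { id: { S: 'doc7' }, classification: { S: 'confidential' } },
    NewImage: { id: { S: 'doc7' }, classification: { S: 'public' } } } },
  { eventName: 'INSERT', dynamodb: { Keys: { id: { S: 'x9' } }, NewImage: { id: { S: 'x9' }, score: { N: '42' } } } },
  { eventName: 'REMOVE', dynamodb: { Keys: { id: { S: 'u1' } }, OldImage: { id: { S: 'u1' }, classification: { S: 'pii' } } } },
] };
if (typeof module !== 'undefined') module.exports = { unmarshal, evaluate, handler, SAMPLE_EVENT };
```

Running evaluate(SAMPLE_EVENT) yields two findings (the confidential-to-public downgrade on doc7 and the unclassified insert x9); the compliant insert and the REMOVE record produce none, which is the behaviour the execution role and CloudWatch alerting should be built around.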

Backout Plan

Using AWS Console:

  1. Navigate to DynamoDB > Tables and select the appropriate table.

  2. Disable DynamoDB Streams by choosing Manage Stream and selecting "Disabled."

  3. Navigate to Lambda > Functions and remove the event source mapping linking the function to DynamoDB Streams.

  4. Optionally, delete the Lambda function if no longer needed.

Using AWS CLI:

  1. Disable DynamoDB Streams:

    aws dynamodb update-table --table-name <table-name> --stream-specification StreamEnabled=false
  2. Remove event source mapping:

     aws lambda delete-event-source-mapping --uuid <mapping-uuid>
  3. Optionally, delete the Lambda function:

     aws lambda delete-function --function-name <lambda-function-name>

References: