Data Source: AWS DynamoDB | Detection.FYI

AWS DynamoDB Scan by Unusual User

Mar 21, 2025 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: AWS DynamoDB Resources: Investigation Guide Use Case: Threat Detection Tactic: Exfiltration ·
Share on:

Identifies when an AWS DynamoDB table is scanned by a user who does not typically perform this action. Adversaries may use the Scan operation to collect sensitive information or exfiltrate data from DynamoDB tables. This rule detects unusual user activity by monitoring for the Scan action in CloudTrail logs. This is a New Terms rule that only flags when this behavior is observed by the aws.cloudtrail.user_identity.arn for the first time in the last 14 days.

Read More
AWS DynamoDB Table Exported to S3

Mar 21, 2025 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: AWS DynamoDB Resources: Investigation Guide Use Case: Threat Detection Tactic: Exfiltration ·
Share on:

Identifies when an AWS DynamoDB table is exported to S3. Adversaries may use the ExportTableToPointInTime operation to collect sensitive information or exfiltrate data from DynamoDB tables. This rule detects unusual user activity by monitoring for the ExportTableToPointInTime action in CloudTrail logs. This is a New Terms rule that only flags when this behavior is observed by the aws.cloudtrail.user_identity.arn for the first time in the last 14 days.

Read More