LoFP / Legitimate users may scan DynamoDB tables for various reasons, such as data analysis or application functionality. Ensure that the user has the necessary permissions and that the scan operation is authorized before taking action.

Techniques

Sample rules

AWS DynamoDB Scan by Unusual User

Description

Identifies when an AWS DynamoDB table is scanned by a user who does not typically perform this action. Adversaries may use the Scan operation to collect sensitive information or exfiltrate data from DynamoDB tables. This rule detects unusual user activity by monitoring for the Scan action in CloudTrail logs. This is a New Terms rule that only fires when this behavior is observed for a given aws.cloudtrail.user_identity.arn for the first time within the last 14 days.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "dynamodb.amazonaws.com"
    and event.action: "Scan"
    and event.outcome: "success"
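To make the rule's two stages concrete, here is an added Python example (not part of the Elastic rule or of this page) that applies the KQL filter above to constructed CloudTrail records and then approximates the New Terms check on aws.cloudtrail.user_identity.arn with a 14-day last-seen window; the `known_arns` allowlist is an assumed tuning knob for the reviewed, expected scanners that the false-positive note describes, and the sample events, ARNs and account id are constructed.

```python
from datetime import datetime, timedelta, timezone

NEW_TERMS_WINDOW = timedelta(days=14)  # the rule's history window: an ARN unseen this long is "new" again

def matches_rule(event):
    """The rule's KQL filter applied to one ECS-normalised CloudTrail event (dict of ECS fields)."""
    return (
        event.get("event.dataset") == "aws.cloudtrail"
        and event.get("event.provider") == "dynamodb.amazonaws.com"
        and event.get("event.action") == "Scan"
        and event.get("event.outcome") == "success"
    )

def new_term_alerts(events, window=NEW_TERMS_WINDOW, known_arns=()):
    """Events that would alert: a successful Scan by an ARN with no successful Scan within `window`
    before it. `known_arns` (assumed tuning) holds ARNs already reviewed as expected scanners."""
    last_seen = {}   # ARN -> timestamp of its most recent successful Scan
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_rule(ev):
            continue
        arn = ev["aws.cloudtrail.user_identity.arn"]
        ts = ev["@timestamp"]
        prev = last_seen.get(arn)
        last_seen[arn] = ts
        if arn not in known_arns and (prev is None or ts - prev > window):
            alerts.append(ev)
    return alerts

def _ev(ts, arn, action="Scan", outcome="success"):
    return {"@timestamp": ts, "event.dataset": "aws.cloudtrail",
            "event.provider": "dynamodb.amazonaws.com", "event.action": action,
            "event.outcome": outcome, "aws.cloudtrail.user_identity.arn": arn}

T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
ETL = "arn:aws:iam::123456789012:user/etl-batch"   # constructed sample principals
ANALYST = "arn:aws:iam::123456789012:user/analyst"
SAMPLE_EVENTS = [                                   # constructed CloudTrail records, not real logs
    _ev(T0, ETL),                                              # first Scan ever by etl-batch -> alert
    _ev(T0 + timedelta(days=3), ETL),                          # seen 3 days ago -> no alert
    _ev(T0 + timedelta(days=5), ANALYST, outcome="failure"),   # denied Scan, fails the KQL filter
    _ev(T0 + timedelta(days=6), ANALYST, action="GetItem"),    # not a Scan, fails the KQL filter
    _ev(T0 + timedelta(days=7), ANALYST),                      # analyst's first successful Scan -> alert
    _ev(T0 + timedelta(days=30), ETL),                         # 27-day gap exceeds the window -> alert again
]

def demo(known_arns=()):
    # Alerts as (days after T0, user name) pairs for easy inspection.
    return [((e["@timestamp"] - T0).days, e["aws.cloudtrail.user_identity.arn"].rsplit("/", 1)[1])
            for e in new_term_alerts(SAMPLE_EVENTS, known_arns=known_arns)]
```

`demo()` yields three alerts and `demo((ETL,))` only the analyst's first Scan, which is the effect of allowlisting a reviewed principal rather than disabling the rule.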