There are two types of events for DynamoDB: management events and data events. Management events are things like creating/deleting a DynamoDB table, creating/deleting DynamoDB backups, or modifying a table's settings. These events are captured by default, for all tables in the account, when you have CloudTrail enabled.
Data events capture actions like adding, updating or deleting items in a DynamoDB table. CloudTrail can log data events, but this is not enabled by default, as it can become expensive to monitor depending on how active a table is. You can also selectively enable data event monitoring on specific DynamoDB tables only (or on all tables in the account/region).
I would recommend enabling data events on tables that might host sensitive data, and you can then create alarms/reports based on things like access from suspicious IPs or anomalous access.
More details can be found here: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/logging-using-cloudtrail.html
You can use the following templates for configuring CloudTrail and CloudTrail DynamoDB event logging:
https://asecure.cloud/a/CloudTrail/
https://asecure.cloud/a/CloudTrail_DataEventsDynamoDB/
Hope this helps!
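To illustrate the kind of report described above, the following added example (not part of the original answer or of the linked templates) scans a CloudTrail log file for DynamoDB data events on sensitive tables that come from outside a trusted network list. The allowed networks, account ID, table names and sample records are constructed assumptions.

```python
import ipaddress
import json

# Assumed values for illustration (not from the original answer).
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]
SENSITIVE_TABLES = {"arn:aws:dynamodb:us-east-1:111122223333:table/Customers"}

def _rec(name, source, table, mgmt=False):
    """Build a constructed CloudTrail record holding only the fields used below."""
    return {
        "eventSource": "dynamodb.amazonaws.com", "eventName": name,
        "sourceIPAddress": source, "managementEvent": mgmt,
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app"},
        "resources": [{"type": "AWS::DynamoDB::Table",
                       "ARN": f"arn:aws:dynamodb:us-east-1:111122223333:table/{table}"}],
    }

# Constructed sample log content, shaped like a delivered CloudTrail log file.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("GetItem", "10.1.2.3", "Customers"),                    # trusted network
    _rec("DeleteItem", "203.0.113.77", "Customers"),             # should be flagged
    _rec("PutItem", "203.0.113.77", "Sessions"),                 # table not sensitive
    _rec("DeleteTable", "203.0.113.77", "Customers", mgmt=True), # management event
    _rec("GetItem", "lambda.amazonaws.com", "Customers"),        # AWS service caller
]})

def is_trusted_source(source):
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        # Calls made by an AWS service carry a service name instead of an IP.
        # Trusting them is a policy choice made for this example.
        return source.endswith(".amazonaws.com")
    return any(addr in net for net in ALLOWED_NETWORKS)

def find_suspicious(log_text):
    """Return (eventName, source, principal ARN, table ARN) for flagged data events."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "dynamodb.amazonaws.com" or rec.get("managementEvent"):
            continue  # only DynamoDB data events are of interest here
        tables = {r.get("ARN") for r in rec.get("resources") or []
                  if r.get("type") == "AWS::DynamoDB::Table"}
        hit = tables & SENSITIVE_TABLES
        if hit and not is_trusted_source(rec.get("sourceIPAddress", "")):
            findings.append((rec["eventName"], rec["sourceIPAddress"],
                             rec.get("userIdentity", {}).get("arn"), sorted(hit)[0]))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```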