1

I've set up a dynamodb lambda trigger using this documentation. The function successfully triggers when the dynamodb table is updated, and I can view the output just fine.

I want to find the identity of the user that updated the dynamodb table but this info doesn't seem to be included in the event. How can I accomplish this?

The event looks like this:

{
"Records": [
    {
        "eventID": "1725dad5b286b22b02cffc28e5006437",
        "eventName": "INSERT",
        "eventVersion": "1.1",
        "eventSource": "aws:dynamodb",
        "awsRegion": "us-west-2",
        "dynamodb": {
            "ApproximateCreationDateTime": 1607759729,
            "Keys": {
                "receiver": {
                    "S": "c2217b13-12e8-42a4-a1ab-627f764493c9"
                },
                "sender": {
                    "S": "6fad5bc8-a389-4d73-b171-e709d5d8bdd8"
                }
            },
            "NewImage": {
                "createdAt": {
                    "S": "2020-12-12T07:55:29.105Z"
                },
                "receiver": {
                    "S": "c2217b13-12e8-42a4-a1ab-627f764493c9"
                },
                "sender": {
                    "S": "6fad5bc8-a389-4d73-b171-e709d5d8bdd8"
                },
                "__typename": {
                    "S": "FriendRequest"
                },
                "updatedAt": {
                    "S": "2020-12-12T07:55:29.105Z"
                }
            },
            "SequenceNumber": "4092400000000003379896405",
            "SizeBytes": 261,
            "StreamViewType": "NEW_AND_OLD_IMAGES"
        },
        "eventSourceARN": "arn:aws:dynamodb:us-west-2:213277979580:table/FriendRequest-rmzuppsajfhzlfgjehczargowa-apisecure/stream/2020-12-11T07:48:02.462"
    }
]

}

Sean
  • 107
  • 7
  • 1
    Why do you need the user identity? And is the ddb record created by a user using the ddb console or aws cli? Or by some back end application? – Sarthak Jain Dec 12 '20 at 08:56
  • A front-end application is used to update the dynamodb. For security purposes I was hoping to make a lambda function to verify the user making the update. Since that doesn't seem possible I'll try adding a user id field to the dynamodb item that gets autofilled somehow. – Sean Dec 13 '20 at 05:45

2 Answers2

0

DynamoDB does not provide the ID of the user that did write the record. The only way you can achieve this is to have the user id be part of the DynamoDB item in the first place. But that means your application needs to identify the user and write that attribute.

But this obviously will not work, if the item is inserted using the AWS Console. In that case your user would need to insert his own ID (or the ID of another user) by hand.

Jens
  • 20,533
  • 11
  • 60
  • 86
0

We have a similar scenario in which we would like to track who (user) or what (service) made the last update to a record. first our arch looks like:

User/Service changes -> API Lambda -> DynamoDB Stream -> Lambda (normalizes stream data) -> Service Event SNS Topic

All services or functions that care about changes are attached to the SNS topic NOT the stream.

This works fine with insert/update, we have a internal use field in which we keep this data, it is not returned via the CRUD API's. something like: updated_by: app:service:region:user/1

When we get the record we know that this item was updated by user with id 1. so when we create the sns topic, we add a message attribute with this value.

Deletion is a bit more tricky since you can't really update and delete an item at the exact same time. how we do this currently is to generate a delete event manually on deletion so instead of relying on the stream, we async the lambda function and pass along the user/service data.

User/Service changes -> API Lambda -> Lambda (normalizes stream data) -> Service Event SNS Topic

Steffan Perry
  • 2,112
  • 1
  • 21
  • 21