LedgerLock

Tamper-evident audit trail · Amazon DynamoDB

Audit logs that prove they weren't altered

A drop-in API for regulated SaaS - HIPAA, SOC 2, SEC Rule 17a-4. Conditional append-only writes, per-tenant SHA-256 hash chains, and WORM-sealed Merkle checkpoints that detect tampering even by someone holding database admin access.

“Immutability isn't a rule we follow - it's a permission we don't have.”

Three enforced layers

01

Conditional append

Every write is a PutItem guarded by the condition expression attribute_not_exists(SK), so a second write to an existing key fails with ConditionalCheckFailedException instead of replacing the item. The API exposes no update or delete route, so there is no overwrite path.

02

Least-privilege IAM

The app role is granted dynamodb:PutItem and dynamodb:Query and nothing else - no UpdateItem, no DeleteItem, and no BatchWriteItem, whose put requests cannot carry a condition expression and would overwrite silently. Immutability is a permission you don't have.

03

WORM checkpoints

DynamoDB Streams → Lambda → S3 Object Lock. A stream of new events feeds a Lambda that computes the Merkle root over the chain and writes it to S3 with Object Lock in COMPLIANCE mode; until the retention period expires, no principal, the account root included, can overwrite or delete that object or shorten its retention.

Architecture

Single-table DynamoDB design with one partition key per tenant, so each tenant's events form an independent chain. The demo console verifies hash chains live and cross-checks the recomputed Merkle root against the immutable S3 checkpoints.

Next.js API (Append · Query · Verify) → DynamoDB (hash-chained events) → DynamoDB Streams (NEW_IMAGE feed) → Lambda (Merkle seal) → S3 Object Lock (WORM proof)

The demo moment

Edit a row. Watch it get caught.

Open the audit console and verify a clean chain, then edit a historical event directly in the DynamoDB console - the kind of change the app role cannot make. Click Verify Chain - the system pinpoints the first broken link and shows the recomputed Merkle root diverging from the WORM checkpoint.

Console features
  • Multi-tenant hash chain visualization
  • Live verify with WORM cross-check
  • Append events with flagged alerts
  • Compliance report export