Fine-grained access control - DynamoDB Access Control and Authentication
DynamoDB access control provides administrators with fine-grained control over user access at the table, index, and attribute level. Access to DynamoDB resources can be controlled through identity and access management (IAM) policies and resource-based policies. In addition, AWS provides a host of authentication options that can be used to authenticate user requests to access DynamoDB.
Syntax
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:BatchGetItem",
        "dynamodb:GetItem",
        "dynamodb:BatchWriteItem",
        "dynamodb:PutItem",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:UpdateItem"
      ],
      "Resource": "arn:aws:dynamodb:region:account-id:table/table-name"
    }
  ]
}
Example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:BatchGetItem",
        "dynamodb:GetItem",
        "dynamodb:BatchWriteItem",
        "dynamodb:PutItem",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:UpdateItem"
      ],
      "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/my-dynamodb-table"
    },
    {
      "Effect": "Deny",
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:UpdateItem"
      ],
      "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/my-dynamodb-table",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": [
            "user1",
            "user2"
          ]
        }
      }
    }
  ]
}
Output
This policy allows the DynamoDB operations listed in the first statement on my-dynamodb-table, except for PutItem and UpdateItem when the items have a leading key of user1 or user2.
Explanation
Fine-grained access control allows you to control user access at the table, index, and attribute level. You can use IAM policies and resource-based policies to restrict user access to specific actions or resources within DynamoDB.
In the example above, the policy allows the user to perform most DynamoDB operations on my-dynamodb-table. However, the policy restricts PutItem and UpdateItem actions when the item being modified has a leading key of user1 or user2. This way, the user cannot write or modify items with those specific keys through PutItem or UpdateItem.
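The following added example (not part of the original page, and not AWS's policy engine) is a simplified model of how the example policy's two statements combine: an explicit Deny overrides an Allow, and anything not allowed is implicitly denied. It assumes exact-match actions and ARNs, models only the ForAllValues:StringEquals operator, and assumes dynamodb:LeadingKeys holds the partition key values of the items in the request; the requests are constructed.

```python
TABLE = "arn:aws:dynamodb:us-west-2:123456789012:table/my-dynamodb-table"
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["dynamodb:BatchGetItem", "dynamodb:GetItem", "dynamodb:BatchWriteItem",
                "dynamodb:PutItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:UpdateItem"],
     "Resource": TABLE},
    {"Effect": "Deny",
     "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem"],
     "Resource": TABLE,
     "Condition": {"ForAllValues:StringEquals": {"dynamodb:LeadingKeys": ["user1", "user2"]}}},
]}

def condition_matches(condition, context):
    """Model only ForAllValues:StringEquals, the one operator this policy uses."""
    for operator, keys in condition.items():
        if operator != "ForAllValues:StringEquals":
            raise ValueError(f"operator not modelled: {operator}")
        for key, allowed in keys.items():
            # ForAllValues is true when every request value is in the policy list,
            # which includes the case where the request carries no value at all.
            if not all(v in allowed for v in context.get(key, [])):
                return False
    return True

def evaluate(policy, action, resource, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request (exact matches only)."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if action not in stmt["Action"] or resource != stmt["Resource"]:
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins over any allow
        decision = "Allow"
    return decision

def demo():
    # Constructed requests: (action, leading keys of the items being touched).
    requests = [("dynamodb:PutItem", ["user1"]), ("dynamodb:PutItem", ["user3"]),
                ("dynamodb:BatchWriteItem", ["user1"]), ("dynamodb:DeleteItem", ["user3"])]
    return {(a, tuple(k)): evaluate(POLICY, a, TABLE, {"dynamodb:LeadingKeys": k})
            for a, k in requests}

if __name__ == "__main__":
    for request, decision in demo().items():
        print(request, "->", decision)
```

In this model the BatchWriteItem request for user1 is allowed, because the Deny statement names only PutItem and UpdateItem; a policy meant to block every write path to those keys needs to cover each write action it allows.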
Use
You can use fine-grained access control in DynamoDB to restrict user access to specific parts of your database. For example, you may want to allow read access to certain tables or indexes, but deny write access to those same resources. Additionally, you can restrict access to certain attributes within a table or index for added security.
Important Points
- Fine-grained access control is implemented through IAM policies and resource-based policies.
- You can use fine-grained access control to control user access at the table, index, and attribute level.
- You can restrict access to specific DynamoDB operations or to specific resources within DynamoDB.
- You can use conditions to further refine access to specific resources within DynamoDB.
Summary
Fine-grained access control in DynamoDB allows administrators to finely control user access to tables, indexes, and attributes within the database. IAM policies and resource-based policies are used to restrict access to specific actions or resources. This can help improve database security by ensuring that users only have access to the resources they need to perform their tasks.