Sumit Arora

Reputation: 5241

How to define IAM Policy for a user to have programmatic full or limited access only for specific dynamodb tables?

One of my projects uses DynamoDB tables, but we have a few developers on that project. We would like to give each user a specific Secret Key and Access Key so that they can use specific DynamoDB tables only, e.g. one table for read access only, and one table for read and write access.

Upvotes: 0

Views: 1060

Answers (2)

Bahadir Tasdemir

Reputation: 10783

As it is stated here:

The following policy can be attached to an IAM group and gives a user permission to programmatically access a DynamoDB table whose name matches the user's name. For example, user Bob can perform any DynamoDB actions in the table named Bob. The policy can be attached to a group that contains users who are allowed to each manage their own DynamoDB table.

So you can set your policy as follows if you want to grant FULL access to a specific user for a table:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "dynamodb:*",
    "Resource": "arn:aws:dynamodb:AWS-REGION-IDENTIFIER:ACCOUNT-ID-WITHOUT-HYPHENS:table/${aws:username}"
  }]
}

Using IAM Policy Conditions for Fine-Grained Access Control

For example, let's say we want to grant permissions that limit access to specific attributes in a Table:

Sample IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LimitAccessToSpecificAttributes",
            "Effect": "Allow",
            "Action": [
                "dynamodb:UpdateItem",
                "dynamodb:GetItem",
                "dynamodb:Query",
                "dynamodb:BatchGetItem",
                "dynamodb:Scan"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-west-2:123456789012:table/GameScores"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:Attributes": [
                        "UserId",
                        "TopScore"
                    ]
                },
                "StringEqualsIfExists": {
                    "dynamodb:Select": "SPECIFIC_ATTRIBUTES",
                    "dynamodb:ReturnValues": [
                        "NONE",
                        "UPDATED_OLD",
                        "UPDATED_NEW"
                    ]
                }
            }
        }
    ]
}

Explanation:

This part lists the actions that the related users can perform.

"Action": [ 
    "dynamodb:UpdateItem",
    "dynamodb:GetItem",
    "dynamodb:Query",
    "dynamodb:BatchGetItem",
    "dynamodb:Scan"
],

As explained in the first sample, this is the access point description (the resource):

"Resource": [
    "arn:aws:dynamodb:us-west-2:123456789012:table/GameScores"
]

Here, with the keyword 'ForAllValues:StringEquals', the specified user can only request the attributes "UserId" and "TopScore".

"ForAllValues:StringEquals": {
    "dynamodb:Attributes": [
        "UserId",
        "TopScore"
    ]
}

The definition of the StringEqualsIfExists can be understood in the following explanation:

The StringEqualsIfExists clause in the permissions policy ensures the following:

If the user specifies the Select parameter, then its value must be SPECIFIC_ATTRIBUTES. This requirement prevents the API action from returning any attributes that aren't allowed, such as from an index projection. If the user specifies the ReturnValues parameter, then its value must be NONE, UPDATED_OLD or UPDATED_NEW. This is required because the UpdateItem action also performs implicit read operations to check whether an item exists before replacing it, and so that previous attribute values can be returned if requested. Restricting ReturnValues in this way ensures that users can only read or write the allowed attributes. The StringEqualsIfExists clause assures that only one of these parameters — Select or ReturnValues — can be used per request, in the context of the allowed actions.

"StringEqualsIfExists": {
    "dynamodb:Select": "SPECIFIC_ATTRIBUTES",
    "dynamodb:ReturnValues": [
        "NONE",
        "UPDATED_OLD",
        "UPDATED_NEW"
    ]
}

You can find the complete samples here.

Upvotes: 1

Khalid T.

Reputation: 10547

You can use an IAM policy similar to this one and attach it to your group or user(s):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StatementForTable1",
            "Effect": "Allow",
            "Action": [
                "dynamodb:Scan",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:BatchGetItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:REGION:ACCOUNT:table/Table1"
            ]
        },
        {
            "Sid": "StatementForTable2",
            "Effect": "Allow",
            "Action": [
                "dynamodb:Scan",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:BatchGetItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:REGION:ACCOUNT:table/Table2"
            ]
        }
    ]
}

Upvotes: 1
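As an added example (not from the question or either answer), here is a small offline Python evaluator that models how IAM applies the two condition operators explained in the first answer, ForAllValues:StringEquals and StringEqualsIfExists, to a request against the GameScores policy; the same is_allowed check also covers plain per-table Allow statements like those in the second answer. It assumes the caller supplies the request context dictionary (real DynamoDB fills dynamodb:Attributes, dynamodb:Select and dynamodb:ReturnValues from the API call), and it does not model Deny statements or other operators.

```python
import fnmatch
import json

# Constructed policy (not copied verbatim from the page): the GameScores
# attribute restrictions explained in the first answer.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:UpdateItem"],
    "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/GameScores",
    "Condition": {
      "ForAllValues:StringEquals": {"dynamodb:Attributes": ["UserId", "TopScore"]},
      "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES",
                               "dynamodb:ReturnValues": ["NONE", "UPDATED_OLD", "UPDATED_NEW"]}}
  }]
}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_ok(cond, ctx):
    # ctx maps condition keys to the values carried by the request
    for op, pairs in cond.items():
        for key, allowed in pairs.items():
            allowed = _as_list(allowed)
            if op == "ForAllValues:StringEquals":
                # every requested value must be in the allowed set; an absent or empty key passes
                if not all(v in allowed for v in _as_list(ctx.get(key, []))):
                    return False
            elif op == "StringEqualsIfExists":
                # enforced only when the request actually carries the key
                if key in ctx and ctx[key] not in allowed:
                    return False
            else:  # fail closed on operators this toy evaluator does not model
                raise NotImplementedError(op)
    return True

def is_allowed(policy, action, resource, ctx=None):
    # True if some Allow statement matches action, resource and condition context
    ctx = ctx or {}
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(st["Resource"])):
            continue
        if _condition_ok(st.get("Condition", {}), ctx):
            return True
    return False
```

A GetItem that projects only UserId is allowed, one that also asks for Email is not, and an UpdateItem that asks for ReturnValues ALL_NEW is refused even though the written attributes are permitted.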
