CODEWITHSUNDEEP
amazon-web-servicesamazon-dynamodbamazon-iam
u936293
u936293

Reputation: 16234

What is the access control model for DynamoDB?

In a traditional MySql Server situation, as the owner of a database, I create a User and from the database I grant certain access rights to the User object. An application can then (and only) access the database by supplying the password for the User.

I am confused and don't see a parallel when it comes to giving access to a DynamoDB table. From the DynamoDB Tables page, I can't find a means to grant permission for an IAM user to access a table. There is an Access Control tab, but that appears to be for Facebook/Google users.

I read about attaching policies but am confused further. How is access controlled if anyone can create a policy that can access all tables?

What am I missing? I just want to create a "login" for a Node application to access my DynamoDB table.

Upvotes: 2

Views: 2179

Answers (2)

CleberTXR
CleberTXR

Reputation: 184

To set specific permissions for certain tables as in SQL Server you must do this:

In Identity and Access Management (IAM) create a new security policy on the JSON tab:

Picture of the new policy setting screen on the JSON tab

  • Use the following JSON as an example to allow a full CRUD or remove the items within the "Action" section to allow only the desired items:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListAndDescribe",
            "Effect": "Allow",
            "Action": [
                "dynamodb:List*",
                "dynamodb:DescribeReservedCapacity*",
                "dynamodb:DescribeLimits",
                "dynamodb:DescribeTimeToLive"
            ],
            "Resource": "*"
        },
        {
            "Sid": "SpecificTable",
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchGet*",
                "dynamodb:DescribeStream",
                "dynamodb:DescribeTable",
                "dynamodb:Get*",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:BatchWrite*",
                "dynamodb:CreateTable",
                "dynamodb:Delete*",
                "dynamodb:Update*",
                "dynamodb:PutItem"
            ],
            "Resource": "arn:aws:dynamodb:*:*:table/MyTable"
        }
    ]
}

Give the policy a name and save it.

Policy review screen created

After that, go to the Identity and Access Management (IAM) Users screen and create a new user as shown below.

Set the Access type field to Programmatic access

  • Remember to set the field ** Access type ** as * Programmatic access *, it is not necessary to add the user to a group, click on "Atach existing policies directly" and add the policy previously created.

Previously created policy selected for addition

Finished! You already have everything you need to connect your application to Dynamodb.

Upvotes: 0

Ele
Ele

Reputation: 33726

If anyone in your AWS account can create IAM policies you have a real security issue.

Only a few accounts should do that (Create IAM policies).

DynamoDB accesses work along with IAM user like you said, so, you need to do the following:

  • Create IAM groups to classify your IAM users, for example, DBAGroup for dbas, DEVGroup for developers and so on.
  • Create IAM policies to grant specific access to your DynamoDB tables for each group.
  • Apply the policies to the specific groups for granting accesses.

For login purposes, you need to develop a module that will verify the credentials with IAM service, so you need to execute IAM API calls. This module could be deployed within an EC2, could be a Javascript call to an API Gateway's endpoint along with a Lambda function, Etc.

What you need to do:

  • Create an account on IAM service that will be able to execute API calls to the IAM service for verifying credentials (Login and password).
  • This account should have only permissions for doing that (Verify user login and password).
  • Use the API credentials to be able to execute API calls.

If you don't want to create your own module for login purposes, take a look at Amazon Cognito

Amazon Cognito lets you add user sign-up/sign-in and access control to your web and mobile apps quickly and easily. Cognito scales to millions of users and supports sign-in with social identity providers such as Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0.

The last step is how your module execute API calls to IAM service? As you may know, we need API Credentials. So, using the logged user's credentials you will be able to execute API calls to read data from tables, execute CRUD operations, Etc.

Upvotes: 1

Related Questions