DynamoDB Table Access Provisioning
DynamoDB Table Access Provisioning
3h 3m

This course provides detail on the AWS Database services relevant to the AWS Certified Developer - Associate exam. This includes Amazon RDS, Aurora, DynamoDB, MemoryDB for Redis, and ElastiCache.

Want more? Try a lab playground or do a Lab Challenge!

Learning Objectives

  • Obtain a solid understanding of the following Amazon database services: Amazon RDS, Aurora, DynamoDB, MemoryDB for Redis, and ElastiCache
  • Create an Amazon RDS database
  • Create a DynamoDB database
  • Create an ElastiCache cluster

DynamoDB table provisioning needs to consider Identity and Access Management to authorize the required access in order to allow database operators to perform their work. This is one of the first benefits of leveraging DynamoDB and that is a consolidated access management controls using identity and access management which is common for the rest of the AWS services and deployments. You can use administrator access for testing and experiments. 

However, for production workloads, it is important that you consider the best practice of applying the principle of least privilege and attribute the required access controls accordingly. A number of AWS-managed policies are available for DynamoDB including; full access, read only access, and Lambda invocation policies. The important detail to keep in mind is that in terms of operations, you want to provision access controls for individual tables or specific actions on set tables and sometimes even access to specific items and attributes exclusively.

The idea is to protect your data at all times and to provide the least amount of access required to perform a specific task. The example shown uses the identity and access management condition element to implement a fine-grain access control policy, allowing access to the music table items to a specific user ID. The condition element in this policy uses condition keys that are specific to DynamoDB policies and permissions. The DynamoDB leading keys condition allows users to access only items that match their user ID. The user ID in this case is identified by a substitution variable of the form ${}. Please note that in this case, we're talking about one of your application users and not an AWS account user. Also, when using the leading keys in a condition statement, you must use therefore all values modifier as shown on the screen. The DynamoDB attributes conditions limits access to the specified attributes.

It represents a list of attribute names in a request or the attributes that can be returned from a request. Finally, adding the StringEqualsIfExists condition ensures that the application always provides a list of specific attributes to use and cannot request all the attributes in a table. The principle at work here is that if any of the condition elements evaluates to false, the entire policy evaluates to false as well and access is denied. Please make sure to examine the AWS documentation for specifying conditions in DynamoDB policies as the possibilities available are extensive. You can use the QR code shown on the screen to get to the documentation quickly.


About the Author
Learning Paths

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.