Controlling Amazon DynamoDB Access Using AWS IAM Policies

Introduction

In this lab step, you will modify your IAM policy to allow access to a subset of items in the Amazon DynamoDB table, and you will see how to restrict access to specific item attributes.

Instructions

  1. In the IAM tester web application, change the URL to the following, and refresh the page:

    ?user_id=blue-3

    blue-3 is the user id of another item in the Amazon DynamoDB table.

    This time you will see an AccessDeniedException message in the Result section. This is because the policy you created specifies that query access is only allowed where the partition key is blue-0.

  2. Return to your browser tab with the AWS IAM policy summary page open.

  3. To start updating your policy, on the Permissions tab, click Edit policy.

  4. To see the JSON representation of the policy, click the JSON tab.

  5. Replace the contents of the JSON editor with the following policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowAccessToOnlyItemsMatchingUserID",
          "Effect": "Allow",
          "Action": [
            "dynamodb:Query"
          ],
          "Resource": [
            "arn:aws:dynamodb:us-west-2:*:table/users"
          ],
          "Condition": {
            "ForAllValues:StringLike": {
              "dynamodb:LeadingKeys": [
                "blue-*"
              ]
            }
          }
        }
      ]
    }

    There are two changes in this policy:

    • The condition operator has changed from ForAllValues:StringEquals to ForAllValues:StringLike
    • The value of the dynamodb:LeadingKeys condition key now ends with an asterisk, which is the wildcard character

    This policy allows access to any item in the Amazon DynamoDB table whose partition key begins with blue-.

    In this lab, you are using sample data for demonstration purposes. AWS IAM policies support substitution variables that can be used to integrate with Web Identity Federation. These substitution variables allow you to write general policies that apply to entities in a specific identity provider (IdP). To learn more, visit the Using Web Identity Federation page of the Amazon DynamoDB Developer Guide.

  6. To save the policy changes, click Review policy and on the following page, click Save changes.

  7. Refresh your browser tab with the IAM tester web application open.

    This time you will see a result returned for the user record with the UserId of blue-3.

    Optional: Change the user_id in the address bar to blue-0 or blue-6 to confirm that your policy grants access to other records where the partition key begins with blue-.

    Next, you will see how to limit access to specific attributes.

  8. Return to your IAM Management Console browser tab with the dynamodb-policy summary open and click Edit policy.

  9. To change the policy, click the JSON tab and replace the contents with the following:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowAccessOnlyToSpecificAttributes",
          "Effect": "Allow",
          "Action": [
            "dynamodb:Query"
          ],
          "Resource": [
            "arn:aws:dynamodb:us-west-2:*:table/users"
          ],
          "Condition": {
            "ForAllValues:StringEquals": {
              "dynamodb:Attributes": [
                "UserId",
                "LoginCount",
                "Email"
              ]
            },
            "StringEqualsIfExists": {
              "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
            }
          }
        }
      ]
    }

    This policy no longer contains a LeadingKeys condition and now has the following:

    • A dynamodb:Attributes condition key whose values are the list of allowed attribute names
    • A dynamodb:Select condition key with the value SPECIFIC_ATTRIBUTES

    This policy allows a query against any item in the table, but only when the request asks for a subset of the item's attributes and every requested attribute is in the allowed list. The dynamodb:Select condition is what makes the restriction effective: a ForAllValues condition evaluates as true when the request supplies no values for the key, so without it a query that asks for all attributes (and therefore names none) would be allowed.

  10. To save the policy changes, click Review policy and on the following page, click Save changes.

  11. In your browser tab with the policy tester web application open, replace the query string with the following:

    Copy code
    ?user_id=blue-0&attributes=UserId,LoginCount,Email,Active

    The attributes query string parameter is a comma-separated list of attributes to query for.

    You will see an AccessDeniedException in response. This is because the Active attribute is not an allowed attribute in your policy.

  12. Remove ,Active from the end of the query string in the address bar and press enter.

    Note: Ensure you remove the last comma from the end of the query string.

    This time, you will see a result returned showing a subset of the item's attributes. You requested only the attributes that are allowed in your policy, so the query request was allowed.

Summary

In this lab, you created a new AWS IAM policy that restricts access to Amazon DynamoDB items with a specific partition key. You modified the policy to use a wildcard, and you saw how to restrict access to a subset of an item's attributes.

Validation checks
Restricted Access to Specific Attributes

Check if the IAM policy restricts access to specific attributes