Creating an AWS IAM Policy for Amazon DynamoDB Access
Lab Steps
Introduction
Amazon DynamoDB is a NoSQL database that allows you to store and retrieve data in key-value pair and document formats. It also supports fine-grained access to data items using AWS IAM.
In this lab step, you will examine a pre-created DynamoDB table and its data items. And you will create an IAM policy that allows access to one item in the table.
Instructions
-
In the search bar at the top of the AWS Management Console, enter DynamoDB, and click the DynamoDB result under Services:
-
In the left-hand menu, under Tables, click Explore items:
-
In the left-hand Tables section, select the table named users:
-
In the main right-hand pane, scroll down to the Items returned section.
You will see items listed:
The users DynamoDB table has been populated with randomly generated data for you to test IAM policies with in this lab.
Note: If you do not see any items listed, then it's likely the lab hasn't finished setting up. Wait for the setup to complete and click the refresh icon:
To see all the fields, scroll to the right using the scrollbar at the bottom of the items table.
-
To open a new browser tab with the AWS Management Console open, in the top-left, right-click the AWS logo and click Open link in new tab
Note: Depending upon the browser you are using, the wording of the right-click context menu may differ.
-
In the new AWS Management Console tab, in the search bar at the top, enter IAM, and click the IAM result under Services:
The IAM dashboard page will load.
Note: You will see red error notifications on this page. These can be safely ignored; you only have the permissions required to complete the objectives of the lab.
-
In the left-hand menu, click Policies:
-
To start creating a new policy, at the top-right, click Create Policy:
A multi-step Create policy form wizard will appear.
-
To access the JSON editor, click the JSON tab:
-
Copy the following IAM policy and paste it into the JSON editor:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccessToOnlyItemsMatchingUserID",
      "Effect": "Allow",
      "Action": [
        "dynamodb:Query"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-west-2:*:table/users"
      ],
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": [
            "blue-0"
          ]
        }
      }
    }
  ]
}
This policy restricts access to items whose partition key is blue-0.
-
To move to the next form wizard step, at the bottom of the page, click Next: Tags:
This page allows you to add tags to your IAM policy. Adding tags is a best practice that makes filtering and tracking cloud resources easier. You do not need to add tags in this lab.
-
At the bottom of the page, move to the next page by clicking Next: Review:
-
In the Name textbox, enter dynamodb-policy:
Note: It's important to enter the Name as exactly dynamodb-policy. In a moment you will see an error if the policy name does not match.
-
To finish creating your policy, at the bottom of the page, click Create policy:
The Policies list page will load and you will see a green notification that your policy was created.
-
In the search box under Policies, enter dynamodb-policy and click the result named dynamodb-policy:
A page titled Summary will load.
Leave this page open, you will use it again in this lab.
-
In a new browser tab, open the following URL:
You will see a page load with two sections, Role policy and Result. The Role policy section shows the JSON representation of the policy you created named dynamodb-policy.
This is a Python web application that has been created for you to test Amazon DynamoDB policies with in this lab. When you refresh the page with certain query string parameters, the application will attempt to query Amazon DynamoDB using the dynamodb-policy you created.
If you are curious about the implementation of the web application you can view the source code on GitHub.
-
Append the following to the end of the URL:
?user_id=blue-0
Note: If you see an error, wait a minute or two and retry. A newly created IAM policy can take a minute or two to take effect and become available.
-
Scroll down to the Result section and observe that an item is returned.
This web application is doing the following:
- Attaching your dynamodb-policy to an IAM role
- Using the IAM role to query the Amazon DynamoDB table for an item where the UserId is blue-0
Note the following about the policy you created:
- It only allows access to the dynamodb:Query action
- It's restricted to the pre-created DynamoDB table (the Resource ARN wildcards the account ID, which is fine for a lab account you don't know in advance; in a production policy you would pin it to your own account)
- It has a condition that uses the dynamodb:LeadingKeys condition key
- The DynamoDB condition key is within a ForAllValues:StringEquals condition
The full list of Amazon DynamoDB specific condition keys can be found on the Actions, resources, and condition keys for Amazon DynamoDB page of the AWS Service Authorization Reference.
LeadingKeys refers to the partition key of the table. In this case, the partition key is the UserId column. ForAllValues means every partition key value named in the request must be in the allowed list. Be aware that a ForAllValues condition also evaluates to true when the request carries no value for the key at all, so it should be paired with a tightly scoped Action list, as it is here (a Query always names a partition key), rather than relied on by itself.
Leave this browser tab open. You will use this application again in the next lab step.
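To see how the Action, Resource and LeadingKeys condition above actually gate a request, here is an added example written for this page (it is not the lab's web application and not AWS's policy engine): a small Python model of IAM's evaluation of the dynamodb-policy. It builds the low-level Query parameters the application has to send for a given user_id, derives the dynamodb:LeadingKeys request context from them, and checks the policy's Action, Resource and ForAllValues:StringEquals condition. The account ID in TABLE_ARN and the UserId value blue-1 are assumptions; the evaluator is deliberately simplified to the operators this policy uses.

```python
"""Simplified model of how IAM evaluates the lab's dynamodb-policy.

Added for this page, not the lab's web application and not AWS's policy engine.
It models only what the policy uses: an Allow statement with Action and Resource
lists and a ForAllValues:StringEquals condition on dynamodb:LeadingKeys.
"""
import json
import re

# The policy created in the lab, verbatim.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowAccessToOnlyItemsMatchingUserID",
    "Effect": "Allow",
    "Action": ["dynamodb:Query"],
    "Resource": ["arn:aws:dynamodb:us-west-2:*:table/users"],
    "Condition": {"ForAllValues:StringEquals": {"dynamodb:LeadingKeys": ["blue-0"]}}
  }]
}
""")

TABLE_ARN = "arn:aws:dynamodb:us-west-2:123456789012:table/users"  # account id assumed
PARTITION_KEY = "UserId"  # partition key of the users table

def build_query_request(table, user_id):
    """Low-level Query parameters for one UserId: what the lab's application
    has to send for ?user_id=<value>."""
    return {
        "TableName": table,
        "KeyConditionExpression": f"{PARTITION_KEY} = :uid",
        "ExpressionAttributeValues": {":uid": {"S": user_id}},
    }

def leading_keys(request):
    """Partition-key values IAM exposes as dynamodb:LeadingKeys. A Query names
    exactly one ('UserId = :placeholder'); a request without a key condition,
    such as a Scan, resolves to an empty set."""
    expr = request.get("KeyConditionExpression", "")
    m = re.match(rf"\s*{PARTITION_KEY}\s*=\s*(:\w+)", expr)
    if not m:
        return set()
    return {request["ExpressionAttributeValues"][m.group(1)]["S"]}

def _wild(pattern, value):
    # IAM Action/Resource matching: '*' matches any run, '?' one character.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def condition_holds(condition, context):
    """Evaluate StringEquals, plain or with the ForAllValues set qualifier.
    context maps a condition key to the set of values present in the request."""
    for operator, pairs in condition.items():
        qualifier, _, op = operator.rpartition(":")
        if op != "StringEquals" or qualifier not in ("", "ForAllValues"):
            raise NotImplementedError(operator)  # only what this model needs
        for key, allowed in pairs.items():
            allowed, present = set(_as_list(allowed)), context.get(key, set())
            if qualifier == "ForAllValues":
                # Every request value must be allowed. An absent or empty key
                # also passes, which is why ForAllValues with Allow needs care.
                if not present <= allowed:
                    return False
            elif len(present) != 1 or not present <= allowed:
                return False  # plain StringEquals: exactly one matching value
    return True

def is_allowed(policy, action, resource, context):
    """Implicit deny unless an Allow statement matches action, resource and condition."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_wild(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wild(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False

def query_allowed(user_id, table_arn=TABLE_ARN):
    """Would the lab policy let a Query for this UserId through?"""
    request = build_query_request("users", user_id)
    context = {"dynamodb:LeadingKeys": leading_keys(request)}
    return is_allowed(POLICY, "dynamodb:Query", table_arn, context)

if __name__ == "__main__":
    for uid in ("blue-0", "blue-1"):  # blue-1 is an assumed, non-matching value
        print(uid, "->", "allowed" if query_allowed(uid) else "denied")
```

Running it prints that blue-0 is allowed and blue-1 is denied. Three other calls are worth trying: a Query against a different table ARN is denied by the Resource match, a Scan carrying the right LeadingKeys is still denied because the Action list is only dynamodb:Query, and a Query with no dynamodb:LeadingKeys in the context at all is allowed, which is the ForAllValues behaviour described above and the reason the narrow Action list matters.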
Summary
In this lab step, you created an AWS IAM policy and you used a web application that used your policy to query an Amazon DynamoDB table.
Check that a customer managed IAM policy with the given name exists