Wondering how to restrict IAM user to specific attributes in DynamoDB table? We can help you.
Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.
Today, let us see how to restrict an IAM user to specific attributes of a DynamoDB table.
Restrict IAM user to specific attributes in DynamoDB table
With fine-grained access control (FGAC), we can control access to individual items or item attributes for both read and write operations in a DynamoDB table.
Conditions in the access policy are written with predefined AWS-wide condition keys and DynamoDB-specific condition keys such as dynamodb:Attributes and dynamodb:Select.
Allow read-only access to certain attributes of a table’s items
Let us discuss what to do if we have to allow a third-party application to read only the TopScore and TopScoreDateTime attributes for each user.
The properties in this table include:
- Table name: GameScores
- Partition key: UserId (string)
- Sort key: GameTitle (string)
- Non-key attributes: PersonalDetails, Wins, Losses, TopScore, TopScoreDateTime
Since UserId and GameTitle are the partition key and sort key attributes, the IAM policy must allow them as well: every Query or GetItem names them in its key condition or key, and DynamoDB returns them with each item.
The criteria the example policy should meet are:
For Query or Scan API operations: allow requests whose Select parameter is SPECIFIC_ATTRIBUTES (supplying a ProjectionExpression implies this) and whose ProjectionExpression names only UserId, GameTitle, TopScore, or TopScoreDateTime.
For GetItem, BatchGetItem, and TransactGetItems API operations: allow requests whose ProjectionExpression names only UserId, GameTitle, TopScore, or TopScoreDateTime.
The example IAM policy uses the dynamodb:Attributes condition key with the ForAllValues:StringEquals operator, so every attribute a request names must be in the allowed list, together with the dynamodb:Select condition key to require SPECIFIC_ATTRIBUTES:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "LimitAccessToSpecificAttributes",
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:Query",
"dynamodb:BatchGetItem",
"dynamodb:Scan",
"dynamodb:TransactGetItems"
],
"Resource": [
"arn:aws:dynamodb:eu-west-1:123456789012:table/GameScores"
],
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:Attributes": [
"TopScoreDateTime",
"TopScore",
"UserId",
"GameTitle"
]
},
"StringEquals": {
"dynamodb:Select": "SPECIFIC_ATTRIBUTES"
}
}
}
]
}
In addition, the client's requests must name the allowed attributes explicitly. A request without a projection returns every attribute of each item, including PersonalDetails, Wins, and Losses.
The IAM policy does not allow the client to read all attributes, so such a request fails with an AccessDeniedException. Note that ForAllValues:StringEquals on its own also matches a request whose context has no dynamodb:Attributes values at all; the StringEquals condition on dynamodb:Select is what forces the caller to always supply a specific attribute list.
For example, this query fails because it uses neither Select nor ProjectionExpression to restrict the attributes:
$ aws dynamodb query --table-name GameScores --key-condition-expression "UserId = :useridval" --expression-attribute-values '{":useridval":{"S":"stefano_123"}}'
A successful query request that projects only the TopScore, TopScoreDateTime, and GameTitle attributes (UserId is already named in the key condition) looks like this:
$ aws dynamodb query --table-name GameScores --key-condition-expression "UserId = :useridval" --expression-attribute-values '{":useridval":{"S":"stefano_123"}}' --projection-expression "TopScore, TopScoreDateTime, GameTitle"
Here’s an example of a successful GetItem request:
$ aws dynamodb get-item --table-name GameScores --key '{"UserId":{"S":"stefano_123"},"GameTitle":{"S":"Game Zero"}}' --projection-expression "UserId, GameTitle, TopScore, TopScoreDateTime"
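To make the policy's two conditions concrete, here is an added Python model of how they are evaluated against the requests above. It is example code written for this post, not AWS's policy evaluator and not part of the original article. The way the request context is built (which attribute names land in dynamodb:Attributes, and when dynamodb:Select is set) is a simplified assumption that follows the behaviour described above, and the GameScores attribute set is constructed sample data.

```python
"""Simplified model of the LimitAccessToSpecificAttributes policy conditions.

Added example, not AWS's evaluator: it re-implements the two IAM condition
operators the policy uses (ForAllValues:StringEquals and StringEquals) and
builds the request context from the shape of the CLI calls shown above.
"""
from typing import Optional

# Allowed set from the policy's dynamodb:Attributes condition.
ALLOWED_ATTRIBUTES = {"UserId", "GameTitle", "TopScore", "TopScoreDateTime"}
REQUIRED_SELECT = "SPECIFIC_ATTRIBUTES"

# Constructed sample: every attribute of the GameScores table, used to model a
# request with no projection, which would return whole items.
TABLE_ATTRIBUTES = {"UserId", "GameTitle", "PersonalDetails", "Wins", "Losses",
                    "TopScore", "TopScoreDateTime"}


def projection_attributes(expr: Optional[str]) -> Optional[set]:
    """Split a ProjectionExpression such as 'TopScore, TopScoreDateTime, GameTitle'
    into attribute names. Returns None when no projection was supplied.
    Assumption: plain names only; '#placeholder' names are not resolved here."""
    if expr is None:
        return None
    return {name.strip() for name in expr.split(",") if name.strip()}


def request_context(action: str, key_attributes: set, projection: Optional[str]) -> dict:
    """Build the condition-key context IAM evaluates for one DynamoDB request.

    Modelling assumptions: dynamodb:Attributes holds the key attributes named in
    the request plus the projected attributes, or every table attribute when no
    projection is given; dynamodb:Select is SPECIFIC_ATTRIBUTES whenever a
    ProjectionExpression is present, ALL_ATTRIBUTES for a Query/Scan without
    one, and absent for a GetItem without one.
    """
    projected = projection_attributes(projection)
    ctx = {}
    if projected is None:
        ctx["dynamodb:Attributes"] = set(TABLE_ATTRIBUTES)
        if action in ("Query", "Scan"):
            ctx["dynamodb:Select"] = "ALL_ATTRIBUTES"
    else:
        ctx["dynamodb:Attributes"] = set(key_attributes) | projected
        ctx["dynamodb:Select"] = REQUIRED_SELECT
    return ctx


def for_all_values_string_equals(ctx: dict, key: str, allowed: set) -> bool:
    """IAM ForAllValues:StringEquals: every value of the key must be in the
    allowed set. Documented pitfall: an absent or empty key also matches."""
    values = ctx.get(key)
    if not values:
        return True
    return set(values) <= allowed


def string_equals(ctx: dict, key: str, expected: str) -> bool:
    """IAM StringEquals: the key must be present and equal; a missing key fails."""
    return ctx.get(key) == expected


def is_allowed(action: str, key_attributes: set, projection: Optional[str]) -> bool:
    """Evaluate the policy's Condition block (both conditions must hold)."""
    ctx = request_context(action, key_attributes, projection)
    return (for_all_values_string_equals(ctx, "dynamodb:Attributes", ALLOWED_ATTRIBUTES)
            and string_equals(ctx, "dynamodb:Select", REQUIRED_SELECT))


if __name__ == "__main__":
    # The three CLI calls above, plus a request that asks for a non-allowed attribute.
    cases = [
        ("Query without projection", "Query", {"UserId"}, None),
        ("Query with allowed projection", "Query", {"UserId"},
         "TopScore, TopScoreDateTime, GameTitle"),
        ("GetItem with allowed projection", "GetItem", {"UserId", "GameTitle"},
         "UserId, GameTitle, TopScore, TopScoreDateTime"),
        ("GetItem asking for PersonalDetails", "GetItem", {"UserId", "GameTitle"},
         "UserId, PersonalDetails"),
    ]
    for label, action, keys, proj in cases:
        verdict = "allowed" if is_allowed(action, keys, proj) else "AccessDeniedException"
        print(f"{label}: {verdict}")
```

Running it reports the first case and the PersonalDetails case as denied and the two projected requests as allowed, which is the behaviour the CLI examples above illustrate. The subset check in for_all_values_string_equals is the reason "contains" is the wrong mental model for dynamodb:Attributes: one extra attribute in the projection fails the whole request.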
Conclusion
In short, we saw how our Support Techs restrict an IAM user to specific attributes of a DynamoDB table using the dynamodb:Attributes and dynamodb:Select condition keys.