Bobcares

Restrict IAM user to specific attributes in DynamoDB table

by | Aug 29, 2021

Wondering how to restrict an IAM user to specific attributes in a DynamoDB table? We can help you.

Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.

Today, let us see how to restrict an IAM user to a fixed set of attributes using DynamoDB fine-grained access control.


Restrict IAM user to specific attributes in DynamoDB table

With fine-grained access control (FGAC), we can control access to individual items, or to individual attributes of an item, for both read and write operations on a DynamoDB table.

FGAC is expressed as conditions in an IAM policy, using the predefined AWS-wide condition keys together with DynamoDB-specific keys such as dynamodb:Attributes and dynamodb:Select.

Allow read-only access to certain attributes of a table’s items

Suppose we have to allow a third-party application to read only the TopScore and TopScoreDateTime attributes of each user’s items, and nothing else (in particular, not PersonalDetails).

The table looks like this:

  1. Table name: GameScores
  2. Partition key: UserId (string)
  3. Sort key: GameTitle (string)
  4. Non-key attributes: PersonalDetails, Wins, Losses, TopScore, TopScoreDateTime

Because UserId and GameTitle are the partition and sort key attributes, the policy must allow them as well: DynamoDB needs the key attributes to locate items, so a policy that lists only TopScore and TopScoreDateTime would break even reads of the permitted attributes.

The criteria the example policy should meet are:

For Query and Scan API operations: allow the request only when the Select parameter is SPECIFIC_ATTRIBUTES (setting a ProjectionExpression implies this) and every attribute named in the ProjectionExpression is one of UserId, GameTitle, TopScore or TopScoreDateTime.

For GetItem, BatchGetItem and TransactGetItems API operations: allow the request only when the ProjectionExpression names nothing but UserId, GameTitle, TopScore or TopScoreDateTime.

The example IAM policy enforces this with the dynamodb:Attributes condition key (compared with ForAllValues:StringEquals, so every attribute the request names must be in the list) together with the dynamodb:Select key:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LimitAccessToSpecificAttributes",
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetItem",
                "dynamodb:Query",
                "dynamodb:BatchGetItem",
                "dynamodb:Scan",
                "dynamodb:TransactGetItems"
            ],
            "Resource": [
                "arn:aws:dynamodb:eu-west-1:123456789012:table/GameScores"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:Attributes": [
                        "TopScoreDateTime",
                        "TopScore",
                        "UserId",
                        "GameTitle"
                    ]
                },
                "StringEqualsIfExists": {
                    "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
                }
            }
        }
    ]
}

The client’s requests must name the allowed attributes explicitly. A request that does not (no Select and no ProjectionExpression) asks DynamoDB for every attribute, and reading every attribute is exactly what the policy does not allow, so the client receives an AccessDeniedException rather than a reduced result set.

Two details of the policy matter here. The dynamodb:Attributes list is compared with ForAllValues:StringEquals, so every attribute the request names must be in the list. The dynamodb:Select condition additionally forces Query and Scan to use SPECIFIC_ATTRIBUTES, so they cannot fall back to their default of returning all attributes. That Select condition must be written with StringEqualsIfExists rather than a plain StringEquals: GetItem, BatchGetItem and TransactGetItems have no Select parameter, so the key is absent from those requests, and a plain StringEquals fails on an absent key, which would deny them even with a correct ProjectionExpression.

For example, this query is denied because it uses neither Select nor ProjectionExpression to name the allowed attributes:

$ aws dynamodb query --table-name GameScores --key-condition-expression "UserId = :useridval" --expression-attribute-values '{":useridval":{"S":"stefano_123"}}'

A successful query request that specifies the TopScore, TopScoreDateTime, and GameTitle attributes will look similar to:

$ aws dynamodb query --table-name GameScores --key-condition-expression "UserId = :useridval" --expression-attribute-values '{":useridval":{"S":"stefano_123"}}' --projection-expression "TopScore, TopScoreDateTime, GameTitle"

Here’s an example of a successful GetItem request:

$ aws dynamodb get-item --table-name GameScores --key '{"UserId":{"S":"stefano_123"},"GameTitle":{"S":"Game Zero"}}' --projection-expression "UserId, GameTitle, TopScore, TopScoreDateTime"
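To check the policy without an AWS account, the following script is an added example that is not part of the original post and is not an AWS tool: it implements the documented IAM rules for the condition operators the policy uses (StringEquals, StringEqualsIfExists, ForAllValues:StringEquals), and replays the three CLI calls above plus two extra probes against the policy. The request contexts are constructed here; how DynamoDB fills them (a request with no projection covering every attribute, Query and Scan defaulting Select to ALL_ATTRIBUTES, GetItem carrying no Select key) is a modelling assumption stated in request_context(). The attribute names and table ARN are the ones from the page.

```python
"""Offline model of the IAM evaluation behind the attribute-limiting policy.

Added example, not code from the original page and not an AWS tool. It models
the documented IAM semantics of the condition operators used in the policy and
evaluates constructed request contexts against it.
"""
import fnmatch

TABLE_ARN = "arn:aws:dynamodb:eu-west-1:123456789012:table/GameScores"
ALLOWED = ["TopScoreDateTime", "TopScore", "UserId", "GameTitle"]
# Constructed sample: every attribute a GameScores item carries (from the page).
ALL_ATTRIBUTES = ["UserId", "GameTitle", "PersonalDetails", "Wins", "Losses",
                  "TopScore", "TopScoreDateTime"]


def make_policy(select_operator="StringEqualsIfExists"):
    """The page's policy, parameterised on the operator used for dynamodb:Select."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "LimitAccessToSpecificAttributes",
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:BatchGetItem",
                       "dynamodb:Scan", "dynamodb:TransactGetItems"],
            "Resource": [TABLE_ARN],
            "Condition": {
                "ForAllValues:StringEquals": {"dynamodb:Attributes": ALLOWED},
                select_operator: {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"},
            },
        }],
    }


def request_context(action, projection=None, select=None):
    """Context keys for one read request. Modelling assumption, following the
    page's description: a request with no projection returns every attribute, so
    dynamodb:Attributes lists all of them; Query and Scan carry dynamodb:Select,
    defaulting to ALL_ATTRIBUTES, and a projection implies SPECIFIC_ATTRIBUTES;
    GetItem-style calls have no Select parameter, so that key is absent."""
    ctx = {"dynamodb:Attributes": list(projection or ALL_ATTRIBUTES)}
    if action in ("dynamodb:Query", "dynamodb:Scan"):
        ctx["dynamodb:Select"] = select or ("SPECIFIC_ATTRIBUTES" if projection
                                            else "ALL_ATTRIBUTES")
    return ctx


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_holds(operator, key, expected, ctx):
    """IAM semantics for one condition entry, including the absent-key rules."""
    expected, present = _as_list(expected), key in ctx
    actual = _as_list(ctx.get(key, []))
    if operator == "StringEquals":                 # absent key -> false
        return present and len(actual) == 1 and actual[0] in expected
    if operator == "StringEqualsIfExists":         # absent key -> true
        return not present or (len(actual) == 1 and actual[0] in expected)
    if operator == "ForAllValues:StringEquals":    # absent or empty key -> true
        return all(a in expected for a in actual)
    if operator == "ForAnyValue:StringEquals":     # absent key -> false
        return any(a in expected for a in actual)
    raise ValueError(f"operator not modelled: {operator}")


def statement_matches(stmt, action, resource, ctx):
    """Action, Resource and every Condition entry must all match (they are ANDed)."""
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
        return False
    return all(condition_holds(op, key, exp, ctx)
               for op, entries in stmt.get("Condition", {}).items()
               for key, exp in entries.items())


def evaluate(policy, action, resource, ctx):
    """Explicit Deny wins, then any matching Allow, otherwise implicit Deny."""
    effects = {s["Effect"] for s in policy["Statement"]
               if statement_matches(s, action, resource, ctx)}
    return "Deny" if "Deny" in effects or "Allow" not in effects else "Allow"


def check_requests(policy):
    """Replay the page's three CLI calls (first three probes) plus two extra ones."""
    probes = {
        "query_no_projection": ("dynamodb:Query", None),
        "query_allowed_projection": ("dynamodb:Query",
                                     ["TopScore", "TopScoreDateTime", "GameTitle"]),
        "getitem_allowed_projection": ("dynamodb:GetItem", ALLOWED),
        "query_leaks_personal_details": ("dynamodb:Query", ["UserId", "PersonalDetails"]),
        "getitem_no_projection": ("dynamodb:GetItem", None),
    }
    return {name: evaluate(policy, action, TABLE_ARN, request_context(action, proj))
            for name, (action, proj) in probes.items()}


if __name__ == "__main__":
    for operator in ("StringEqualsIfExists", "StringEquals"):
        print(f"dynamodb:Select checked with {operator}:")
        for name, decision in check_requests(make_policy(operator)).items():
            print(f"  {name:32s} {decision}")
```

Running it shows the two outcomes a practitioner should expect: with StringEqualsIfExists, the query without a projection and any projection that names PersonalDetails are denied while the projected Query and GetItem calls are allowed; swapping in a plain StringEquals keeps the Query results but denies the GetItem call, because the request carries no dynamodb:Select key. For a check against the real evaluator, aws iam simulate-custom-policy accepts the same policy with --action-names, --resource-arns and --context-entries for the condition keys.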

[Stuck in between? We are here to help you]


Conclusion

In short, we saw how our Support Techs restrict an IAM user to specific attributes of a DynamoDB table for our customers.
