DynamoDB Access Control - The Ultimate Guide

Written by Rafal Wilinski

Published on April 25th, 2020

Accessing DynamoDB is a bit different from working with traditional databases. Most of us are accustomed to long-lived connections to SQL databases authenticated with a username and password combination. DynamoDB is different, and this article covers how access to it actually works.

Access Control & DynamoDB Security Best Practices

Access to DynamoDB is secured using IAM (Identity and Access Management). This means you need a valid AWS identity to authenticate your requests, and that identity must have sufficient permissions to create or access DynamoDB resources. Authentication in AWS can be achieved in a number of ways:

• using the AWS account root user, from the AWS console or with an access key / secret key pair
• using an IAM user, from the AWS console or with an access key / secret key pair
• using an IAM role attached to an AWS resource, such as an AWS Lambda function or EC2 instance
• using AWS Vault, an open-source tool that issues temporary credentials from long-lived IAM identities stored securely on your machine
• using AWS SSO, a cloud service that lets you grant your users access to AWS resources

How to Give Lambda Access to DynamoDB

Using Console

First, open the Lambda function that needs access to DynamoDB and go to the "Permissions" tab. On that tab, click "View Role Document".

An editor should pop up. Add the following inline policy to the policies array:

This gives the Lambda function admin permissions on <table-name>.

Using Serverless Framework

Adding IAM permissions to your Lambda functions in the Serverless Framework is as easy as extending the provider.iamRoleStatements list in serverless.yml like so:
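The policy snippets for the console and Serverless Framework steps above did not survive on this page, so here is an added example (not the article's own policy) of the inline statement that grants a Lambda function full access to a single table and its secondary indexes. `<region>`, `<account-id>` and `<table-name>` are placeholders to fill in. The same three-key object (Effect, Action, Resource) is what Serverless expects as one entry under `provider.iamRoleStatements`.

```json
{
  "Effect": "Allow",
  "Action": "dynamodb:*",
  "Resource": [
    "arn:aws:dynamodb:<region>:<account-id>:table/<table-name>",
    "arn:aws:dynamodb:<region>:<account-id>:table/<table-name>/index/*"
  ]
}
```

Two things to check before shipping this: the Resource is the table ARN (plus its indexes), not `"*"`, so the function cannot touch any other table even though the action is a wildcard; and for a production function you should replace `dynamodb:*` with the handful of actions the code actually calls (for example `dynamodb:GetItem`, `dynamodb:PutItem`, `dynamodb:Query`), which keeps a compromised function from deleting the table or changing its settings.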

How to Access DynamoDB From EC2

Accessing DynamoDB from an EC2 instance can be achieved in two ways:

• Using access and secret keys. The AWS SDK or CLI will use a pair of strings stored in the ~/.aws directory or in environment variables. This method is not recommended because long-lived credentials sitting on the instance are a security risk
• Using an IAM role. This is the preferred way: the instance gets an IAM role assigned and uses it to perform actions against AWS resources. More on that here

AWS IAM & DynamoDB Read-Only Policy

If you want to give your teammates read-only access to the databases, you can use the following IAM policy:

It allows them to list all of the tables in the AWS account but read data only from the <table-name> table.
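The read-only policy itself is missing from this page; the following is an added example (not the article's policy) that matches the description above. `dynamodb:ListTables` is an account-level action and only works with Resource `"*"`, so it sits in its own statement; the data-reading actions are scoped to the one table and its indexes. `<region>`, `<account-id>` and `<table-name>` are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListAllTables",
      "Effect": "Allow",
      "Action": "dynamodb:ListTables",
      "Resource": "*"
    },
    {
      "Sid": "ReadOneTable",
      "Effect": "Allow",
      "Action": [
        "dynamodb:DescribeTable",
        "dynamodb:GetItem",
        "dynamodb:BatchGetItem",
        "dynamodb:Query",
        "dynamodb:Scan"
      ],
      "Resource": [
        "arn:aws:dynamodb:<region>:<account-id>:table/<table-name>",
        "arn:aws:dynamodb:<region>:<account-id>:table/<table-name>/index/*"
      ]
    }
  ]
}
```

`DescribeTable` is included because most tooling needs the key schema before it can query; the `/index/*` ARN is needed for `Query` and `Scan` against global or local secondary indexes, which are authorized on the index ARN rather than the table ARN. Nothing in the policy grants `PutItem`, `UpdateItem` or `DeleteItem`, so a teammate holding it cannot modify data even through the console.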

Understanding DynamoDB Fine-Grained Access Control

Fine-Grained Access Control for DynamoDB allows you to restrict access to specific rows (items) and columns (attributes) in a table using IAM policies. It can be useful for:

• A multiplayer game table that stores high scores. You want to display users' scores and nicknames but probably do not want to expose their emails. In a case like this, a "vertical" IAM condition lets you selectively hide specific attributes of all the DynamoDB items in a particular table by matching on attribute names.
• A metadata store. You probably do not want to expose all the records to every user, only the ones they own. In a case like this, a "horizontal" IAM condition lets you selectively show only specific records.

More on that on the official AWS blog.
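Here is an added example of a policy that applies both conditions from the list above at once; it is not from the article or the AWS blog post it links to. Assumptions: a table named GameScores whose partition key is the caller's Cognito identity id, and the attribute names listed. `dynamodb:LeadingKeys` is the "horizontal" condition (rows whose partition key equals the caller's identity), and `dynamodb:Attributes` is the "vertical" one (only the listed attributes may be read or written). `<region>` and `<account-id>` are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OwnRowsListedAttributesOnly",
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:BatchGetItem",
        "dynamodb:Query",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem"
      ],
      "Resource": "arn:aws:dynamodb:<region>:<account-id>:table/GameScores",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"],
          "dynamodb:Attributes": [
            "UserId",
            "GameTitle",
            "Nickname",
            "TopScore",
            "TopScoreDateTime"
          ]
        },
        "StringEqualsIfExists": {
          "dynamodb:Select": "SPECIFIC_ATTRIBUTES",
          "dynamodb:ReturnValues": ["NONE", "UPDATED_OLD", "UPDATED_NEW"]
        }
      }
    }
  ]
}
```

The two `StringEqualsIfExists` keys are the part people forget: without the `dynamodb:Select` guard, a `Query` that asks for ALL_ATTRIBUTES would return the Email attribute the list is meant to hide, and without the `dynamodb:ReturnValues` guard an `UpdateItem` with ReturnValues=ALL_OLD would leak it on the way out. `Scan` is deliberately left out of the action list because the partition-key condition cannot constrain a scan. When testing, an authenticated Cognito identity should be able to read and write only items whose partition key equals its own `sub`; any request for another user's key or for an unlisted attribute is denied, which shows up in CloudTrail as an AccessDenied on the DynamoDB call.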

Permissions required by Dynobase for DynamoDB

Dynobase can be used with DynamoDB in two modes: read-only or read-write.

To use Dynobase in read-only mode, make sure to give your role/policy the following permissions:

If you want to be able to make data modifications through Dynobase, also include the following IAM actions:
