DynamoDB Access Control - The Ultimate Guide

Written by Rafal Wilinski

Accessing DynamoDB is a bit different from what traditional databases require. Most of us are accustomed to long-lived connections to SQL databases authenticated with a username and password combination. DynamoDB is different, and this article covers how its access control works.

Access Control & DynamoDB Security Best Practices

Access to DynamoDB is secured using IAM (Identity and Access Management). This means you need a valid AWS identity to authenticate your requests, and that identity must have sufficient permissions to create or access DynamoDB resources. Authentication in AWS can be achieved in a number of ways:

  • using the AWS account root user, from the AWS console or with a pair of access and secret keys
  • using an IAM user, from the AWS console or with a pair of access and secret keys
  • using an IAM role, which is attached to an IAM user or to an AWS resource such as an AWS Lambda function or EC2 instance

How to Give Lambda Access to DynamoDB

Using Console

First, open the Lambda function that should have access to DynamoDB and head to the "Permissions" tab. On that tab, click "View Role Document".

An editor should pop up. Add the following inline policy to the policies array:

It will give the Lambda function admin permissions on the <table-name> table.

Using Serverless Framework

Adding IAM permissions to your Lambda functions in Serverless is as easy as extending the provider.iamRoleStatements object like so:

How to Access DynamoDB From EC2

Accessing DynamoDB from an EC2 instance can be achieved in two ways:

  • Using access and secret keys. The AWS SDK or CLI will use a pair of strings stored in the ~/.aws directory or in environment variables. This method is not recommended, as long-lived static credentials stored on the instance are a security risk.
  • Using an IAM role. This is the preferred way: your instance gets an IAM role assigned and uses it to perform actions against AWS resources. More on that here.

AWS IAM & DynamoDB Read-Only Policy

If you want to give your teammates read-only access to the databases, you can use the following IAM policy:

It will allow them to list all of the tables in the AWS account but read data only from the <table-name> table.

Understanding DynamoDB Fine Grained Control

Fine-Grained Access Control for DynamoDB allows you to restrict access to specific items (rows) and attributes (columns) in a table using IAM policy conditions. It can be useful for:

  • A multiplayer game table that stores high scores. You want to display users' scores and nicknames, but probably not their emails. In a case like this one, a "vertical" IAM condition lets you selectively hide specific attributes of all of the DynamoDB items in a particular table by matching on attribute names.
  • A metadata store. You probably don't want to expose all the records to every user, only the ones they own. In a case like this one, a "horizontal" IAM condition lets you selectively show only specific records, matched on their partition key.

More on that on the official AWS blog.
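As an added example, not a policy from the article, here is one IAM policy that implements both scenarios above: a "vertical" statement on a GameScores table whose items carry UserId, Nickname, Score and Email, which exposes everything except Email, and a "horizontal" statement on a Metadata table whose partition key holds the caller's Cognito identity id. The region, the placeholder account id 123456789012, the table and attribute names, and Cognito as the identity source are all assumptions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VerticalHideEmailOnGameScores",
      "Effect": "Allow",
      "Action": ["dynamodb:Query", "dynamodb:Scan"],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/GameScores",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:Attributes": ["UserId", "Nickname", "Score"]
        },
        "StringEqualsIfExists": {
          "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
        }
      }
    },
    {
      "Sid": "HorizontalOwnRowsOnlyOnMetadata",
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Metadata",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
        }
      }
    }
  ]
}
```

Query and Scan against GameScores must request a projection limited to the listed attributes (Select=SPECIFIC_ATTRIBUTES); a request that asks for all attributes does not satisfy the condition and is denied outright rather than silently filtered. On Metadata, every key in the request must have a partition key value equal to the caller's Cognito identity id, which is what confines each user to their own rows.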


© 2020 Dynobase
