DynamoDB Access Control - The Ultimate Guide

Written by Rafal Wilinski
Published on April 25th, 2020
Accessing DynamoDB is a bit different from accessing traditional databases. Most of us are accustomed to long-lived connections to SQL databases authenticated with a username and password combination. DynamoDB does not work that way, and this article covers how access to it is controlled.
Access Control & DynamoDB Security Best Practices
Access to DynamoDB is secured using IAM (Identity and Access Management). This means you need a valid AWS identity to authenticate your requests, and that identity must have sufficient permissions to create or access DynamoDB resources. Authentication in AWS can be achieved in a number of ways:
- using the AWS account root user, from the AWS console or with a pair of access and secret keys
- using an IAM user, from the AWS console or with a pair of access and secret keys
- using an IAM role attached to an AWS resource, such as an AWS Lambda function or EC2 instance
- using AWS Vault, an open-source tool which issues temporary credentials from long-lived IAM identities stored securely on your machine
- using AWS SSO, a cloud service that allows you to grant your users access to AWS resources
How to Give Lambda Access to DynamoDB
Using Console
First, open the Lambda function that should have access to DynamoDB and head to the "Permissions" tab. On that tab, click "View Role Document".

An editor should pop up. Add the following inline policy to the policies array:
It will give the Lambda function admin permissions on <table-name>.
Using Serverless Framework
Adding IAM permissions to your Lambda functions in Serverless is as easy as extending the provider.iamRoleStatements object like so:
How to Access DynamoDB From EC2
Accessing DynamoDB from an EC2 instance can be achieved in two ways:
- Using access and secret keys. The AWS SDK or CLI will use a pair of strings stored in the ~/.aws directory or in environment variables. This method is not recommended, as long-lived keys on the instance are a security risk.
- Using an IAM role. This is the preferred way: your instance gets an IAM role assigned and uses it to perform actions against AWS resources. More on that here.
AWS IAM & DynamoDB Read-Only Policy
If you want to give your teammates read-only access to the databases, you can use the following IAM policy:
It will allow them to list all of the tables in the AWS account but read data only from the <table-name> table.
Understanding DynamoDB Fine Grained Control
Fine-Grained Access Control for DynamoDB allows you to restrict access to some rows and columns in a table using IAM policies. It can be useful for:
- A multiplayer game table which stores high scores. You want to display users' scores and their nicknames but probably do not want to expose their emails. In a case like this one, a "vertical" IAM condition lets you selectively hide specific attributes of all of the DynamoDB items in a particular table by matching on attribute names.
- A metadata store. You probably do not want to expose all the records to every user, only the ones they own. In a case like this one, a "horizontal" IAM condition lets you selectively show only specific records.
More on that on the official AWS blog.
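Putting both ideas together, here is an added example (not from the article) of a policy that applies a horizontal condition on the partition key and a vertical condition on the returned attributes for the high-score table described above. It assumes callers are Cognito identities, the table's partition key holds the caller's Cognito sub, and the account ID, region and table name are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOwnRowsPublicAttributesOnly",
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:BatchGetItem",
        "dynamodb:Query"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/HighScores",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": [
            "${cognito-identity.amazonaws.com:sub}"
          ],
          "dynamodb:Attributes": [
            "UserId",
            "Nickname",
            "Score"
          ]
        },
        "StringEqualsIfExists": {
          "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
        }
      }
    }
  ]
}
```

ForAllValues:StringEquals requires every partition key value and every requested attribute in the request to appear in the listed set, so a Query for another user's key or a projection that includes Email is denied. The dynamodb:Select condition rejects reads that do not name their attributes explicitly, since such reads would otherwise return every attribute of the item.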
Permissions required by Dynobase for DynamoDB
Dynobase can be used with DynamoDB in two modes: read-only or read-write.
To use Dynobase in read-only mode, make sure to give your role/policy the following permissions:
If you want to be able to make data modifications through Dynobase, also include the following IAM actions: