I have an AWS DynamoDB table which consists of one key and some attributes.
AWS IAM allows to restrict the access to a specific key: Docs.
But is it possible to "filter" by the value of an attribute?
For example:
"Allow access to all rows, where attribute_A = 1"
I didn't find anything like that after searching for hours. Thank you in advance!
Unfortunately you only have two options when restricting access via IAM:
Control access via Partition Key
Control access to attributes returned
It is not possible to restrict access via an attribute which isn't the Partition Key.
A workaround you could look into:
Leverage a GSI and use the Partition Key as your desired attribute you wish to filter by. You can restrict a user to only query the given Index and filter by the Partition Key of the GSI.
Read more here: http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html
HTH
Don't know detailed information about exact access case but IAM policies for DynamoDB can be much fine-grained.
Please refer detailed explanation here.
http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html
Related
I am trying to setup a web application using aws Amplify. It is backed by a dynamodb table containing some data, with "user group" as primary key. So whenever a user is logged, it should only display data connected to his group. I read some aws docs about fine-grained access, but it seems that the only way is to use "user_id" as primary key (hopefully i misunderstood that). If any of you could give me some tips i would be very thankful :)
If I understand correctly you are trying to apply some sort of row isolation strategy on your dynamo table.
Your intuition about the primary key is right as stated here with the caveat that your partition key should contain your group_id (not necessarily the user_id) since you want to isolate access by groups.
Using composite partition keys is common practice in a database like Dynamo.
This will structure the DB so that it can be restricted by a IAM policy that allows for the fine grained access control on the groups that you need.
I need to hide some fields from a table to a certain group of users.
I thought about the creation of a view that allows me to mask those fields. However, once the permissions are set to only grant access to the view, the queries fail because they also need access to the table that is being queried under the view.
Is there a way (or condition) that allows me to grant access to the view but deny access to the table used in the view?
Column-level permissions will be supported as part of AWS lake formation. It is still on preview, but you can request access.
As Lake formation is only available in a specific region in beta test, for now you need to duplicate the data, or wait.
Is there any way of controlling access to DynamoDB data based on data in other tables? By way of comparison, Firebase Realtime Database rules have access to a snapshot of the entire database when being evaluated, so rules like this are possible:
".write": "root.child('allow_writes').val() === true"
But all my reading of the AWS permissions structure hasn't given me any clue how to achieve the same thing. There are variables that can be tested based on the current authenticated user, and some variables based on the current request, but no way I can see of referencing other data within the database.
AWS don't support this case, you're only option would be to put the access control in your application.
You can control table, item or attribute level data access in DynamoDB using a IAM policy variables. Frustratingly AWS don't even seem to publish a list of available policy variables. Typically it boils down to using Cognito sub or AWS userid, which the majority of people don't want to use as a partition keys in their tables.
I have been looking information about this question, but I can't find the answerd. Do you know a simple way using AWS command line tools to map an AWS_KEY id to a specific IAM user?. The idea is to know in some old legacy EC2 boxes who is using an identity in order to revoke unused ones. For example:
AWS_KEY=AKAFERE12aseDesa3er11A -> belong to "user1"
There's no direct one-to-one mapping to allow you to do this. You'll probably need to call list-users to get a list of all the users associated with the AWS account, and for each user that's returned you'll need to call list-access-keys to get their keys and look for the one you're interested in.
Amazons STS allows to create credentials for DynamoDB. I do know how to create time limited (15min - 1h) crediential keys.
However I was wondering whether it is possible to generate a DynamoDB key which is allowed/limited to insert and update only one key/row/record?
Yes, you can write a policy to restrict access to specific keys via fine-grained access control.