How can I control user access to Amazon DynamoDB data via IAM?

前端 未结 4 1641
有刺的猬
有刺的猬 2021-02-19 22:36

Does AWS Identity and Access Management (IAM) provide a way so that a user can only edit or delete the items in an Amazon DynamoDB table he added before?

4条回答
  •  被撕碎了的回忆
    2021-02-19 23:08

    This became possible after AWS added Fine-Grained Access Control for Amazon DynamoDB, which facilitates AWS Identity and Access Management (IAM) policies to regulate access to items and attributes stored in DynamoDB tables.

    The introductory blog post illustrates the outstanding granularity of this feature and resulting simplifications for many real world use cases:

    • Horizontal - You can selectively hide or expose specific DynamoDB items in a particular table by matching on hash key values
    • Vertical - You can selectively hide or expose specific attributes of all of the DynamoDB items in a particular table by matching on attribute names
    • Combined - You can exercise horizontal and vertical control in the same policy

    See Fine-Grained Access Control for Amazon DynamoDB for further details on this ability to determine who can access individual data items and attributes in Amazon DynamoDB tables and indexes, and the actions that can be performed on them.

    • This also includes a concrete example how to include the user id in the primary key of an Amazon DynamoDB table and hiding information both horizontally and vertically via an appropriate IAM Condition thereafter based on the calling user.

    Addendum

    The far reaching scope/impact of this new functionality is also stressed in Werner Vogels' Simplifying Mobile App Data Management with DynamoDB's Fine-Grained Access Control:

    With Fine-Grained Access Control, we solve this problem by enabling you to author access policies that include conditions that describe additional levels of filtering and control. This eliminates the need for the proxy layer, simplifies the application stack, and results in cost savings.

    [...]

    With today’s launch, apps running on mobile devices can send workloads to a DynamoDB table, row, or even a column without going through an intervening proxy layer. [...] This capability allows apps running on mobile devices to modify only rows belonging to a specific user. Also, by consolidating users’ data in a DynamoDB table, you can obtain real-time insights over the user base, at large scale, without going through expensive joins and batch approaches such as scatter / gather.

提交回复
热议问题