Does AWS Identity and Access Management (IAM) provide a way so that a user can only edit or delete the items in an Amazon DynamoDB table he added before?
I'm fairly sure that the answer to your question is yes. You'll probably have to use AWS Cognito with an IAM role policy behind it.
You might have to do some fiddling with this, but if you add a policy like the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:UpdateItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:ap-southeast-2:NUMBER:table/myapplication_product"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        "${cognito-identity.amazonaws.com:sub}"
                    ]
                }
            }
        }
    ]
}
Firstly, this will restrict access to the DynamoDB resource to just the methods named, but the "Condition" block will additionally restrict access to identities that match the hash key that you are trying to alter; obviously, this doesn't affect the Scan (only the GetItem and UpdateItem). Now, exactly how you match up those keys is the fiddling that I referred to, but the solution is in there somewhere. Hope this helps.
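As an added example (not part of the question or the answer above, and not AWS's own evaluator), the following Python models how IAM applies a `ForAllValues:StringEquals` condition on `dynamodb:LeadingKeys` to the policy in the answer. It assumes the table's partition key is an attribute named `userId` that stores the caller's Cognito identity id; the account id, identity ids and request shapes are constructed for the demo. It shows the per-item calls being fenced to the caller's own partition key, and why Scan passes: a Scan carries no key, so the "for all values" test is vacuously true and the statement allows it unchanged.

```python
"""Offline model of IAM evaluating the answer's policy. Example code for this
page, not AWS's implementation; confirm real policies with the IAM policy
simulator or a test identity."""
import fnmatch
import re

# Constructed values for the demo: account id and two Cognito identity ids.
ACCOUNT_ID = "123456789012"
TABLE_ARN = f"arn:aws:dynamodb:ap-southeast-2:{ACCOUNT_ID}:table/myapplication_product"
ALICE = "ap-southeast-2:11111111-1111-1111-1111-111111111111"
BOB = "ap-southeast-2:22222222-2222-2222-2222-222222222222"
HASH_KEY = "userId"  # assumption: the table's partition key stores the identity id

POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:Scan", "dynamodb:UpdateItem"],
        "Resource": [TABLE_ARN],
        "Condition": {
            "ForAllValues:StringEquals": {
                "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
            }
        },
    }],
}


def leading_keys(params: dict) -> list[str]:
    """Partition-key values a request touches (what IAM exposes as dynamodb:LeadingKeys).
    GetItem/UpdateItem/DeleteItem carry one Key, BatchGetItem several, Scan none."""
    if "Key" in params:
        return [params["Key"][HASH_KEY]["S"]]
    if "RequestItems" in params:
        return [key[HASH_KEY]["S"]
                for table in params["RequestItems"].values()
                for key in table["Keys"]]
    return []


def substitute(value: str, context: dict) -> str:
    """Expand ${...} policy variables from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: context.get(m.group(1), m.group(0)), value)


def condition_holds(condition: dict, context: dict, request_keys: list[str]) -> bool:
    """Evaluate the set operators IAM uses with multivalued keys like dynamodb:LeadingKeys."""
    for operator, clauses in condition.items():
        set_op, _, test = operator.rpartition(":")
        if test != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in clauses.items():
            if key != "dynamodb:LeadingKeys":
                raise NotImplementedError(f"condition key {key} not modelled")
            values = [expected] if isinstance(expected, str) else expected
            allowed = {substitute(v, context) for v in values}
            if set_op == "ForAllValues":
                # Every key in the request must be allowed. An empty request set
                # (Scan) is vacuously true, so Scan is not narrowed by this condition.
                if not all(k in allowed for k in request_keys):
                    return False
            elif set_op == "ForAnyValue":
                if not any(k in allowed for k in request_keys):
                    return False
            else:
                raise NotImplementedError(f"set operator {set_op!r} not modelled")
    return True


def is_allowed(policy: dict, context: dict, action: str, resource: str, params: dict) -> bool:
    """Default deny; an explicit Deny beats any Allow."""
    decision = False
    for stmt in policy["Statement"]:
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        resources = [stmt["Resource"]] if isinstance(stmt["Resource"], str) else stmt["Resource"]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if not condition_holds(stmt.get("Condition", {}), context, leading_keys(params)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def as_context(identity_sub: str) -> dict:
    """Request context a Cognito-authenticated caller would carry."""
    return {"cognito-identity.amazonaws.com:sub": identity_sub}


def key_of(identity_sub: str) -> dict:
    """Key parameter of a GetItem/UpdateItem/DeleteItem request for one identity's item."""
    return {"Key": {HASH_KEY: {"S": identity_sub}}}


if __name__ == "__main__":
    alice = as_context(ALICE)
    print("GetItem own item:      ", is_allowed(POLICY, alice, "dynamodb:GetItem", TABLE_ARN, key_of(ALICE)))
    print("UpdateItem Bob's item: ", is_allowed(POLICY, alice, "dynamodb:UpdateItem", TABLE_ARN, key_of(BOB)))
    print("Scan (no key present): ", is_allowed(POLICY, alice, "dynamodb:Scan", TABLE_ARN, {}))
    print("DeleteItem (not granted):", is_allowed(POLICY, alice, "dynamodb:DeleteItem", TABLE_ARN, key_of(ALICE)))
```

The Scan result is the practical caveat: because the condition cannot narrow a Scan, a caller granted `dynamodb:Scan` still reads every item in the table. If the goal is that users see only their own rows, grant `dynamodb:Query` instead of `dynamodb:Scan`; a Query's partition-key condition is exposed as `dynamodb:LeadingKeys` and is fenced by the same condition block.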