How can I control user access to Amazon DynamoDB data via IAM?

waiter.james · Jan 2, 2014 · Viewed 8.4k times

Does AWS Identity and Access Management (IAM) provide a way so that a user can only edit or delete the items in an Amazon DynamoDB table he added before?

Answer

Steffen Opel · Jan 3, 2014

This became possible after AWS added Fine-Grained Access Control for Amazon DynamoDB, which facilitates AWS Identity and Access Management (IAM) policies to regulate access to items and attributes stored in DynamoDB tables.

The introductory blog post illustrates the outstanding granularity of this feature and resulting simplifications for many real world use cases:

  • Horizontal - You can selectively hide or expose specific DynamoDB items in a particular table by matching on hash key values
  • Vertical - You can selectively hide or expose specific attributes of all of the DynamoDB items in a particular table by matching on attribute names
  • Combined - You can exercise horizontal and vertical control in the same policy

See Fine-Grained Access Control for Amazon DynamoDB for further details on this ability to determine who can access individual data items and attributes in Amazon DynamoDB tables and indexes, and the actions that can be performed on them.

  • This also includes a concrete example of how to include the user id in the primary key of an Amazon DynamoDB table and then hide information both horizontally and vertically via an appropriate IAM Condition based on the calling user.

Addendum

The far-reaching scope/impact of this new functionality is also stressed in Werner Vogels' Simplifying Mobile App Data Management with DynamoDB's Fine-Grained Access Control:

With Fine-Grained Access Control, we solve this problem by enabling you to author access policies that include conditions that describe additional levels of filtering and control. This eliminates the need for the proxy layer, simplifies the application stack, and results in cost savings.

[...]

With today’s launch, apps running on mobile devices can send workloads to a DynamoDB table, row, or even a column without going through an intervening proxy layer. [...] This capability allows apps running on mobile devices to modify only rows belonging to a specific user. Also, by consolidating users’ data in a DynamoDB table, you can obtain real-time insights over the user base, at large scale, without going through expensive joins and batch approaches such as scatter / gather.
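As an added example (not code from the answer above or from AWS), here is the combined horizontal and vertical control the answer describes, written for an IAM user whose `${aws:username}` is the table's partition key, together with a simplified local check of the policy's condition keys that stands in for IAM's real evaluator. The table ARN and attribute names are constructed placeholders.

```python
"""Fine-grained DynamoDB IAM policy plus an offline check of its conditions.

Added example, not from the original answer. Assumptions: the calling
principal is an IAM user whose username is stored as the partition key, the
table ARN and attribute list below are constructed, and request_allowed()
only mirrors the condition keys used here, not full IAM evaluation.
"""

TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/GameScores"  # constructed
ALLOWED_ATTRIBUTES = ["UserId", "GameTitle", "TopScore"]  # constructed


def build_policy() -> dict:
    """Return the IAM policy document (JSON-equivalent) for per-user item access."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem",
                       "dynamodb:UpdateItem", "dynamodb:DeleteItem"],
            "Resource": TABLE_ARN,
            "Condition": {
                "ForAllValues:StringEquals": {
                    # Horizontal: every partition-key value in the request must be the caller's name.
                    "dynamodb:LeadingKeys": ["${aws:username}"],
                    # Vertical: only these attributes may be read or written.
                    "dynamodb:Attributes": ALLOWED_ATTRIBUTES,
                },
                # Without these, a read could ask for all attributes and bypass the list above.
                "StringEqualsIfExists": {
                    "dynamodb:Select": "SPECIFIC_ATTRIBUTES",
                    "dynamodb:ReturnValues": ["NONE", "UPDATED_OLD", "UPDATED_NEW"],
                },
            },
        }],
    }


def request_allowed(policy: dict, caller: str, leading_keys: list, attributes: list,
                    select: str = None, return_values: str = None) -> bool:
    """Simplified local check of the policy's conditions for one request (not IAM itself)."""
    cond = policy["Statement"][0]["Condition"]
    forall = cond["ForAllValues:StringEquals"]
    allowed_keys = [v.replace("${aws:username}", caller) for v in forall["dynamodb:LeadingKeys"]]
    allowed_attrs = set(forall["dynamodb:Attributes"])
    # ForAllValues semantics: every request value must be in the allowed set (an empty set passes).
    if not all(k in allowed_keys for k in leading_keys):
        return False
    if not all(a in allowed_attrs for a in attributes):
        return False
    if_exists = cond["StringEqualsIfExists"]
    if select is not None and select != if_exists["dynamodb:Select"]:
        return False
    if return_values is not None and return_values not in if_exists["dynamodb:ReturnValues"]:
        return False
    return True
```

Attach `build_policy()` to the user or role; the local check is only there to make the ForAllValues and IfExists semantics visible before deploying.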