What is the access control model for DynamoDB?

Question

In a traditional MySql Server situation, as the owner of a database, I create a User and from the database I grant certain access rights to the User object. An application can then (and only) access the database by supplying the password for the User.

I am confused and don't see a parallel when it comes to giving access to a DynamoDB table. From the DynamoDB Tables page, I can't find a means to grant permission for an IAM user to access a table. There is an Access Control tab, but that appears to be for Facebook/Google users.

I read about attaching policies but am confused further. How is access controlled if anyone can create a policy that can access all tables?

What am I missing? I just want to create a "login" for a Node application to access my DynamoDB table.

Possible duplicate of [How can I control user access to Amazon DynamoDB data via IAM?](https://stackoverflow.com/questions/20876500/how-can-i-control-user-access-to-amazon-dynamodb-data-via-iam) — Anuruddha, Jan 06 '18 at 10:48
Not quite a duplicate -- the body of the other question does not appear to fully match its own title. — Michael - sqlbot, Jan 06 '18 at 13:56

score 1 · Answer 1 · answered Jan 06 '18 at 11:07

If anyone in your AWS account can create IAM policies you have a real security issue.

Only a few accounts should do that (Create IAM policies).

DynamoDB accesses work along with IAM user like you said, so, you need to do the following:

Create IAM groups to classify your IAM users, for example, DBAGroup for dbas, DEVGroup for developers and so on.
Create IAM policies to grant specific access to your DynamoDB tables for each group.
Apply the policies to the specific groups for granting accesses.

For login purposes, you need to develop a module that will verify the credentials with IAM service, so you need to execute IAM API calls. This module could be deployed within an EC2, could be a Javascript call to an API Gateway's endpoint along with a Lambda function, Etc.

What you need to do:

Create an account on IAM service that will be able to execute API calls to the IAM service for verifying credentials (Login and password).
This account should have only permissions for doing that (Verify user login and password).
Use the API credentials to be able to execute API calls.

If you don't want to create your own module for login purposes, take a look at Amazon Cognito

Amazon Cognito lets you add user sign-up/sign-in and access control to your web and mobile apps quickly and easily. Cognito scales to millions of users and supports sign-in with social identity providers such as Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0.

The last step is how your module execute API calls to IAM service? As you may know, we need API Credentials. So, using the logged user's credentials you will be able to execute API calls to read data from tables, execute CRUD operations, Etc.

I think the OP meant "login" in the sense of credentials the app server uses to connect to the db, rather than user logins. — Michael - sqlbot, Jan 06 '18 at 13:55

score 0 · Answer 2 · answered Jul 04 '19 at 18:57

To set specific permissions for certain tables as in SQL Server you must do this:

In Identity and Access Management (IAM) create a new security policy on the JSON tab:

Use the following JSON as an example to allow a full CRUD or remove the items within the "Action" section to allow only the desired items:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListAndDescribe",
            "Effect": "Allow",
            "Action": [
                "dynamodb:List*",
                "dynamodb:DescribeReservedCapacity*",
                "dynamodb:DescribeLimits",
                "dynamodb:DescribeTimeToLive"
            ],
            "Resource": "*"
        },
        {
            "Sid": "SpecificTable",
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchGet*",
                "dynamodb:DescribeStream",
                "dynamodb:DescribeTable",
                "dynamodb:Get*",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:BatchWrite*",
                "dynamodb:CreateTable",
                "dynamodb:Delete*",
                "dynamodb:Update*",
                "dynamodb:PutItem"
            ],
            "Resource": "arn:aws:dynamodb:*:*:table/MyTable"
        }
    ]
}

Give the policy a name and save it.

After that, go to the Identity and Access Management (IAM) Users screen and create a new user as shown below.

Remember to set the field ** Access type ** as * Programmatic access *, it is not necessary to add the user to a group, click on "Atach existing policies directly" and add the policy previously created.

Finished! You already have everything you need to connect your application to Dynamodb.

My question was more on: what happens if in the `Resource` field I enter the arn of *your* database? — Old Geezer, Jul 05 '19 at 02:40
@OldGeezer Sorry for my mistake, I understand what you meant now. — CleberTXR, Jul 08 '19 at 22:44

What is the access control model for DynamoDB?

2 Answers2