So, I am currently making a DynamoDB table with multiple indexes and trying to manage access control.
I have a key (organizationId) that I do not want to use as my secondary index's partition or sort key, because it would be pretty much pointless query-wise.
DynamoDB table
DynamoDB Secondary Index
Would the following IAM policy condition effectively limit access on the secondary index based on the organizationId?
"Condition": {
    "ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": [
            "anOrganizationId / Variable"
        ]
    }
}
OK, what I can suggest: you could actually make the 2nd index "OrganizationId#processId". The organization ID should always be known when searching, as I guess you plan to search all items within an organization with a specific process ID?
This should work out for you (on the index, not the table):
"Condition": {
    "ForAllValues:StringLike": {
        "dynamodb:LeadingKeys": "${aws:PrincipalTag/organizationId}#*"
    }
}
(assuming the tag holds the org ID)
The following permissions policy allows queries on a secondary index (here the example index name is TopScoreDateTimeIndex) by using the dynamodb:Attributes condition key. The policy also limits queries to requesting only specific attributes that have been projected into the index. Please pay attention to the Resource and Condition sections.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "QueryOnlyProjectedIndexAttributes",
            "Effect": "Allow",
            "Action": [
                "dynamodb:Query"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-west-2:123456789012:table/GameScores/index/TopScoreDateTimeIndex"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:Attributes": [
                        "TopScoreDateTime",
                        "GameTitle",
                        "Wins",
                        "Losses",
                        "Attempts"
                    ]
                },
                "StringEquals": {
                    "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
                }
            }
        }
    ]
}
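To see how the conditions in both answers above actually decide a request, here is a small policy evaluator added as an illustration; it is not part of either answer and not AWS code. It models only the operators the two answers use (StringEquals, StringLike, their ForAllValues form, and the Null operator) plus `${aws:PrincipalTag/...}` substitution, and it runs the first answer's `dynamodb:LeadingKeys` condition and the second answer's `dynamodb:Attributes` / `dynamodb:Select` condition against constructed requests. The ARNs, the `organizationId` tag value and the request contexts are all made up for the walkthrough. The case worth noticing is `scan_loose`: `ForAllValues` evaluates to true when the request carries no `dynamodb:LeadingKeys` at all, so if the statement is ever widened beyond Query (here Scan is added on purpose) the org restriction silently stops applying. Adding the `Null` check, which the IAM documentation suggests next to `ForAllValues` in an Allow, closes that hole (`scan_hardened`).

```python
"""Toy evaluator for the IAM condition keys used in both answers above.

Added illustration, not AWS code or a complete IAM engine: it models only the
operators those answers rely on (StringEquals, StringLike, the ForAllValues set
form and Null) plus ${aws:PrincipalTag/...} substitution. Explicit denies, SCPs,
permission boundaries and the other operators are deliberately left out.
"""
import re

_TAG_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _like(value, pattern):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _expand(pattern, tags):
    """Substitute ${aws:PrincipalTag/name}; None when the caller lacks that tag."""
    if any(name not in tags for name in _TAG_VAR.findall(pattern)):
        return None
    return _TAG_VAR.sub(lambda m: tags[m.group(1)], pattern)


def _condition_matches(condition, ctx, tags):
    """True when every operator/key pair in the Condition block is satisfied."""
    for operator, entries in condition.items():
        set_op, _, base = operator.rpartition(":")  # "ForAllValues:StringLike" splits into both parts
        for key, expected in entries.items():
            actual = ctx.get(key)
            if base == "Null":  # "true": key must be absent; "false": key must be present
                if (actual in (None, [])) != (str(expected).lower() == "true"):
                    return False
                continue
            patterns = [p for p in (_expand(r, tags) for r in _as_list(expected)) if p is not None]
            match = _like if base == "StringLike" else (lambda v, p: v == p)
            if set_op == "ForAllValues":
                # Vacuously true when the key is absent or empty: the documented caveat.
                if not all(any(match(v, p) for p in patterns) for v in actual or []):
                    return False
            elif actual is None or not any(match(actual, p) for p in patterns):
                return False
    return True


def is_allowed(stmt, action, resource, ctx, tags):
    """Evaluate one Allow statement against a request; False is IAM's implicit deny."""
    return (stmt.get("Effect") == "Allow"
            and any(_like(action, a) for a in _as_list(stmt["Action"]))
            and any(_like(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_matches(stmt.get("Condition", {}), ctx, tags))


# Constructed ARNs and principal tag for the walkthrough; none of these come from the question.
INDEX_ARN = "arn:aws:dynamodb:us-east-1:111122223333:table/Processes/index/OrgProcessIndex"
SCORES_ARN = "arn:aws:dynamodb:us-west-2:123456789012:table/GameScores/index/TopScoreDateTimeIndex"
ALICE = {"organizationId": "org-123"}

# The first answer's condition, with Scan added to the action list on purpose to expose the caveat.
LOOSE = {"Effect": "Allow", "Action": ["dynamodb:Query", "dynamodb:Scan"], "Resource": INDEX_ARN,
         "Condition": {"ForAllValues:StringLike": {"dynamodb:LeadingKeys": "${aws:PrincipalTag/organizationId}#*"}}}

# Same statement plus the Null check the IAM docs suggest next to ForAllValues in an Allow.
HARDENED = {**LOOSE, "Condition": {**LOOSE["Condition"], "Null": {"dynamodb:LeadingKeys": "false"}}}

# The second answer's attribute-projection policy.
PROJECTED = {"Effect": "Allow", "Action": ["dynamodb:Query"], "Resource": SCORES_ARN,
             "Condition": {"ForAllValues:StringEquals": {"dynamodb:Attributes":
                                                         ["TopScoreDateTime", "GameTitle", "Wins", "Losses", "Attempts"]},
                           "StringEquals": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"}}}


def walkthrough():
    """Verdicts for the cases a reviewer of these policies should check."""
    own = {"dynamodb:LeadingKeys": ["org-123#proc-7"]}
    return {
        "own_org_query": is_allowed(LOOSE, "dynamodb:Query", INDEX_ARN, own, ALICE),
        "other_org_query": is_allowed(LOOSE, "dynamodb:Query", INDEX_ARN, {"dynamodb:LeadingKeys": ["org-999#proc-7"]}, ALICE),
        "mixed_keys": is_allowed(LOOSE, "dynamodb:Query", INDEX_ARN, {"dynamodb:LeadingKeys": ["org-123#a", "org-999#b"]}, ALICE),
        "scan_loose": is_allowed(LOOSE, "dynamodb:Scan", INDEX_ARN, {}, ALICE),        # allowed: no keys, vacuous match
        "scan_hardened": is_allowed(HARDENED, "dynamodb:Scan", INDEX_ARN, {}, ALICE),  # Null check closes the hole
        "untagged_principal": is_allowed(HARDENED, "dynamodb:Query", INDEX_ARN, own, {}),
        "projected_ok": is_allowed(PROJECTED, "dynamodb:Query", SCORES_ARN,
                                   {"dynamodb:Attributes": ["GameTitle", "Wins"], "dynamodb:Select": "SPECIFIC_ATTRIBUTES"}, ALICE),
        "projected_extra_attr": is_allowed(PROJECTED, "dynamodb:Query", SCORES_ARN,
                                           {"dynamodb:Attributes": ["GameTitle", "UserId"], "dynamodb:Select": "SPECIFIC_ATTRIBUTES"}, ALICE),
        "projected_all_attrs": is_allowed(PROJECTED, "dynamodb:Query", SCORES_ARN, {"dynamodb:Select": "ALL_ATTRIBUTES"}, ALICE),
    }


if __name__ == "__main__":
    for case, verdict in walkthrough().items():
        print(f"{case:22} {'ALLOW' if verdict else 'DENY'}")
```

Two things this makes concrete. First, the composite `OrganizationId#processId` partition key is what makes the first answer work at all: `dynamodb:LeadingKeys` is the partition key value a Query supplies, so the org prefix is checked on every request, a mixed batch is rejected because `ForAllValues` needs every key to match, and a principal without the `organizationId` tag never matches because the variable cannot be resolved. Second, `ForAllValues` on its own is only safe while the statement allows nothing but Query and similar key-bearing actions; pairing it with `"Null": {"dynamodb:LeadingKeys": "false"}` keeps the restriction meaningful if the action list is later broadened.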