
DynamoDB Fine-Grained Access Control and secondary indexes

So, I am currently making a DynamoDB table with multiple indexes and trying to manage access control.

I have a key (organizationId) that I do not want to use as my secondary indexes partition or sort key, because it would be pretty much pointless query-wise.

DynamoDB table

  • Table name: Executions
  • Partition key: OrganizationId (String)

DynamoDB Secondary Index

  • Primary partition key: processId (String)
  • Primary sort key: status (Number)

Would the following IAM Policy condition effectively limit access on the secondary index based on the organizationId?

"Condition": {
    "ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": [
            "anOrganizationId / Variable"
        ]
    }
}

Ok, what I can suggest: you could actually do the 2nd index as "OrganizationId#processId"; the organization ID should always be known when searching, as I guess you plan to search all items within an organization with a specific process ID?

This should work out for you (on the index, not the table)

"Condition": {
    "ForAllValues:StringLike": {
        "dynamodb:LeadingKeys": "${aws:PrincipalTag/organizationId}#*"
    }
}

if I'm assuming the tag holds the org ID
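How IAM applies that condition, as an added example that is not part of the answer or of any AWS code: a small Python model of ForAllValues:StringLike evaluated over dynamodb:LeadingKeys. The index name OrgProcessIndex, the account and region in the ARN, and the org-42/org-99/proc-7 values are constructed; the `#` separator and the organizationId principal tag are the ones the answer uses. It shows why the composite index key is scoped to the caller's organization, why an index keyed on processId alone (as in the question) cannot be scoped this way, what happens when the caller has no tag, and the documented IAM quirk that a ForAllValues condition is true for a request that carries no key values at all (a Scan), which is why the statement must allow Query only.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical statement modelled on the answer above: allow Query only, on an
# index (assumed name OrgProcessIndex; account and region made up) whose partition
# key is "<organizationId>#<processId>", and require every partition-key value in
# the request to start with the caller's organizationId principal tag.
STATEMENT = {
    "Effect": "Allow",
    "Action": ["dynamodb:Query"],
    "Resource": [
        "arn:aws:dynamodb:us-east-1:123456789012:table/Executions/index/OrgProcessIndex"
    ],
    "Condition": {
        "ForAllValues:StringLike": {
            "dynamodb:LeadingKeys": ["${aws:PrincipalTag/organizationId}#*"]
        }
    },
}


@dataclass
class Request:
    """Constructed request context: what IAM sees for one DynamoDB call."""
    action: str
    resource: str
    principal_tags: Dict[str, str]
    # dynamodb:LeadingKeys = partition-key values named in the KeyConditionExpression
    # of the table or index being queried; a Scan supplies none.
    leading_keys: List[str]


def composite_key(organization_id: str, process_id: str) -> str:
    """Build the index partition key the answer proposes ('#' is its separator)."""
    return f"{organization_id}#{process_id}"


def resolve_policy_variables(pattern: str, tags: Dict[str, str]) -> Optional[str]:
    """Substitute ${aws:PrincipalTag/<name>}; None when the caller lacks the tag
    (this model then treats the pattern as unable to match anything)."""
    names = re.findall(r"\$\{aws:PrincipalTag/([^}]+)\}", pattern)
    if any(n not in tags for n in names):
        return None
    return re.sub(r"\$\{aws:PrincipalTag/([^}]+)\}", lambda m: tags[m.group(1)], pattern)


def string_like(value: str, pattern: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one; case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def for_all_values_string_like(patterns: List[str], values: List[str], tags: Dict[str, str]) -> bool:
    """ForAllValues: true when every request value matches at least one pattern.
    With no request values at all, all([]) is True: that is the documented IAM
    behaviour, and the reason the statement must not also allow Scan."""
    resolved = [p for p in (resolve_policy_variables(p, tags) for p in patterns) if p is not None]
    return all(any(string_like(v, p) for p in resolved) for v in values)


def is_allowed(statement: dict, req: Request) -> bool:
    """Minimal evaluation of one Allow statement: Action, Resource, then Condition."""
    if req.action not in statement["Action"] or req.resource not in statement["Resource"]:
        return False
    for key, patterns in statement["Condition"]["ForAllValues:StringLike"].items():
        if key != "dynamodb:LeadingKeys":
            return False  # the model understands only this condition key
        if not for_all_values_string_like(patterns, req.leading_keys, req.principal_tags):
            return False
    return True


def demo() -> Dict[str, bool]:
    index_arn = STATEMENT["Resource"][0]
    tags = {"organizationId": "org-42"}  # constructed principal tag
    cases = {
        # composite key with the caller's own organization: allowed
        "own_org": Request("dynamodb:Query", index_arn, tags, [composite_key("org-42", "proc-7")]),
        # same process, another organization's prefix: denied
        "other_org": Request("dynamodb:Query", index_arn, tags, [composite_key("org-99", "proc-7")]),
        # index keyed on processId alone, as the question proposed: the org id never
        # reaches dynamodb:LeadingKeys, so the condition cannot scope by organization
        "process_only_key": Request("dynamodb:Query", index_arn, tags, ["proc-7"]),
        # caller without the tag: variable unresolved, nothing matches
        "missing_tag": Request("dynamodb:Query", index_arn, {}, [composite_key("org-42", "proc-7")]),
        # Scan carries no LeadingKeys; it is stopped only by the Action list
        "scan": Request("dynamodb:Scan", index_arn, tags, []),
    }
    results = {name: is_allowed(STATEMENT, r) for name, r in cases.items()}
    # The condition on its own is vacuously true for the Scan's empty key set.
    results["scan_condition_alone"] = for_all_values_string_like(
        STATEMENT["Condition"]["ForAllValues:StringLike"]["dynamodb:LeadingKeys"],
        cases["scan"].leading_keys, tags)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22} -> {'ALLOW' if allowed else 'DENY'}")
```

The point of the last case is the practical caveat: the condition does nothing against a Scan on the index, so keep dynamodb:Scan out of the Action list (or deny it explicitly) rather than relying on the LeadingKeys condition alone.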

The following permissions policy allows queries on a secondary index (example index name: TopScoreDateTimeIndex) by using the dynamodb:Attributes condition key. The policy also limits queries to requesting only specific attributes that have been projected into the index. Please pay attention to the Resource and Condition sections.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "QueryOnlyProjectedIndexAttributes",
            "Effect": "Allow",
            "Action": [
                "dynamodb:Query"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-west-2:123456789012:table/GameScores/index/TopScoreDateTimeIndex"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:Attributes": [
                        "TopScoreDateTime",
                        "GameTitle",
                        "Wins",
                        "Losses",
                        "Attempts"
                    ]
                },
                "StringEquals": {
                    "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
                }
            }
        }
    ]
}
