Discussion on "Lock Down DynamoDB with IAM Policy Conditions" | Hashnode

Discussion

Matt Martz

AWS Community Builder

Jan 19, 2021

Lock Down DynamoDB with IAM Policy Conditions

At work we've begun exploring the use of IAM policy conditions to limit access to items in our DynamoDB Tables. This gives a much more specific level of control on who can retrieve what data. Before a lambda executes, a separate process generates a...

martzmakes.com9 min read

#aws #dynamodb #security #aws-cdk

Responses(1)

Jash Sayani

Software Engineer

Dec 27, 2021

Interesting, so you need to prepend the primary key with auth credentials youself, and include it in queries. I assumed DynamoDB does it in the background when auth token is provided.

No, there aren't any credentials in the DDB key. The IAM policy that the Lambda uses to get read access to DDB includes a constraint that restricts what it can see. In the example above you can see the PK is just simply Tenant#1. The JWT includes the tenant number so the condition in the policy:

'dynamodb:LeadingKeys': [`Tenant#${who}`],

means that when the lambda is invoked where "who" is 1... they'd only see the Tenant#1 records.

Search Hashnode

Lock Down DynamoDB with IAM Policy Conditions

Responses(1)

Recent in Forum