In granting permissions, DynamoDB allows specifying conditions for them through a detailed IAM policy with condition keys. This supports settings like access to specific items and attributes.
Note β The DynamoDB does not support any tags.
Detailed Control
Several conditions allow specificity down to items and attributes like granting read-only access to specific items based on user account. Implement this level of control with conditioned IAM policies, which manages the security credentials. Then simply apply the policy to the desired users, groups, and roles. Web Identity Federation, a topic discussed later, also provides a way to control user access through Amazon, Facebook, and Google logins.
The condition element of IAM policy implements access control. You simply add it to a policy. An example of its use consists of denying or permitting access to table items and attributes. The condition element can also employ condition keys to limit permissions.
You can review the following two examples of the condition keys β
- dynamodb:LeadingKeys β It prevents the item access by users without an ID matching the partition key value.
- dynamodb:Attributes β It prevents users from accessing or operating on attributes outside of those listed.
On evaluation, IAM policies result in a true or false value. If any part evaluates to false, the whole policy evaluates to false, which results in denial of access. Be sure to specify all required information in condition keys to ensure users have appropriate access.
Predefined Condition Keys
AWS offers a collection of predefined condition keys, which apply to all services. They support a broad range of uses and fine detail in examining users and access.
Note β There is case sensitivity in condition keys.
You can review a selection of the following service-specific keys β
- dynamodb:LeadingKey β It represents a table’s first key attribute; the partition key. Use the ForAllValues modifier in conditions.
- dynamodb:Select β It represents a query/scan request Select parameter. It must be of the value ALL_ATTRIBUTES, ALL_PROJECTED_ATTRIBUTES, SPECIFIC_ATTRIBUTES, or COUNT.
- dynamodb:Attributes β It represents an attribute name list within a request, or attributes returned from a request. Its values and their functions resemble API action parameters, e.g., BatchGetItem uses AttributesToGet.
- dynamodb:ReturnValues β It represents a requestsβ ReturnValues parameter, and can use these values: ALL_OLD, UPDATED_OLD, ALL_NEW, UPDATED_NEW, and NONE.
- dynamodb:ReturnConsumedCapacity β It represents a request’s ReturnConsumedCapacity parameter, and can use these values: TOTAL and NONE.