
Using DynamoDB with Data Access Server

Control user access to DynamoDB resources.

DynamoDB Table Access Control

Allow the user to perform actions on a specific table and attribute.

  1. From the Privacera Platform home page, click Access Management > Resource Policies.

  2. On the Resource Policies page, in the privacera_dynamodb pane, click Add New Policy.

  3. Enter the details.

    Label               Description
    Policy Name         Enter an appropriate policy name. The name cannot be duplicated for the same service type (DynamoDB). This field is mandatory.
    Policy Label        Label/tag for the policy.
    Table               Select the table(s) to which the policy applies.
    Attribute           For the selected table(s), select the attributes to which the policy applies.
    Audit Logging       Choose whether or not the policy is audited.
    Group Permission    From the user group list, pick a group and choose permissions for that group.
    User Permission     From the user list, pick a user and choose permissions for that user.
    Include/Exclude     The Include flag means the policy applies to the values entered in the field; this is the default. The Exclude flag means the policy applies to everything except the table names or column names entered in that field.
    Enable/Disable      By default, the policy is enabled. You can disable a policy to withdraw the user/group access it grants.

    Permission          Description
    Read                Allow the user to perform Query/Scan on the specified table and attributes.
    Write               Allow the user to perform put-item/delete-item on the specified table and attributes.
    Create              Allow the user to perform createTable.
    Delete              Allow the user to perform deleteTable.
    ListTables          Allow the user to perform list-tables.
    Admin               Allow the user to perform ALL actions on the specified table/attributes.

  4. Click Save.
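As an added illustration, not part of the Privacera documentation or product code, the following Python model shows how the fields above combine into an allow/deny decision: table and attribute patterns with the wildcard, the per-field include/exclude flag, the enable/disable switch, and the permission-to-operation mapping from the permission table. It is a simplified evaluator written for this page, not Privacera's enforcement engine; the users alice and bob and the policies in sample_policies() are constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Permission -> DynamoDB operations, following the permission table on this page;
# Admin is treated as every operation on the matched table/attribute.
PERMISSION_OPS = {"Read": {"Query", "Scan", "GetItem"}, "Create": {"CreateTable"},
                  "Write": {"PutItem", "DeleteItem", "BatchWriteItem"},
                  "Delete": {"DeleteTable"}, "ListTables": {"ListTables"}}
ALL_OPS = set().union(*PERMISSION_OPS.values())

def covers(patterns, include, value):
    """Include flag: a listed pattern must match; the exclude flag inverts the match."""
    matched = any(fnmatchcase(value, p) for p in patterns)   # "*" and "*ssn" both work
    return matched if include else not matched

@dataclass
class Policy:
    name: str
    tables: list                     # table patterns, e.g. ["customer_data"] or ["*"]
    attributes: list                 # attribute patterns, e.g. ["id", "ssn"] or ["*ssn"]
    grants: dict                     # user -> set of permission names
    include_tables: bool = True      # include/exclude flag of the Table field
    include_attributes: bool = True  # include/exclude flag of the Attribute field
    enabled: bool = True             # a disabled policy grants nothing

    def ops_for(self, user):
        perms = self.grants.get(user, set())
        return ALL_OPS if "Admin" in perms else set().union(*(PERMISSION_OPS[p] for p in perms))

def is_allowed(policies, user, op, table=None, attributes=()):
    """Allow only if an enabled policy grants op to user and covers the table and every attribute."""
    for p in policies:
        if not p.enabled or op not in p.ops_for(user):
            continue
        if table is not None and not covers(p.tables, p.include_tables, table):
            continue   # table-less operations such as ListTables skip this check
        if all(covers(p.attributes, p.include_attributes, a) for a in attributes):
            return True
    return False

def sample_policies():   # constructed policies modelled on the ones configured on this page
    return [
        Policy("CreatePolicy", ["*"], ["*"], {"alice": {"Create"}}),
        Policy("ReadPolicy", ["customer_data"], ["id", "cust_name", "email_address"],
               {"alice": {"Read"}}),
        Policy("NoSsnPolicy", ["customer_data"], ["*ssn"], {"bob": {"Read"}},
               include_attributes=False),   # exclude flag: every column except *ssn
        Policy("OldWritePolicy", ["customer_data"], ["*"], {"bob": {"Write"}}, enabled=False),
    ]
```

A request is denied as soon as one projected attribute falls outside every matching policy, which is why the column-level examples later on the page list each readable attribute explicitly.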

DynamoDB Column-Level Access Control

Create Table Query

Give a user permission to create DynamoDB tables.

  1. Create an Access Management policy to give the user CREATE permission.

    1. On the Privacera Platform home page, click Access Management > Resource Policies.

    2. In the privacera_dynamodb pane, click Add New Policy.

    3. Configure the policy.

      • Policy Name: DynamodbPolicy

      • Table: * 

      • Attribute: *  

      • Under Allow Conditions, click '+' icon and select:

        • User: User’s username to which you want to allow access.

        • Add Permission as: Create

  2. From a terminal prompt, create a table.

    aws dynamodb create-table --table-name customer_data --attribute-definitions AttributeName=id,AttributeType=S AttributeName=cust_name,AttributeType=S --key-schema AttributeName=id,KeyType=HASH AttributeName=cust_name,KeyType=RANGE --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5
    
    • Options:

      • table-name: Table name

      • attribute-definitions: An array of attributes that describe the key schema for the table and indexes.

      • key-schema: Specifies the attributes that make up the primary key for a table or an index. The attributes in KeySchema must also be defined in the AttributeDefinitions array.

    The user can create DynamoDB tables.

List Table Query

Give a user permission to see a list of DynamoDB tables.

  1. Create an Access Management policy to give the user READ permission.

    1. From the Privacera Platform home page, click Access Management > Resource Policies.

    2. In the privacera_dynamodb pane, click Add New Policy.

    3. Enter the details.

      • Policy Name: DynamodbPolicy

      • Table: * 

      • Attribute: * (Note: a wildcard inside a column name also works, for example *ssn.)

      • Under Allow Conditions, click '+' and select:

        • User: User’s username to which you want to allow access.

        • Add Permission as: Read

  2. From a terminal prompt, execute the following command to list tables.

    aws dynamodb list-tables
    

    The user will be able to see the list of tables.

PutItem Table Query

Enable a user to write data to a DynamoDB table.

  1. Create an Access Management policy to give the user WRITE permission.

    1. From the Privacera Platform home page, click Access Management > Resource Policies.

    2. In the privacera_dynamodb pane, click Add New Policy.

    3. Enter the details.

      • Policy Name: DynamodbPolicy

      • Table: customer_data

      • Attribute: *

      • Under Allow Conditions, click '+' icon and select:

        • User: User’s username to which you want to allow access.

        • Add Permission as: Write

  2. From a terminal prompt, execute the following command.

    aws dynamodb put-item --table-name customer_data --item '{"id": {"S": "149"},"cust_name": {"S": "Joshua"},"ssn":{"S":"259636168"}, "email_address":{"S":"garybutler@gmail.com"}, "address":{"S":"70448 Scott Ranch Suite 312"}}' --return-consumed-capacity TOTAL
    

    The user can write items to the table.

PutItems Table Query

Give a user permission to write items to a DynamoDB table.

  1. Download the sample data to put in the table.

    wget https://privacera-demo.s3.amazonaws.com/public/sample_data/dynamodb/customer_data.json

  2. Create an Access Management policy to give the user Write permission.

    1. From the Privacera Platform home page, click Access Management > Resource Policies.

    2. On the Resource Policies page, go to privacera_dynamodb and then click Add New Policy.

    3. Configure the policy.

      • Policy Name: DynamodbPolicy

      • Table: customer_data

      • Attribute: *

      • Under Allow Conditions, click '+' and select:

        • User: User’s username to which you want to allow access.

        • Add Permission as: Write

  3. Run a batch write query.

    aws dynamodb batch-write-item --request-items file://customer_data.json
    

    The user can write multiple objects to the table.

Select Table Queries

Give a user permission to read from a DynamoDB table.

  1. Create an Access Management policy to give the user READ permission.

    1. From the Privacera Platform home page, click Access Management > Resource Policies.

    2. In privacera_dynamodb click Add New Policy.

    3. Configure the policy.

      • Policy Name: DynamodbPolicy

      • Table: customer_data

      • Attribute: id, name, email_address, ssn

      • Under Allow Conditions, click '+' icon and select:

        • User: User’s username to which you want to allow access.

        • Add Permission as: Read

  2. From a terminal prompt, execute a read query.

    aws dynamodb query --table-name customer_data --projection-expression "id, cust_name, email_address, address" --key-condition-expression "id = :a1" --expression-attribute-values '{":a1": {"S": "149"}}'
    

    The user can now read from the table.

GetItem/Scan Table Query

Give a user permission to get or scan items from a DynamoDB table.

  1. Create an Access Management policy to give the user READ permission.

    1. From the Privacera Platform home page, click Access Management > Resource Policies.

    2. In the privacera_dynamodb pane, click Add New Policy.

    3. Configure the policy.

      • Policy Name: DynamodbPolicy

      • Table: customer_data

      • Attribute: *

      • Under Allow Conditions, click '+' icon and select:

        • User: User’s username to which you want to allow access.

        • Add Permission as: Read

  2. From a terminal prompt, execute a get or scan query.

    aws dynamodb get-item --table-name customer_data --key '{"id": {"S": "149"},"cust_name": {"S": "Joshua"}}'
    

    Or

    aws dynamodb scan --table-name customer_data
    

    The user can get and scan items from the DynamoDB table.

DeleteItem Table Query

Give a user permission to delete items from a DynamoDB table.

  1. Create an Access Management policy to give the user DELETE permission.

    1. From the Privacera Platform home page, click Access Management > Resource Policies.

    2. In the privacera_dynamodb pane, click Add New Policy.

    3. Configure the policy.

      • Policy Name: DynamodbPolicy

      • Table: customer_data

      • Attribute: *

      • Under Allow Conditions, click '+' and select:

        • User: User’s username to which you want to allow access.

        • Add Permission as: Delete

  2. From a terminal prompt, delete an item.

    aws dynamodb delete-item --table-name customer_data --key '{"id": {"S": "149"},"cust_name": {"S": "Joshua"}}'
    

    The user can delete items. 

Delete Table Query

Give a user permission to delete a DynamoDB table.

  1. Create an Access Management policy to give the user DELETE permission.

    1. From the Privacera Platform home page, click Access Management > Resource Policies.

    2. In the privacera_dynamodb pane, click Add New Policy.

    3. Configure the policy.

      • Policy Name: DynamodbPolicy

      • Table: customer_data

      • Attribute: *

      • Under Allow Conditions, click '+' icon and select:

        • User: User’s username to which you want to allow access.

        • Add Permission as: Delete

  2. From a terminal prompt, delete a table.

    aws dynamodb delete-table --table-name customer_data
    

    The user can delete a DynamoDB table.


Last update: July 23, 2021