3 votes

So, I am currently making a DynamoDB table with multiple indexes and trying to manage access control.

I have a key (organizationId) that I do not want to use as my secondary index's partition or sort key, because it would be pretty much pointless query-wise.

DynamoDB table

  • Table name: Executions
  • Partition key: OrganizationId (String)

DynamoDB Secondary Index

  • Primary partition key: processId (String)
  • Primary sort key: status (Number)

Would the following IAM policy condition effectively limit access on the secondary index based on the organizationId?

"Condition": {
    "ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": [
            "anOrganizationId / Variable"
        ]
    }
}
2
Did you solve this? - ArielB
No; I've pretty much given up. - ElFitz
I think I solved it; I added a comment if you'd like to try. - ArielB

2 Answers

0 votes

OK, what I can suggest: you could actually define the 2nd index's key as "OrganizationId#processId". The organization ID should always be known when searching, as I guess you plan to search all items within an organization with a specific process ID?

This should work out for you (on the index, not the table)

"Condition": {
    "ForAllValues:StringLike": {
        "dynamodb:LeadingKeys": "${aws:PrincipalTag/organizationId}#*"
    }
}

That is assuming the principal tag carries the org ID.

-1 votes

The following permissions policy allows queries on a secondary index (example index name: TopScoreDateTimeIndex) by using the dynamodb:Attributes condition key. The policy also limits queries to requesting only specific attributes that have been projected into the index. Pay attention to the Resource and Condition sections.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "QueryOnlyProjectedIndexAttributes",
            "Effect": "Allow",
            "Action": [
                "dynamodb:Query"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-west-2:123456789012:table/GameScores/index/TopScoreDateTimeIndex"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:Attributes": [
                        "TopScoreDateTime",
                        "GameTitle",
                        "Wins",
                        "Losses",
                        "Attempts"
                    ]
                },
                "StringEquals": {
                    "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
                }
            }
        }
    ]
}
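Added example, not part of the question or of either answer: a small Python evaluator for the IAM condition operators both answers rely on. The first answer uses ForAllValues:StringLike with a policy variable against the composite index key; the second uses ForAllValues:StringEquals plus StringEquals for the projected-attribute policy. The code models the documented operator semantics (StringEquals, StringLike with `*` and `?` wildcards, the ForAllValues set operator), not AWS's authorization engine; the composite key layout, the tag name and the sample items are assumptions taken from the answers. It also exercises the case a practitioner should check before shipping such a policy: ForAllValues is satisfied by a request that carries no values for the key at all, so an Allow that depends on it must stay scoped to the actions that actually populate dynamodb:LeadingKeys.

```python
"""Evaluator for the IAM Condition blocks used in the two answers above.
Added example; it models the documented IAM operator semantics and is not
AWS's policy engine. Attribute, index and tag names are assumptions."""
import re


def composite_key(item):
    """GSI partition key proposed in the first answer: "OrganizationId#processId"."""
    return f"{item['OrganizationId']}#{item['processId']}"


def resolve_variables(value, context):
    """Substitute ${...} policy variables (e.g. ${aws:PrincipalTag/organizationId}).
    A variable absent from the request context raises KeyError; the caller
    treats that as a mismatch (assumption: fail closed)."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: context[m.group(1)], value)


def string_like(pattern, value):
    """IAM StringLike: case-sensitive; '*' matches any run, '?' one character.
    Everything else, including '[', is literal (unlike fnmatch)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


OPERATORS = {
    "StringEquals": lambda p, v: p == v,
    "StringLike": string_like,
}


def evaluate_condition(condition, request):
    """Evaluate one Condition block against a request context.

    `request` maps condition keys and policy-variable names to their values:
    single-valued keys to a string, multi-valued keys (dynamodb:LeadingKeys,
    dynamodb:Attributes) to a list. ForAllValues requires every request value
    to match some policy value; per the IAM docs it is also satisfied when the
    request carries no values for the key (the null-set pitfall).
    """
    for op_spec, keys in condition.items():
        set_op, _, op_name = op_spec.rpartition(":")
        match = OPERATORS[op_name]
        for cond_key, policy_values in keys.items():
            if isinstance(policy_values, str):
                policy_values = [policy_values]
            try:
                patterns = [resolve_variables(p, request) for p in policy_values]
            except KeyError:
                return False  # unresolvable policy variable: deny
            present = request.get(cond_key)
            if set_op == "ForAllValues":
                values = present if present is not None else []
                if not all(any(match(p, v) for p in patterns) for v in values):
                    return False
            elif set_op == "":
                if present is None or not any(match(p, present) for p in patterns):
                    return False
            else:
                raise ValueError(f"unsupported set operator {set_op}")
    return True


# First answer: the composite index key must start with the caller's org tag.
LEADING_KEYS_CONDITION = {
    "ForAllValues:StringLike": {
        "dynamodb:LeadingKeys": "${aws:PrincipalTag/organizationId}#*"
    }
}

# Second answer: only projected attributes, requested via SPECIFIC_ATTRIBUTES.
PROJECTED_ATTRIBUTES_CONDITION = {
    "ForAllValues:StringEquals": {
        "dynamodb:Attributes": ["TopScoreDateTime", "GameTitle", "Wins",
                                "Losses", "Attempts"]
    },
    "StringEquals": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"},
}


def authorize_org_query(leading_keys, principal_tags):
    """Query on the assumed composite GSI: every queried partition key value
    must begin with "<caller's organizationId>#"."""
    request = {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}
    request["dynamodb:LeadingKeys"] = leading_keys
    return evaluate_condition(LEADING_KEYS_CONDITION, request)


def authorize_projection_query(attributes, select):
    """Query on the TopScoreDateTimeIndex policy from the second answer."""
    request = {"dynamodb:Attributes": attributes, "dynamodb:Select": select}
    return evaluate_condition(PROJECTED_ATTRIBUTES_CONDITION, request)


if __name__ == "__main__":
    item = {"OrganizationId": "org-1", "processId": "proc-42", "status": 2}  # constructed
    key = composite_key(item)
    print(key)                                                              # org-1#proc-42
    print(authorize_org_query([key], {"organizationId": "org-1"}))         # True
    print(authorize_org_query([key], {"organizationId": "org-10"}))        # False
    print(authorize_org_query([], {"organizationId": "org-1"}))            # True: null-set pitfall
    print(authorize_projection_query(["Wins", "Losses"], "SPECIFIC_ATTRIBUTES"))  # True
    print(authorize_projection_query(["Wins", "UserId"], "SPECIFIC_ATTRIBUTES"))  # False
```

The `#` separator is what keeps the prefix match honest: with tag `org-1` the pattern `org-1#*` rejects `org-10#proc-42`, which a bare `org-1*` would accept. The empty-list case returning True is the documented ForAllValues behaviour, which is why the Allow in such a policy should list only `dynamodb:Query` (and other actions that populate LeadingKeys) rather than `dynamodb:*`.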