DynamoDB Concise Tutorial
DynamoDB - Access Control
DynamoDB uses the credentials you provide to authenticate requests. These credentials are required and must carry permissions for the AWS resources being accessed. Such permissions cover virtually every aspect of DynamoDB, down to the minor features of an individual operation or function.
Types of Permissions
In this section, we discuss the various permissions and forms of resource access in DynamoDB.
Authenticating Users
When you sign up, you provide a password and an email address, which serve as your root credentials. This data is associated with your AWS account and grants complete access to all of its resources.
AWS recommends using the root credentials only to create an administration account. From that account you create IAM users with fewer privileges. IAM users are additional identities created through the IAM service; their permissions can include access to secured pages and custom permissions such as table modification.
Access keys provide another option for additional accounts and access: use them to grant programmatic access and, in some situations, to avoid granting access manually. Federated users provide yet another option by allowing access through an identity provider.
Administration
AWS resources remain owned by an account. Permissions policies govern who may create or access resources. Administrators associate permissions policies with IAM identities (roles, groups, users, and services); they can also attach permissions to resources.
Permissions specify users, resources, and actions. Note that administrators are simply accounts with administrator privileges.
Operations and Resources
Tables are the main resources in DynamoDB. Subresources, such as streams and indexes, serve as additional resources. Each resource is identified by a unique name (ARN); the formats are shown in the following table:

| Type   | ARN (Amazon Resource Name)                                                  |
|--------|-----------------------------------------------------------------------------|
| Stream | arn:aws:dynamodb:region:account-id:table/table-name/stream/stream-label     |
| Index  | arn:aws:dynamodb:region:account-id:table/table-name/index/index-name        |
| Table  | arn:aws:dynamodb:region:account-id:table/table-name                         |
Ownership
A resource owner is the AWS account that created the resource, or the account of the principal entity whose request was authenticated when the resource was created. Consider how this works in the DynamoDB environment:

- If you use root credentials to create a table, your account is the resource owner.
- If you create an IAM user and grant that user permission to create a table, your account remains the resource owner.
- If you create an IAM role and grant the role (and therefore anyone able to assume it) permission to create a table, your account remains the resource owner.
Manage Resource Access
Managing access mainly means writing permissions policies that describe users and the resource access they are granted. Policies can be associated with IAM identities or with resources; however, DynamoDB supports only IAM (identity-based) policies.
Identity-based (IAM) policies let you grant privileges in the following ways:

- Attach permissions to users or groups.
- Attach permissions to roles, which also enables cross-account permissions.
Other AWS services allow resource-based policies, which grant access to resources such as an S3 bucket.
Policy Elements
Policies define actions, effects, resources, and principals, and grant permission to perform the named operations.

Note − A single API operation may require permissions for multiple actions.

Take a closer look at the following policy elements:
- Resource − Identified by an ARN.
- Action − Keywords that identify the operations on the resource which are allowed or denied.
- Effect − Specifies whether the user's request for an action is allowed or denied; denial is the default when no statement applies.
- Principal − Identifies the user to whom the policy is attached.
Conditions
When granting permissions, you can specify conditions under which a policy becomes active, such as on a particular date. Conditions are expressed with condition keys, which include AWS system-wide keys and DynamoDB-specific keys. These keys are discussed in detail later in the tutorial.
Console Permissions
A user requires certain basic permissions to use the console. They also need console permissions for the following standard services:

- CloudWatch
- Data Pipeline
- Identity and Access Management
- Notification Service
- Lambda
If the IAM policy is too restrictive, the user cannot use the console effectively. These console permissions are not needed for users who only call the CLI or the API.
Commonly Used IAM Policies
AWS covers common operations with standalone IAM managed policies. They bundle the key permissions, so you do not have to work out exactly what to grant yourself.

Some of them are as follows:
- AmazonDynamoDBReadOnlyAccess − Gives read-only access via the console.
- AmazonDynamoDBFullAccess − Gives full access via the console.
- AmazonDynamoDBFullAccesswithDataPipeline − Gives full access via the console and permits export/import with Data Pipeline.
You can, of course, also write custom policies.
Granting Privileges: Using The Shell
You can grant permissions with the JavaScript shell. The following program shows a typical permissions policy (the policy language version must be "2012-10-17"; any other value is rejected by IAM):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeQueryScanToolsTable",
      "Effect": "Deny",
      "Action": [
        "dynamodb:DescribeTable",
        "dynamodb:Query",
        "dynamodb:Scan"
      ],
      "Resource": "arn:aws:dynamodb:us-west-2:account-id:table/Tools"
    }
  ]
}
```
You can review the following three examples.

Block the user from executing any table action:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllAPIActionsOnTools",
      "Effect": "Deny",
      "Action": "dynamodb:*",
      "Resource": "arn:aws:dynamodb:us-west-2:155556789012:table/Tools"
    }
  ]
}
```
Block access to a table and its indexes:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AccessAllIndexesOnTools",
      "Effect": "Deny",
      "Action": [
        "dynamodb:*"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-west-2:155556789012:table/Tools",
        "arn:aws:dynamodb:us-west-2:155556789012:table/Tools/index/*"
      ]
    }
  ]
}
```
Block a user from purchasing a reserved capacity offering:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BlockReservedCapacityPurchases",
      "Effect": "Deny",
      "Action": "dynamodb:PurchaseReservedCapacityOfferings",
      "Resource": "arn:aws:dynamodb:us-west-2:155556789012:*"
    }
  ]
}
```
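To make the policy elements above concrete (explicit Deny beats Allow, and a request no statement matches is denied by default), here is a small policy evaluator, added as an example and not part of the original tutorial. The policy it evaluates is constructed from the Deny statements shown in the examples plus one Allow statement; `evaluate`, `_matches` and the `POLICY` constant are this example's own names, and the glob-style wildcard matching is a simplification of IAM's real evaluation logic.

```python
import fnmatch

# Constructed policy (example only): the page's Deny statements on the Tools
# table's indexes and on reserved-capacity purchases, plus one Allow.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowReadTools", "Effect": "Allow",
         "Action": ["dynamodb:DescribeTable", "dynamodb:Query", "dynamodb:Scan"],
         "Resource": "arn:aws:dynamodb:us-west-2:155556789012:table/Tools"},
        {"Sid": "DenyIndexesOnTools", "Effect": "Deny",
         "Action": "dynamodb:*",
         "Resource": "arn:aws:dynamodb:us-west-2:155556789012:table/Tools/index/*"},
        {"Sid": "BlockReservedCapacityPurchases", "Effect": "Deny",
         "Action": "dynamodb:PurchaseReservedCapacityOfferings",
         "Resource": "arn:aws:dynamodb:us-west-2:155556789012:*"},
    ],
}


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    # IAM's '*' and '?' wildcards behave like shell globs; fnmatchcase keeps
    # the comparison case-sensitive (ARNs are), callers lowercase action names.
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Return (effect, sid) for one request against an identity policy.
    An explicit Deny wins over any Allow; with no matching statement the
    result is the implicit default deny, reported as ("Deny", None)."""
    decision = ("Deny", None)  # implicit deny until an Allow matches
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not _matches(actions, action.lower()):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return ("Deny", stmt["Sid"])  # explicit deny: stop immediately
        decision = ("Allow", stmt["Sid"])
    return decision
```

Note that the Resource ARNs pin a region and account, so the same table name in another region falls through to the implicit deny.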
Granting Privileges: Using the GUI Console
You can also create IAM policies with the GUI console. To begin, choose Tables from the navigation pane. In the table list, choose the target table and follow these steps.

Step 1 − Select the Access control tab.

Step 2 − Select the identity provider, actions, and policy attributes. After entering all settings, select Create policy.

Step 3 − Choose Attach policy instructions, and complete each required step to associate the policy with the appropriate IAM role.