DynamoDB Concise Tutorial
DynamoDB - Conditions
When granting permissions, DynamoDB lets you attach conditions to them through a detailed IAM policy that uses condition keys. This supports settings such as access restricted to specific items and attributes.
Note − DynamoDB does not support any tags.
Detailed Control
Several conditions allow specificity down to individual items and attributes, for example granting read-only access to specific items based on the user account. Implement this level of control with conditioned IAM policies, which manage the security credentials. Then apply the policy to the desired users, groups, and roles. Web Identity Federation, a topic discussed later, also provides a way to control user access through Amazon, Facebook, and Google logins.
The Condition element of an IAM policy implements this access control. You simply add it to a policy. One use is denying or permitting access to table items and attributes. The Condition element can also employ condition keys to limit permissions.
You can review the following two examples of condition keys −

- dynamodb:LeadingKeys − Prevents item access by users whose ID does not match the partition key value.
- dynamodb:Attributes − Prevents users from accessing or operating on attributes outside of those listed.
On evaluation, an IAM policy resolves to true or false. If any part of it evaluates to false, the whole policy evaluates to false, which results in denial of access. Be sure to specify all required information in the condition keys so that users have the intended access.
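The following is an added example, not code from the original tutorial: it builds a policy in the style described above (dynamodb:LeadingKeys tied to the caller's identity and dynamodb:Attributes limited to a list) and runs a deliberately simplified evaluator over constructed requests to show the "any false part denies" rule. The table ARN and user IDs are constructed; the evaluator models only the two operators the policy uses, not the full IAM evaluation logic.

```python
import re

# Constructed policy: a federated user may read only items whose partition key
# equals their own Amazon user ID, and only the three listed attributes.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:Query"],
        "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/GameScores",  # constructed
        "Condition": {
            "ForAllValues:StringEquals": {
                "dynamodb:LeadingKeys": ["${www.amazon.com:user_id}"],
                "dynamodb:Attributes": ["UserId", "GameTitle", "TopScore"],
            },
            "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"},
        },
    }],
}

def _substitute(value, variables):
    """Replace ${var} policy variables with the caller's identity values."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: variables.get(m.group(1), m.group(0)), value)

def condition_allows(condition, request, variables):
    """Simplified model: True only if every operator/key pair in the Condition holds."""
    for operator, keys in condition.items():
        for key, policy_values in keys.items():
            if isinstance(policy_values, str):
                policy_values = [policy_values]
            allowed = {_substitute(v, variables) for v in policy_values}
            request_values = request.get(key)
            if operator == "ForAllValues:StringEquals":
                # every value the request carries must be in the policy set;
                # a key absent from the request matches (empty set)
                if not set(request_values or []) <= allowed:
                    return False
            elif operator == "StringEqualsIfExists":
                # only checked when the request actually carries the key
                if request_values is not None and request_values not in allowed:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True

def is_allowed(policy, request, variables):
    """Allow if any Allow statement covers the action and its Condition holds."""
    return any(request["action"] in s["Action"]
               and condition_allows(s.get("Condition", {}), request, variables)
               for s in policy["Statement"] if s["Effect"] == "Allow")
```

Changing a single request value (another user's partition key, an unlisted attribute, or Select=ALL_ATTRIBUTES) flips the result to deny, which is the behaviour the paragraph above describes.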
Predefined Condition Keys
AWS offers a collection of predefined condition keys that apply to all services. They support a broad range of uses and allow fine-grained examination of users and access.
Note − Condition keys are case sensitive.
You can review a selection of the service-specific keys below −

- dynamodb:LeadingKeys − Represents a table's first key attribute, the partition key. Use the ForAllValues modifier in conditions.
- dynamodb:Select − Represents the Select parameter of a query or scan request. It must have the value ALL_ATTRIBUTES, ALL_PROJECTED_ATTRIBUTES, SPECIFIC_ATTRIBUTES, or COUNT.
- dynamodb:Attributes − Represents an attribute name list within a request, or the attributes returned from a request. Its values and their functions resemble API action parameters, e.g., BatchGetItem uses AttributesToGet.
- dynamodb:ReturnValues − Represents a request's ReturnValues parameter, and can take these values: ALL_OLD, UPDATED_OLD, ALL_NEW, UPDATED_NEW, and NONE.
- dynamodb:ReturnConsumedCapacity − Represents a request's ReturnConsumedCapacity parameter, and can take these values: TOTAL and NONE.