我的应用程序允许用户从浏览器直接访问DynamoDB。他们可以查看和编辑他们知道分区键(UUID)的任何记录。
我的问题是用户可以通过“编辑”不存在的分区键来创建新记录。有没有办法使用IAM策略来防止这种情况?
答案 0 :(得分:0)
You need to use AWS Cognito to build fine-grained Access Control to your DynamoDB Table.
You can do it with code with a Lambda, you need to write all the Authorization Logic in code.
Reference to fine-grained Authorization:
It also includes row-level authorization and as well as table level authorization, merged with AWS Cognito.
Hope it helps.
EDIT1:
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/api-permissions-reference.html
dynamodb:PutItem will prevent users from updating dynamodb records.
Example Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAccessToOnlyItemsMatchingUserID",
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:UpdateItem"
],
"Resource": [
"arn:aws:dynamodb:us-west-2:123456789012:table/TableName"
]
}
]
}
Gives all permission reference to create IAM policy to block users to create new records.
Conditional Update:
Edits an existing item's attributes, or adds a new item to the table if it does not already exist. You can put, delete, or add attribute values. You can also perform a conditional update on an existing item (insert a new attribute name-value pair if it doesn't exist, or replace an existing name-value pair if it has certain expected attribute values).
答案 1 :(得分:0)
您可以使用ConditionExpression仅在满足某些条件时进行更新。由于所有项目都必须具有哈希键(主键),因此可以使用ConditionExpression仅在哈希键存在的情况下进行更新,这仅适用于现有项目。因此,UpdateItem将仅更新现有项,而不会创建新项。
例如:
ConditionExpression: 'attribute_exists(myHashKey)'