AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2025-05-22 · Documentation medium

File: cli/v1/userguide/bash_iam_code_examples.md

Summary

Added new scenarios for ABAC implementation in DynamoDB and DynamoDB Streams/TTL management

Security assessment

The ABAC scenario demonstrates security-focused IAM policy creation using attribute-based access control, which is a security feature. However, there's no indication this addresses a specific vulnerability - it's proactive security guidance. The DynamoDB Streams/TTL section shows operational features without explicit security context.

Diff

diff --git a/cli/v1/userguide/bash_iam_code_examples.md b/cli/v1/userguide/bash_iam_code_examples.md
index 403668529..bba3bfd3c 100644
--- a//cli/v1/userguide/bash_iam_code_examples.md
+++ b//cli/v1/userguide/bash_iam_code_examples.md
@@ -5 +5 @@
-BasicsActions
+BasicsActionsScenarios
@@ -16,0 +17,2 @@ _Actions_ are code excerpts from larger programs and must be run in context. Whi
+_Scenarios_ are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services.
+
@@ -24,0 +27,2 @@ Each example includes a link to the complete source code, where you can find ins
+  * Scenarios
+
@@ -2520,0 +2525,312 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+## Scenarios
+
+The following code example shows how to implement Attribute-Based Access Control (ABAC) for DynamoDB.
+
+  * Create an IAM policy for ABAC.
+
+  * Create tables with tags for different departments.
+
+  * List and filter tables based on tags.
+
+
+
+
+**AWS CLI with Bash script**
+    
+
+Create an IAM policy for ABAC.
+    
+    
+    # Step 1: Create a policy document for ABAC
+    cat > abac-policy.json << 'EOF'
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": [
+            "dynamodb:GetItem",
+            "dynamodb:BatchGetItem",
+            "dynamodb:Query",
+            "dynamodb:Scan"
+          ],
+          "Resource": "arn:aws:dynamodb:*:*:table/*",
+          "Condition": {
+            "StringEquals": {
+              "aws:ResourceTag/Department": "${aws:PrincipalTag/Department}"
+            }
+          }
+        },
+        {
+          "Effect": "Allow",
+          "Action": [
+            "dynamodb:PutItem",
+            "dynamodb:UpdateItem",
+            "dynamodb:DeleteItem",
+            "dynamodb:BatchWriteItem"
+          ],
+          "Resource": "arn:aws:dynamodb:*:*:table/*",
+          "Condition": {
+            "StringEquals": {
+              "aws:ResourceTag/Department": "${aws:PrincipalTag/Department}",
+              "aws:ResourceTag/Environment": "Development"
+            }
+          }
+        }
+      ]
+    }
+    EOF
+    
+    # Step 2: Create the IAM policy
+    aws iam create-policy \
+        --policy-name DynamoDBDepartmentBasedAccess \
+        --policy-document file://abac-policy.json
+    
+    
+
+Create tables with tags for different departments.
+    
+    
+    # Create a DynamoDB table with tags for ABAC
+    aws dynamodb create-table \
+        --table-name FinanceData \
+        --attribute-definitions \
+            AttributeName=RecordID,AttributeType=S \
+        --key-schema \
+            AttributeName=RecordID,KeyType=HASH \
+        --billing-mode PAY_PER_REQUEST \
+        --tags \
+            Key=Department,Value=Finance \
+            Key=Environment,Value=Development
+    
+    # Create another table with different tags
+    aws dynamodb create-table \
+        --table-name MarketingData \
+        --attribute-definitions \
+            AttributeName=RecordID,AttributeType=S \
+        --key-schema \
+            AttributeName=RecordID,KeyType=HASH \
+        --billing-mode PAY_PER_REQUEST \
+        --tags \
+            Key=Department,Value=Marketing \
+            Key=Environment,Value=Production
+    
+    
+
+List and filter tables based on tags.
+    
+    
+    # List all DynamoDB tables
+    echo "Listing all tables:"
+    aws dynamodb list-tables
+    
+    # Get ARNs for all tables
+    echo -e "\nGetting ARNs for all tables:"
+    TABLE_ARNS=$(aws dynamodb list-tables --query "TableNames[*]" --output text | xargs -I {} aws dynamodb describe-table --table-name {} --query "Table.TableArn" --output text)
+    
+    # For each table ARN, list its tags
+    echo -e "\nListing tags for each table:"
+    for ARN in $TABLE_ARNS; do
+        TABLE_NAME=$(echo $ARN | awk -F/ '{print $2}')
+        echo -e "\nTags for table: $TABLE_NAME"
+        aws dynamodb list-tags-of-resource --resource-arn $ARN
+    done
+    
+    # Example: Find tables with a specific tag
+    echo -e "\nFinding tables with Environment=Production tag:"
+    for ARN in $TABLE_ARNS; do
+        TABLE_NAME=$(echo $ARN | awk -F/ '{print $2}')
+        TAGS=$(aws dynamodb list-tags-of-resource --resource-arn $ARN --query "Tags[?Key=='Environment' && Value=='Production']" --output text)
+        if [ ! -z "$TAGS" ]; then
+            echo "Table with Production tag: $TABLE_NAME"
+        fi
+    done
+    
+    
+
+  * For API details, see the following topics in _AWS CLI Command Reference_.
+
+    * [CreatePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreatePolicy)
+
+    * [CreateTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/CreateTable)
+
+    * [ListTables](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/ListTables)
+
+
+
+
+The following code example shows how to manage DynamoDB Streams and Time-to-Live features.
+
+  * Create a table with Streams enabled.
+
+  * Describe Streams.
+
+  * Create a Lambda function for processing Streams.
+
+  * Enable TTL on a table.
+
+  * Add items with TTL attributes.
+
+  * Describe TTL settings.
+
+
+
+
+**AWS CLI with Bash script**
+    
+
+Create a table with Streams enabled.
+    
+    
+    # Create a table with DynamoDB Streams enabled
+    aws dynamodb create-table \
+        --table-name StreamsDemo \
+        --attribute-definitions \
+            AttributeName=ID,AttributeType=S \
+        --key-schema \
+            AttributeName=ID,KeyType=HASH \
+        --billing-mode PAY_PER_REQUEST \
+        --stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES
+    
+    
+
+Describe Streams.
+    
+    
+    # Get information about the stream
+    aws dynamodb describe-table \
+        --table-name StreamsDemo \
+        --query "Table.StreamSpecification"
+    
+    # Get the stream ARN
+    STREAM_ARN=$(aws dynamodb describe-table \
+        --table-name StreamsDemo \
+        --query "Table.LatestStreamArn" \
+        --output text)
+