AWS cli documentation change
Summary
Added new scenarios for ABAC implementation in DynamoDB and DynamoDB Streams/TTL management
Security assessment
The ABAC scenario demonstrates security-focused IAM policy creation using attribute-based access control, which is a security feature. However, there's no indication this addresses a specific vulnerability - it's proactive security guidance. The DynamoDB Streams/TTL section shows operational features without explicit security context.
Diff
diff --git a/cli/v1/userguide/bash_iam_code_examples.md b/cli/v1/userguide/bash_iam_code_examples.md index 403668529..bba3bfd3c 100644 --- a//cli/v1/userguide/bash_iam_code_examples.md +++ b//cli/v1/userguide/bash_iam_code_examples.md @@ -5 +5 @@ -BasicsActions +BasicsActionsScenarios @@ -16,0 +17,2 @@ _Actions_ are code excerpts from larger programs and must be run in context. Whi +_Scenarios_ are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. + @@ -24,0 +27,2 @@ Each example includes a link to the complete source code, where you can find ins + * Scenarios + @@ -2520,0 +2525,312 @@ There's more on GitHub. Find the complete example and learn how to set up and ru +## Scenarios + +The following code example shows how to implement Attribute-Based Access Control (ABAC) for DynamoDB. + + * Create an IAM policy for ABAC. + + * Create tables with tags for different departments. + + * List and filter tables based on tags. + + + + +**AWS CLI with Bash script** + + +Create an IAM policy for ABAC. + + + # Step 1: Create a policy document for ABAC + cat > abac-policy.json << 'EOF' + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "dynamodb:GetItem", + "dynamodb:BatchGetItem", + "dynamodb:Query", + "dynamodb:Scan" + ], + "Resource": "arn:aws:dynamodb:*:*:table/*", + "Condition": { + "StringEquals": { + "aws:ResourceTag/Department": "${aws:PrincipalTag/Department}" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "dynamodb:PutItem", + "dynamodb:UpdateItem", + "dynamodb:DeleteItem", + "dynamodb:BatchWriteItem" + ], + "Resource": "arn:aws:dynamodb:*:*:table/*", + "Condition": { + "StringEquals": { + "aws:ResourceTag/Department": "${aws:PrincipalTag/Department}", + "aws:ResourceTag/Environment": "Development" + } + } + } + ] + } + EOF + + # Step 2: Create the IAM policy + aws iam create-policy \ + --policy-name DynamoDBDepartmentBasedAccess \ + --policy-document file://abac-policy.json + + + +Create tables with tags for different departments. + + + # Create a DynamoDB table with tags for ABAC + aws dynamodb create-table \ + --table-name FinanceData \ + --attribute-definitions \ + AttributeName=RecordID,AttributeType=S \ + --key-schema \ + AttributeName=RecordID,KeyType=HASH \ + --billing-mode PAY_PER_REQUEST \ + --tags \ + Key=Department,Value=Finance \ + Key=Environment,Value=Development + + # Create another table with different tags + aws dynamodb create-table \ + --table-name MarketingData \ + --attribute-definitions \ + AttributeName=RecordID,AttributeType=S \ + --key-schema \ + AttributeName=RecordID,KeyType=HASH \ + --billing-mode PAY_PER_REQUEST \ + --tags \ + Key=Department,Value=Marketing \ + Key=Environment,Value=Production + + + +List and filter tables based on tags. + + + # List all DynamoDB tables + echo "Listing all tables:" + aws dynamodb list-tables + + # Get ARNs for all tables + echo -e "\nGetting ARNs for all tables:" + TABLE_ARNS=$(aws dynamodb list-tables --query "TableNames[*]" --output text | xargs -I {} aws dynamodb describe-table --table-name {} --query "Table.TableArn" --output text) + + # For each table ARN, list its tags + echo -e "\nListing tags for each table:" + for ARN in $TABLE_ARNS; do + TABLE_NAME=$(echo $ARN | awk -F/ '{print $2}') + echo -e "\nTags for table: $TABLE_NAME" + aws dynamodb list-tags-of-resource --resource-arn $ARN + done + + # Example: Find tables with a specific tag + echo -e "\nFinding tables with Environment=Production tag:" + for ARN in $TABLE_ARNS; do + TABLE_NAME=$(echo $ARN | awk -F/ '{print $2}') + TAGS=$(aws dynamodb list-tags-of-resource --resource-arn $ARN --query "Tags[?Key=='Environment' && Value=='Production']" --output text) + if [ ! -z "$TAGS" ]; then + echo "Table with Production tag: $TABLE_NAME" + fi + done + + + + * For API details, see the following topics in _AWS CLI Command Reference_. + + * [CreatePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreatePolicy) + + * [CreateTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/CreateTable) + + * [ListTables](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/ListTables) + + + + +The following code example shows how to manage DynamoDB Streams and Time-to-Live features. + + * Create a table with Streams enabled. + + * Describe Streams. + + * Create a Lambda function for processing Streams. + + * Enable TTL on a table. + + * Add items with TTL attributes. + + * Describe TTL settings. + + + + +**AWS CLI with Bash script** + + +Create a table with Streams enabled. + + + # Create a table with DynamoDB Streams enabled + aws dynamodb create-table \ + --table-name StreamsDemo \ + --attribute-definitions \ + AttributeName=ID,AttributeType=S \ + --key-schema \ + AttributeName=ID,KeyType=HASH \ + --billing-mode PAY_PER_REQUEST \ + --stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES + + + +Describe Streams. + + + # Get information about the stream + aws dynamodb describe-table \ + --table-name StreamsDemo \ + --query "Table.StreamSpecification" + + # Get the stream ARN + STREAM_ARN=$(aws dynamodb describe-table \ + --table-name StreamsDemo \ + --query "Table.LatestStreamArn" \ + --output text) +