AWS code-library high security documentation change
Summary
Added new scenarios for implementing ABAC in DynamoDB and managing DynamoDB Streams/TTL features, including IAM policy creation, resource tagging, and secure Lambda integration.
Security assessment
The ABAC scenario explicitly adds security documentation for attribute-based access control using IAM policies with tag conditions. This implements granular security controls to prevent unauthorized access to DynamoDB resources based on principal/resource tags - a core security mechanism. The DynamoDB Streams section includes IAM role creation with least-privilege permissions (AWSLambdaDynamoDBExecutionRole), which is security-relevant but more operational in nature.
Diff
diff --git a/code-library/latest/ug/bash_2_iam_code_examples.md b/code-library/latest/ug/bash_2_iam_code_examples.md index 5edf2e750..207ddf443 100644 --- a//code-library/latest/ug/bash_2_iam_code_examples.md +++ b//code-library/latest/ug/bash_2_iam_code_examples.md @@ -5 +5 @@ -BasicsActions +BasicsActionsScenarios @@ -16,0 +17,2 @@ _Actions_ are code excerpts from larger programs and must be run in context. Whi +_Scenarios_ are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. + @@ -24,0 +27,2 @@ Each example includes a link to the complete source code, where you can find ins + * Scenarios + @@ -2520,0 +2525,312 @@ There's more on GitHub. Find the complete example and learn how to set up and ru +## Scenarios + +The following code example shows how to implement Attribute-Based Access Control (ABAC) for DynamoDB. + + * Create an IAM policy for ABAC. + + * Create tables with tags for different departments. + + * List and filter tables based on tags. + + + + +**AWS CLI with Bash script** + + +Create an IAM policy for ABAC. + + + # Step 1: Create a policy document for ABAC + cat > abac-policy.json << 'EOF' + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "dynamodb:GetItem", + "dynamodb:BatchGetItem", + "dynamodb:Query", + "dynamodb:Scan" + ], + "Resource": "arn:aws:dynamodb:*:*:table/*", + "Condition": { + "StringEquals": { + "aws:ResourceTag/Department": "${aws:PrincipalTag/Department}" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "dynamodb:PutItem", + "dynamodb:UpdateItem", + "dynamodb:DeleteItem", + "dynamodb:BatchWriteItem" + ], + "Resource": "arn:aws:dynamodb:*:*:table/*", + "Condition": { + "StringEquals": { + "aws:ResourceTag/Department": "${aws:PrincipalTag/Department}", + "aws:ResourceTag/Environment": "Development" + } + } + } + ] + } + EOF + + # Step 2: Create the IAM policy + aws iam create-policy \ + --policy-name DynamoDBDepartmentBasedAccess \ + --policy-document file://abac-policy.json + + + +Create tables with tags for different departments. + + + # Create a DynamoDB table with tags for ABAC + aws dynamodb create-table \ + --table-name FinanceData \ + --attribute-definitions \ + AttributeName=RecordID,AttributeType=S \ + --key-schema \ + AttributeName=RecordID,KeyType=HASH \ + --billing-mode PAY_PER_REQUEST \ + --tags \ + Key=Department,Value=Finance \ + Key=Environment,Value=Development + + # Create another table with different tags + aws dynamodb create-table \ + --table-name MarketingData \ + --attribute-definitions \ + AttributeName=RecordID,AttributeType=S \ + --key-schema \ + AttributeName=RecordID,KeyType=HASH \ + --billing-mode PAY_PER_REQUEST \ + --tags \ + Key=Department,Value=Marketing \ + Key=Environment,Value=Production + + + +List and filter tables based on tags. + + + # List all DynamoDB tables + echo "Listing all tables:" + aws dynamodb list-tables + + # Get ARNs for all tables + echo -e "\nGetting ARNs for all tables:" + TABLE_ARNS=$(aws dynamodb list-tables --query "TableNames[*]" --output text | xargs -I {} aws dynamodb describe-table --table-name {} --query "Table.TableArn" --output text) + + # For each table ARN, list its tags + echo -e "\nListing tags for each table:" + for ARN in $TABLE_ARNS; do + TABLE_NAME=$(echo $ARN | awk -F/ '{print $2}') + echo -e "\nTags for table: $TABLE_NAME" + aws dynamodb list-tags-of-resource --resource-arn $ARN + done + + # Example: Find tables with a specific tag + echo -e "\nFinding tables with Environment=Production tag:" + for ARN in $TABLE_ARNS; do + TABLE_NAME=$(echo $ARN | awk -F/ '{print $2}') + TAGS=$(aws dynamodb list-tags-of-resource --resource-arn $ARN --query "Tags[?Key=='Environment' && Value=='Production']" --output text) + if [ ! -z "$TAGS" ]; then + echo "Table with Production tag: $TABLE_NAME" + fi + done + + + + * For API details, see the following topics in _AWS CLI Command Reference_. + + * [CreatePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreatePolicy) + + * [CreateTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/CreateTable) + + * [ListTables](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/ListTables) + + + + +The following code example shows how to manage DynamoDB Streams and Time-to-Live features. + + * Create a table with Streams enabled. + + * Describe Streams. + + * Create a Lambda function for processing Streams. + + * Enable TTL on a table. + + * Add items with TTL attributes. + + * Describe TTL settings. + + + + +**AWS CLI with Bash script** + + +Create a table with Streams enabled. + + + # Create a table with DynamoDB Streams enabled + aws dynamodb create-table \ + --table-name StreamsDemo \ + --attribute-definitions \ + AttributeName=ID,AttributeType=S \ + --key-schema \ + AttributeName=ID,KeyType=HASH \ + --billing-mode PAY_PER_REQUEST \ + --stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES + + + +Describe Streams. + + + # Get information about the stream + aws dynamodb describe-table \ + --table-name StreamsDemo \ + --query "Table.StreamSpecification" + + # Get the stream ARN + STREAM_ARN=$(aws dynamodb describe-table \ + --table-name StreamsDemo \ + --query "Table.LatestStreamArn" \ + --output text) +