        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:BatchWriteItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-west-2:235338895076:table/Employee"
      ],
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": ["${www.amazon.com:user_id}"],
          "dynamodb:Attributes": [
            "user_id", "emp_id", "email",
            "company", "salary", "name"
          ]
        },
        "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"}
      }
    }
  ]
}
We have put in the following two conditions:
• To restrict users to accessing only their own information, we have added a condition that exposes only the row whose leading key matches the caller's user_id. Here, user_id is taken from the policy variable www.amazon.com:user_id, which carries the user ID established through web identity federation, that is, the user's Amazon, Google, or Facebook ID. Only if it matches is the matching row information displayed.
• To restrict users from accessing sensitive information such as performance rating, we have added another condition that allows only the listed attributes to be returned by any get call.
Here, the first condition allows us to implement horizontal restrictions (which rows a user may touch), while the second condition allows us to implement vertical access control (which attributes of those rows a user may see). Again, to build the policy document, you can use the policy generator UI provided by AWS.
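To see how the two operators in the Condition block decide a request, the following added example (not code from the book or from AWS) models the documented IAM semantics of ForAllValues:StringEquals and StringEqualsIfExists and runs the policy's conditions against constructed requests; the user IDs, the attribute name performance_rating, and the request shape are assumptions for illustration.

```python
# Condition block of the policy above, as plain Python data.
POLICY_CONDITION = {
    "ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": ["${www.amazon.com:user_id}"],
        "dynamodb:Attributes": ["user_id", "emp_id", "email", "company", "salary", "name"],
    },
    "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"},
}


def resolve(values, variables):
    """Substitute ${...} policy variables (here, the federated user ID)."""
    out = []
    for v in values:
        for name, val in variables.items():
            v = v.replace("${" + name + "}", val)
        out.append(v)
    return out


def condition_matches(condition, request, variables):
    """True when every operator in the block is satisfied by `request`,
    a mapping of condition keys to the list of values carried by the call."""
    for operator, pairs in condition.items():
        for key, policy_values in pairs.items():
            if not isinstance(policy_values, list):
                policy_values = [policy_values]
            allowed = set(resolve(policy_values, variables))
            present = request.get(key)
            if operator == "ForAllValues:StringEquals":
                # Every value in the request set must be in the policy set.
                # Documented IAM caveat: an absent or empty request key satisfies
                # ForAllValues, which is why the policy also pins dynamodb:Select.
                if present and not set(present) <= allowed:
                    return False
            elif operator == "StringEqualsIfExists":
                # Enforced only when the key is present in the request.
                if present is not None and not set(present) <= allowed:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


# Constructed caller: a Login with Amazon user (hypothetical ID).
ALICE = {"www.amazon.com:user_id": "amzn1.account.alice"}
ROW, OTHER_ROW = ["amzn1.account.alice"], ["amzn1.account.bob"]

def own_row_listed_attrs():      # allowed: own row, listed attributes only
    return condition_matches(POLICY_CONDITION, {"dynamodb:LeadingKeys": ROW,
        "dynamodb:Attributes": ["emp_id", "salary"], "dynamodb:Select": ["SPECIFIC_ATTRIBUTES"]}, ALICE)

def other_users_row():           # denied by the horizontal restriction
    return condition_matches(POLICY_CONDITION, {"dynamodb:LeadingKeys": OTHER_ROW,
        "dynamodb:Attributes": ["emp_id"]}, ALICE)

def sensitive_attribute():       # denied by the vertical restriction
    return condition_matches(POLICY_CONDITION, {"dynamodb:LeadingKeys": ROW,
        "dynamodb:Attributes": ["emp_id", "performance_rating"]}, ALICE)

def select_all_attributes():     # denied: Select must be SPECIFIC_ATTRIBUTES
    return condition_matches(POLICY_CONDITION, {"dynamodb:LeadingKeys": ROW,
        "dynamodb:Select": ["ALL_ATTRIBUTES"]}, ALICE)
```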