如何控制用户通过IAM对Amazon DynamoDB数据的访问？ [英] How can I control user access to Amazon DynamoDB data via IAM?

问题描述

AWS身份和访问管理（IAM）提供一种方法，使用户只能编辑还是删除他之前添加的 Amazon DynamoDB 表中的项目？

Does AWS Identity and Access Management (IAM) provide a way so that a user can only edit or delete the items in an Amazon DynamoDB table he added before?

推荐答案

在AWS添加用于Amazon DynamoDB的细粒度访问控制，它有助于 AWS 身份和访问管理（IAM）策略，用于限制对DynamoDB表中存储的项目和属性的访问。

This became possible after AWS added Fine-Grained Access Control for Amazon DynamoDB, which facilitates AWS Identity and Access Management (IAM) policies to regulate access to items and attributes stored in DynamoDB tables.

介绍性博客文章说明了此功能的出色粒度，并简化了许多实际使用案例：

The introductory blog post illustrates the outstanding granularity of this feature and resulting simplifications for many real world use cases:

• 水平-您可以有选择地隐藏或显示特定通过匹配哈希键值来匹配特定表中的DynamoDB项目


• 垂直-您可以有选择地隐藏或公开所有数据库的特定属性通过匹配属性名称


• 组合在特定表中的DynamoDB项目-您可以在同一策略中执行水平和垂直控制

• Horizontal - You can selectively hide or expose specific DynamoDB items in a particular table by matching on hash key values
• Vertical - You can selectively hide or expose specific attributes of all of the DynamoDB items in a particular table by matching on attribute names
• Combined - You can exercise horizontal and vertical control in the same policy

请参见用于Amazon DynamoDB的细粒度访问控制，详细了解此功能，以确定谁可以访问Amazon DynamoDB表和索引中的单个数据项和属性，以及

See Fine-Grained Access Control for Amazon DynamoDB for further details on this ability to determine who can access individual data items and attributes in Amazon DynamoDB tables and indexes, and the actions that can be performed on them.

• 这还包括一个具体示例，该示例如何将用户ID包含在主要对象中 Amazon DynamoDB 表的键和隐藏信息b通过适当的 IAM条件 a>此后基于主叫用户。

• This also includes a concrete example how to include the user id in the primary key of an Amazon DynamoDB table and hiding information both horizontally and vertically via an appropriate IAM Condition thereafter based on the calling user.

在Werner Vogels的使用DynamoDB的细粒度访问控制简化移动应用程序数据管理：

The far reaching scope/impact of this new functionality is also stressed in Werner Vogels' Simplifying Mobile App Data Management with DynamoDB's Fine-Grained Access Control:

使用精细粒度的访问控制，我们使您能够编写访问策略来解决此问题，访问策略包括描述其他级别的过滤和控制的条件。这样就无需使用代理层，简化了应用程序堆栈，并节省了成本。

With Fine-Grained Access Control, we solve this problem by enabling you to author access policies that include conditions that describe additional levels of filtering and control. This eliminates the need for the proxy layer, simplifies the application stack, and results in cost savings.

[...]

随着今天的发布，在移动设备上运行的应用程序可以将工作负载发送到DynamoDB表，行甚至列，而无需经过中间代理层。 [...]此功能允许在移动设备上运行的应用仅修改属于特定用户的行。此外，通过将用户数据整合到DynamoDB表中，您可以大规模获得整个用户群的实时见解，而无需进行昂贵的联接和批处理方法（例如分散/收集）。

With today’s launch, apps running on mobile devices can send workloads to a DynamoDB table, row, or even a column without going through an intervening proxy layer. [...] This capability allows apps running on mobile devices to modify only rows belonging to a specific user. Also, by consolidating users’ data in a DynamoDB table, you can obtain real-time insights over the user base, at large scale, without going through expensive joins and batch approaches such as scatter / gather.

这篇关于如何控制用户通过IAM对Amazon DynamoDB数据的访问？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！