如何通过 IAM 控制用户对 Amazon DynamoDB 数据的访问? [英] How can I control user access to Amazon DynamoDB data via IAM?

问题描述

AWS Identity and Access Management (IAM) 是否提供了一种方式，使用户只能编辑还是删除他之前添加的 Amazon DynamoDB 表中的项目?

Does AWS Identity and Access Management (IAM) provide a way so that a user can only edit or delete the items in an Amazon DynamoDB table he added before?

推荐答案

这在 AWS 添加后成为可能 Amazon DynamoDB 的精细访问控制，这有助于 AWS 身份和访问管理 (IAM) 策略来规范对存储在 DynamoDB 表中的项目和属性的访问.

This became possible after AWS added Fine-Grained Access Control for Amazon DynamoDB, which facilitates AWS Identity and Access Management (IAM) policies to regulate access to items and attributes stored in DynamoDB tables.

介绍性博客文章说明了此功能的出色粒度以及对许多实际用例的简化:

The introductory blog post illustrates the outstanding granularity of this feature and resulting simplifications for many real world use cases:

• 水平 - 您可以通过匹配哈希键值来选择性地隐藏或公开特定表中的特定 DynamoDB 项目
• 垂直 - 您可以通过匹配属性名称有选择地隐藏或公开特定表中所有 DynamoDB 项目的特定属性
• 组合 - 您可以在同一策略中进行横向和纵向控制

• Horizontal - You can selectively hide or expose specific DynamoDB items in a particular table by matching on hash key values
• Vertical - You can selectively hide or expose specific attributes of all of the DynamoDB items in a particular table by matching on attribute names
• Combined - You can exercise horizontal and vertical control in the same policy

请参阅 Amazon DynamoDB 的细粒度访问控制了解关于这种能够确定谁可以访问 Amazon DynamoDB 表和索引中的单个数据项和属性以及可以对它们执行的操作的能力的更多详细信息.

See Fine-Grained Access Control for Amazon DynamoDB for further details on this ability to determine who can access individual data items and attributes in Amazon DynamoDB tables and indexes, and the actions that can be performed on them.

• 这还包括一个具体示例，如何在 Amazon DynamoDB 通过适当的 水平和垂直隐藏信息"noreferrer">IAM 条件 此后基于调用用户.

• This also includes a concrete example how to include the user id in the primary key of an Amazon DynamoDB table and hiding information both horizontally and vertically via an appropriate IAM Condition thereafter based on the calling user.

Werner Vogels 的 使用 DynamoDB 的细粒度访问控制简化移动应用数据管理:

The far reaching scope/impact of this new functionality is also stressed in Werner Vogels' Simplifying Mobile App Data Management with DynamoDB's Fine-Grained Access Control:

借助细粒度访问控制，我们可以解决此问题，让您可以编写包含描述额外过滤和控制级别的条件的访问策略.这消除了对代理层的需求，简化了应用程序堆栈，并节省了成本.

With Fine-Grained Access Control, we solve this problem by enabling you to author access policies that include conditions that describe additional levels of filtering and control. This eliminates the need for the proxy layer, simplifies the application stack, and results in cost savings.

[...]

随着今天的发布，在移动设备上运行的应用程序可以将工作负载发送到 DynamoDB 表、行甚至列，而无需通过中间代理层.[...] 此功能允许在移动设备上运行的应用程序仅修改属于特定用户的行.此外，通过将用户数据整合到 DynamoDB 表中，您可以获得大规模用户群的实时洞察，而无需通过分散/聚集等昂贵的联接和批处理方法.

With today’s launch, apps running on mobile devices can send workloads to a DynamoDB table, row, or even a column without going through an intervening proxy layer. [...] This capability allows apps running on mobile devices to modify only rows belonging to a specific user. Also, by consolidating users’ data in a DynamoDB table, you can obtain real-time insights over the user base, at large scale, without going through expensive joins and batch approaches such as scatter / gather.

这篇关于如何通过 IAM 控制用户对 Amazon DynamoDB 数据的访问?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！