Allow a DynamoDB User to modify a subset of documents
How can I create a policy in DynamoDB that allows the corresponding IAM users to modify a subset of documents in a table?
For example, let's say there is an attribute published, and I want an IAM user to perform PutItem and UpdateItem on documents that have published: false.
You can use DynamoDB fine-grained access control on the hash key value. Save the item with "draft" prepended to the hash-key value, and use the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:UpdateItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:region:account_number:table/table_name"
      ],
      "Condition": {
        "ForAllValues:StringLike": {
          "dynamodb:LeadingKeys": ["draft*"]
        }
      }
    }
  ]
}
Adapted from https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/fgac_ddb.html
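Added example (not part of the original answer, and not AWS code): a small Python model of how the condition in the policy above is evaluated against the partition key values of a request, showing which writes the statement permits. The key format draft#post-17 and the sample requests are constructed, and the model covers only this single Allow statement with no Deny or other attached policies.

```python
import re

# Condition block and action list of the policy shown above.
CONDITION = {"ForAllValues:StringLike": {"dynamodb:LeadingKeys": ["draft*"]}}
ALLOWED_ACTIONS = {"dynamodb:updateitem"}  # IAM action names match case-insensitively


def string_like(pattern, value):
    """IAM StringLike: case-sensitive; '*' is any run of characters, '?' is one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def for_all_values_string_like(patterns, request_values):
    """ForAllValues: every request value must match at least one pattern.
    An empty set of request values satisfies the operator vacuously."""
    return all(any(string_like(p, v) for p in patterns) for v in request_values)


def is_allowed(action, partition_keys):
    """Decision for this one Allow statement; anything it does not allow is an implicit deny."""
    if action.lower() not in ALLOWED_ACTIONS:
        return False  # action is not listed in the statement
    patterns = CONDITION["ForAllValues:StringLike"]["dynamodb:LeadingKeys"]
    return for_all_values_string_like(patterns, partition_keys)


# Constructed sample requests: (action, partition key values the request touches).
SAMPLES = [
    ("dynamodb:UpdateItem", ["draft#post-17"]),  # draft item
    ("dynamodb:UpdateItem", ["post-17"]),        # item without the draft prefix
    ("dynamodb:UpdateItem", ["Draft#post-17"]),  # prefix differs in case
    ("dynamodb:PutItem", ["draft#post-18"]),     # action not in the statement
]

if __name__ == "__main__":
    for action, keys in SAMPLES:
        verdict = "allow" if is_allowed(action, keys) else "deny"
        print(f"{action:22} {str(keys):20} -> {verdict}")
```

The condition tests the partition key value only, never the published attribute, so an item must be stored under a key without the draft prefix once it is published. PutItem is denied here because the statement lists only dynamodb:UpdateItem.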