DynamoDB provides multiple layers of security, from IAM-based access control to encryption at rest and in transit. This lesson covers how to secure your DynamoDB tables, control access with fine-grained permissions, and protect data in compliance-sensitive environments.
All access to DynamoDB is controlled through AWS Identity and Access Management (IAM):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:PutItem"
      ],
      "Resource": "arn:aws:dynamodb:eu-west-1:123456789012:table/Orders"
    }
  ]
}
```
| Action | Description |
|---|---|
| dynamodb:GetItem | Read a single item |
| dynamodb:PutItem | Write a single item |
| dynamodb:UpdateItem | Update a single item |
| dynamodb:DeleteItem | Delete a single item |
| dynamodb:Query | Query items in a table or index |
| dynamodb:Scan | Scan an entire table or index |
| dynamodb:BatchGetItem | Batch read items |
| dynamodb:BatchWriteItem | Batch write items |
| dynamodb:CreateTable | Create a table |
| dynamodb:DeleteTable | Delete a table |
| dynamodb:DescribeTable | View table metadata |
| dynamodb:UpdateTable | Modify table settings |
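The policy above grants three actions on one table ARN, which is the shape to aim for. Reviewing policies by eye does not scale, so here is a small linter, added for this lesson and not part of LearningBro's material, that flags the usual over-grants in a DynamoDB policy document: wildcard actions or resources, whole-table reads (`Scan`, `BatchGetItem`), table administration actions, and item writes that carry no `Condition` block. `ORDERS_POLICY` is the policy shown above; `BROAD_POLICY` is a constructed sample of what the linter is meant to catch.

```python
"""Lint a DynamoDB IAM policy document for common over-grants.

Added example for this lesson (not LearningBro's code). ORDERS_POLICY is the
policy shown above; BROAD_POLICY is a constructed sample.
"""
import json

# Action groups whose grant to an application principal deserves review.
WHOLE_TABLE_READ = {"dynamodb:Scan", "dynamodb:BatchGetItem"}
TABLE_ADMIN = {"dynamodb:CreateTable", "dynamodb:DeleteTable", "dynamodb:UpdateTable"}
ITEM_WRITE = {"dynamodb:PutItem", "dynamodb:UpdateItem",
              "dynamodb:DeleteItem", "dynamodb:BatchWriteItem"}


def _as_list(value):
    """IAM accepts either a string or a list in Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a list of finding strings, one per issue, for every Allow statement."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        tag = f"Statement[{idx}]"
        actions = set(_as_list(stmt.get("Action", [])))
        resources = _as_list(stmt.get("Resource", []))

        for action in sorted(actions):
            if "*" in action:
                findings.append(f"{tag}: wildcard action {action}")
        for res in resources:
            if res == "*" or res.endswith(":table/*"):
                findings.append(f"{tag}: wildcard resource {res}")
        if actions & WHOLE_TABLE_READ:
            findings.append(f"{tag}: whole-table read via {sorted(actions & WHOLE_TABLE_READ)}")
        if actions & TABLE_ADMIN:
            findings.append(f"{tag}: table administration via {sorted(actions & TABLE_ADMIN)}")
        if actions & ITEM_WRITE and "Condition" not in stmt:
            findings.append(f"{tag}: item writes without a Condition (no dynamodb:LeadingKeys scoping)")
    return findings


# The policy from the lesson text.
ORDERS_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem"],
      "Resource": "arn:aws:dynamodb:eu-west-1:123456789012:table/Orders"
    }
  ]
}
""")

# Constructed sample of an over-broad policy.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:Scan", "dynamodb:DeleteTable", "dynamodb:PutItem"],
            "Resource": "arn:aws:dynamodb:eu-west-1:123456789012:table/*",
        }
    ],
}

if __name__ == "__main__":
    for name, policy in (("Orders", ORDERS_POLICY), ("Broad", BROAD_POLICY)):
        print(name)
        for finding in lint_policy(policy) or ["  no findings"]:
            print(" ", finding)
```

The Orders policy produces a single advisory finding (unconditioned writes), which is the cue to add a `dynamodb:LeadingKeys` condition where the data is per-user; the constructed policy produces four.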
DynamoDB supports condition keys in IAM policies to restrict access at the item and attribute level:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:Query"
      ],
      "Resource": "arn:aws:dynamodb:eu-west-1:123456789012:table/UserData",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": [
            "${aws:PrincipalTag/UserId}"
          ]
        }
      }
    }
  ]
}
```
This policy ensures users can only access items where the partition key matches their own UserId tag.
```json
{
  "Condition": {
    "ForAllValues:StringEquals": {
      "dynamodb:Attributes": [
        "UserId", "Name", "Email"
      ]
    },
    "StringEqualsIfExists": {
      "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
    }
  }
}
```
This restricts the user to only reading or writing the specified attributes.
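To see why the two condition blocks above are written the way they are, it helps to run the evaluation by hand. The following simulator is an added example for this lesson, not LearningBro's code; the request contexts are constructed. It models the operator semantics documented by IAM: `ForAllValues:StringEquals` passes when every value in the request is in the policy's set, including when the request populates no values at all, and `StringEqualsIfExists` passes when the key is absent from the request. `${aws:PrincipalTag/UserId}` is resolved from the caller's tags (an unresolved tag is simplified to an empty string here).

```python
"""Simulate IAM evaluation of the dynamodb:LeadingKeys and dynamodb:Attributes
conditions from this lesson (added example, not LearningBro's code)."""
import re

_TAG_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(value, principal_tags):
    """Resolve ${aws:PrincipalTag/<Name>} policy variables from the caller's tags.
    Simplification: an unresolved tag becomes an empty string."""
    return _TAG_VAR.sub(lambda m: principal_tags.get(m.group(1), ""), value)


def evaluate_condition(condition, request, principal_tags):
    """Return True when every operator/key pair in the Condition block holds.

    `request` maps condition keys (dynamodb:LeadingKeys, dynamodb:Attributes,
    dynamodb:Select) to the values the API call supplies; a key the call does
    not populate is simply absent from the dict."""
    for operator, key_map in condition.items():
        for key, policy_values in key_map.items():
            allowed = {_substitute(v, principal_tags) for v in _as_list(policy_values)}
            present = key in request
            values = set(_as_list(request[key])) if present else set()
            if operator == "ForAllValues:StringEquals":
                # Every request value must be allowed; an empty set passes.
                if not values <= allowed:
                    return False
            elif operator == "StringEqualsIfExists":
                # Only enforced when the call actually sets the key.
                if present and not values <= allowed:
                    return False
            elif operator == "StringEquals":
                if not present or not values <= allowed:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


# Condition blocks exactly as in the lesson text.
LEADING_KEYS_CONDITION = {
    "ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": ["${aws:PrincipalTag/UserId}"]
    }
}
ATTRIBUTE_CONDITION = {
    "ForAllValues:StringEquals": {"dynamodb:Attributes": ["UserId", "Name", "Email"]},
    "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"},
}

# Constructed caller: a principal tagged UserId=alice.
ALICE = {"UserId": "alice"}


def own_partition(keys):
    """GetItem/Query touching the given partition key values, as alice."""
    ctx = {"dynamodb:LeadingKeys": keys} if keys else {}
    return evaluate_condition(LEADING_KEYS_CONDITION, ctx, ALICE)


def attribute_access(attributes=None, select=None):
    """Query with an optional attribute projection and Select parameter, as alice."""
    ctx = {}
    if attributes is not None:
        ctx["dynamodb:Attributes"] = attributes
    if select is not None:
        ctx["dynamodb:Select"] = select
    return evaluate_condition(ATTRIBUTE_CONDITION, ctx, ALICE)


if __name__ == "__main__":
    print("own key      :", own_partition(["alice"]))          # True
    print("other key    :", own_partition(["bob"]))            # False
    print("mixed batch  :", own_partition(["alice", "bob"]))   # False
    print("no key in ctx:", own_partition([]))                 # True (see note)
    print("projection   :", attribute_access(["UserId", "Email"], "SPECIFIC_ATTRIBUTES"))  # True
    print("extra attr   :", attribute_access(["UserId", "Password"], "SPECIFIC_ATTRIBUTES"))  # False
    print("select all   :", attribute_access(None, "ALL_ATTRIBUTES"))  # False
```

Two results are the ones to remember. A call that does not populate `dynamodb:LeadingKeys` passes the `ForAllValues` check, which is why the lesson's policy lists only key-addressed actions and deliberately leaves out `Scan`. Likewise a `Query` without a projection supplies no `dynamodb:Attributes`, so the attribute check alone would pass; the `StringEqualsIfExists` clause on `dynamodb:Select` is what denies a request for all attributes.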
DynamoDB encrypts all data at rest by default. You cannot disable encryption. Three key management options are available:
| Option | Description | Cost |
|---|---|---|
| AWS owned keys | Default; AWS manages the keys entirely | Free |
| AWS managed key (aws/dynamodb) | Visible in KMS; automatic rotation | KMS charges |
| Customer managed key (CMK) | You create and manage the key in KMS | KMS charges |
```bash
aws dynamodb update-table \
  --table-name MyTable \
  --sse-specification \
    Enabled=true,SSEType=KMS,KMSMasterKeyId=alias/my-key
```
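In a compliance-sensitive environment you usually need to prove which of the three options each table uses, and `DescribeTable` alone cannot tell the AWS managed key from a customer managed key: both appear as `SSEType: KMS` with a key ARN. The helper below, an added example for this lesson and not LearningBro's code, combines the table description with the `KeyManager` field from KMS `DescribeKey` (`AWS` or `CUSTOMER`). It assumes, as the CLI output shows in practice, that a table on the default AWS owned key returns no `SSEDescription` block at all. The table and key documents are constructed samples shaped like those API responses.

```python
"""Classify each table's encryption-at-rest option from DescribeTable output.

Added example for this lesson (not LearningBro's code). SAMPLE_TABLES and
KEY_MANAGER_BY_ARN are constructed stand-ins for DescribeTable and DescribeKey
responses; the account id and key ids are placeholders."""

AWS_OWNED, AWS_MANAGED, CUSTOMER_MANAGED, UNKNOWN = (
    "aws-owned", "aws-managed", "customer-managed", "unknown")


def classify_encryption(table, key_manager_by_arn):
    """Map one DescribeTable 'Table' document to an encryption option.

    key_manager_by_arn: {KMS key ARN: KeyManager} gathered from DescribeKey,
    because the table description alone cannot distinguish aws/dynamodb from
    a customer managed key."""
    sse = table.get("SSEDescription")
    if sse is None:
        return AWS_OWNED  # assumption: default AWS owned key, field omitted
    if sse.get("Status") != "ENABLED" or sse.get("SSEType") != "KMS":
        return UNKNOWN    # e.g. mid-transition (UPDATING) or unexpected type
    manager = key_manager_by_arn.get(sse.get("KMSMasterKeyArn"))
    if manager == "AWS":
        return AWS_MANAGED
    if manager == "CUSTOMER":
        return CUSTOMER_MANAGED
    return UNKNOWN        # key not visible to us: treat as non-compliant


def non_compliant_tables(tables, key_manager_by_arn, required=CUSTOMER_MANAGED):
    """Return the names of tables not using the required encryption option."""
    return [t["TableName"] for t in tables
            if classify_encryption(t, key_manager_by_arn) != required]


# Constructed sample data.
ACCOUNT = "123456789012"  # placeholder account id
MANAGED_KEY_ARN = f"arn:aws:kms:eu-west-1:{ACCOUNT}:key/00000000-aaaa-0000-0000-000000000001"
CUSTOMER_KEY_ARN = f"arn:aws:kms:eu-west-1:{ACCOUNT}:key/00000000-bbbb-0000-0000-000000000002"

SAMPLE_TABLES = [
    {"TableName": "Orders"},  # default: no SSEDescription block
    {"TableName": "Sessions",
     "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
                        "KMSMasterKeyArn": MANAGED_KEY_ARN}},
    {"TableName": "UserData",
     "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
                        "KMSMasterKeyArn": CUSTOMER_KEY_ARN}},
]
KEY_MANAGER_BY_ARN = {MANAGED_KEY_ARN: "AWS", CUSTOMER_KEY_ARN: "CUSTOMER"}

if __name__ == "__main__":
    for t in SAMPLE_TABLES:
        print(f"{t['TableName']:10s} {classify_encryption(t, KEY_MANAGER_BY_ARN)}")
    print("needs a CMK:", non_compliant_tables(SAMPLE_TABLES, KEY_MANAGER_BY_ARN))
```

Feeding it the real `aws dynamodb describe-table` and `aws kms describe-key` JSON is a matter of loading those responses in place of the constructed samples.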
All communication with DynamoDB uses HTTPS (TLS). There is no option to disable TLS — all API calls are encrypted in transit.
By default, DynamoDB API calls travel over the public internet (even from within a VPC). A VPC Gateway Endpoint keeps traffic on the AWS private network:
```bash
aws ec2 create-vpc-endpoint \
  --vpc-id vpc-abc123 \
  --service-name com.amazonaws.eu-west-1.dynamodb \
  --route-table-ids rtb-abc123
```