You're reading from DynamoDB Cookbook

Product type: Book
Published in: Sep 2015
Publisher: Packt Publishing
ISBN-13: 9781784393755
Edition: 1st Edition
Author
Tanmay Deshpande

Tanmay Deshpande is a Hadoop and big data evangelist. He currently works with Schlumberger as a Big Data Architect in Pune, India. He has interest in a wide range of technologies, such as Hadoop, Hive, Pig, NoSQL databases, Mahout, Sqoop, Java, cloud computing, and so on. He has vast experience in application development in various domains, such as oil and gas, finance, telecom, manufacturing, security, and retail. He enjoys solving machine-learning problems and spends his time reading anything that he can get his hands on. He has great interest in open source technologies and has been promoting them through his talks. Before Schlumberger, he worked with Symantec, Lumiata, and Infosys. Through his innovative thinking and dynamic leadership, he has successfully completed various projects. He regularly blogs on his website http://hadooptutorials.co.in. You can connect with him on LinkedIn at https://www.linkedin.com/in/deshpandetanmay/. He has also authored Mastering DynamoDB, published in August 2014, DynamoDB Cookbook, published in September 2015, Hadoop Real World Solutions Cookbook-Second Edition, published in March 2016, Hadoop: Data Processing and Modelling, published in August, 2016, and Hadoop Blueprints, published in September 2016, all by Packt Publishing.

Chapter 6. Securing DynamoDB

In this chapter, we will cover the following topics:

  • Creating users using AWS IAM

  • Creating a DynamoDB full access group using AWS IAM

  • Creating a DynamoDB read-only group using AWS IAM

  • Validating the DynamoDB access controls using the AWS IAM policy simulator

  • Creating the custom policy to allow the DynamoDB console access using AWS IAM

  • Creating a fine-grained access control policy using AWS IAM

  • Implementing the client-side encryption for the DynamoDB data

  • Implementing the client-side masking for the DynamoDB data

Introduction


In the previous chapter, we explored high-level programming interfaces for DynamoDB. In this chapter, we will secure DynamoDB: we will see how to manage DynamoDB access controls, how to create security policies, and so on. Controlling data access is very important when you use DynamoDB in production, in order to prevent misuse.

For all access controls on DynamoDB, we will use the AWS Identity and Access Management (IAM) service. AWS IAM lets you create users and groups and attach permissions that allow or deny their access to specific resources. As we go through the recipes, we will explore AWS IAM in more detail.

You can read more about AWS IAM at https://aws.amazon.com/iam/.

Creating users using AWS IAM


To get started with identity and access control, the first step is to create the users that the following recipes will use.

Getting ready

To perform this recipe, you need to know how to access the DynamoDB console.

How to do it…

Let's create users using AWS IAM:

  1. Log on to the AWS Console by providing valid credentials at https://console.aws.amazon.com.

  2. Navigate to the AWS IAM service from the console dashboard. You will see the following screen:

  3. Click on the Users link from the left-hand side navigation pane. You will be directed to the Users page, where you can see the Create New Users button. Click on this button to create new users.

  4. You will see a screen with some textboxes where you can provide the names of the users to be created. Enter the names and click on the Create button. The screen also has a checkbox, which should be checked so that access and secret keys are generated for the newly created users.

  5. The next screen will provide an option for...

Creating a DynamoDB full access group using AWS IAM


Now that we have created the users, it's time to create groups and provide access controls to them.

Getting ready

To perform this recipe, you need to know how to access the DynamoDB console.

How to do it…

Let's create a DynamoDB full access group using AWS IAM:

  1. Sign in to the AWS console and navigate to the IAM service.

  2. You will see a Create New Group button, which allows you to create a new group. Click on this button to create one:

  3. On the next screen, you will see a tab where you need to provide a group name, say dynamodb-full-access-group. Click on the Next Step button to continue.

  4. On the next screen, shown in the following screenshot, we need to attach a policy to the group; since we are creating a group with full access to the DynamoDB resources, we will select the corresponding policy. We can create a custom policy or use one of the AWS predefined policies. We will discuss how to create a custom policy later in this chapter. For this recipe, we will use the predefined...

Creating a DynamoDB read-only group using AWS IAM


In this recipe, we will create a user group that has read-only access to DynamoDB.

Getting ready

To perform this recipe, you need to know how to access the DynamoDB console.

How to do it…

Let's create a read-only group using AWS IAM:

  1. Create a user group, as described in the previous recipe, with the name dynamodb-read-only-group and attach the AmazonDynamoDBReadOnlyAccess policy, as shown in the following screenshot:

  2. Once the group is created and the policy is attached to it, you may add users to the group. You can refer to the previous recipe for more details. Here, I am adding dynamodb-user-2 to this group.

How it works…

The read-only policy only allows users to read items; it does not allow them to modify any items. All write operations, such as PutItem, BatchWriteItem, and so on, are blocked. The users of this group can only perform the GetItem, BatchGetItem, Query, and Scan operations.

Validating the DynamoDB access controls using the AWS IAM policy simulator


It is always important to validate the security enforcement that we impose on DynamoDB resources. In this recipe, we will see how to test the access controls we have applied to DynamoDB.

Getting ready

To perform this recipe, you should have performed the earlier recipes.

How to do it…

Let's validate and test the DynamoDB access controls:

  1. Go to the AWS IAM policy simulator. If you are already logged in to the AWS console on the browser, then you will be signed in to the simulator as well. You can refer to https://policysim.aws.amazon.com for more details.

  2. Now, we want to test the access controls for the groups that we created in the earlier recipes. First, we will test the read-only group. For this, select Groups from the drop-down menu, and click on dynamodb-read-only-group, the group to be tested, as shown in the following screenshot:

  3. Next, select the Service button on which we want to test our controls, that...

Creating the custom policy to allow the DynamoDB console access using AWS IAM


In the earlier recipes, we learnt how to use the AWS-defined policies to enforce access controls. Now, we will see how to create and apply a custom policy.

Getting ready

To perform this recipe, you should have performed the earlier recipes.

How to do it…

Let's create and apply a custom policy:

  1. Log on to the AWS IAM console, as we did in the earlier recipes. Go to the Policies section in the left-hand side navigation pane of your AWS IAM console. Click on the Create Policy button.

  2. Next, you will see the policy creation screen, which lets you create a policy in three ways: the first option copies a managed policy that you then edit as you prefer; the second option uses a policy generator that guides you through creating the policy; and the third option lets you write the policy from scratch. Here, we will go with the second option, which is recommended to create...

Creating a fine-grained access control policy using AWS IAM


Fine-grained access control lets us restrict access to table data as precisely as we need. It lets us create policies that allow users to access only their own data, limit their access to certain attributes, and so on. In this recipe, we will see how to create a fine-grained policy.

Getting ready

To perform this recipe, you should have performed the earlier recipes.

How to do it…

Here, the policy creation steps are similar to those of the earlier recipe, so we will jump directly to the policy wizard's set permissions screen. We will use the same e-commerce example that we have been following since the start of this book, which has a product table. If you want to hide certain attributes, such as purchase price and stock, from the end users, you can create a policy that denies access to those attributes:

  1. Navigate to the create policy user interface, and select the third option, that is, Create Your Own Policy.

  2. You may...
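The fine-grained policy this recipe builds, together with the kind of check the policy simulator recipe performs, as an added example that is not part of the book: a Go program that renders the policy document for the product table and runs a deliberately simplified local evaluation of it. The table ARN (with the AWS documentation placeholder account id), the attribute names ProductId, Name, Description, Price, PurchasePrice and Stock, and the Evaluate model are assumptions made here; the real IAM engine and the policy simulator remain the authority on what a policy permits.

```go
package main

import "encoding/json"

// Statement and Policy cover the subset of the IAM policy grammar this example needs.
type Statement struct {
	Sid       string                            `json:"Sid,omitempty"`
	Effect    string                            `json:"Effect"`
	Action    []string                          `json:"Action"`
	Resource  string                            `json:"Resource"`
	Condition map[string]map[string]interface{} `json:"Condition,omitempty"`
}

type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// Request models the parts of a DynamoDB call that the policy conditions inspect.
type Request struct {
	Action     string   // e.g. "dynamodb:Query"
	Resource   string   // table ARN
	Attributes []string // attribute names the call asks for (dynamodb:Attributes); empty if none named
	Select     string   // dynamodb:Select, "" when the call does not send it
}

// Constructed values: the account id is the AWS documentation placeholder and the attribute
// names are assumed for the book's product table; PurchasePrice and Stock stay hidden.
const ExampleTableARN = "arn:aws:dynamodb:us-east-1:123456789012:table/product"

var PublicAttributes = []string{"ProductId", "Name", "Description", "Price"}

// BuildProductPolicy allows read calls on the table only when every attribute the caller
// names is in allowed, and refuses calls that ask for all attributes via Select.
func BuildProductPolicy(tableARN string, allowed []string) Policy {
	return Policy{
		Version: "2012-10-17",
		Statement: []Statement{{
			Sid:      "ReadPublicProductAttributesOnly",
			Effect:   "Allow",
			Action:   []string{"dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan"},
			Resource: tableARN,
			Condition: map[string]map[string]interface{}{
				"ForAllValues:StringEquals": {"dynamodb:Attributes": allowed},
				"StringEqualsIfExists":      {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"},
			},
		}},
	}
}

// PolicyJSON renders the document to paste into the IAM "Create Your Own Policy" editor.
func PolicyJSON(p Policy) (string, error) {
	b, err := json.MarshalIndent(p, "", "  ")
	return string(b), err
}

// Evaluate is a deliberately small model of IAM evaluation, useful as a pre-check before
// the real policy simulator: an explicit Deny wins, a matching Allow grants, and anything
// else is an implicit deny. It evaluates the in-memory policy built above, not arbitrary JSON.
func Evaluate(p Policy, r Request) string {
	decision := "implicitDeny"
	for _, s := range p.Statement {
		if !contains(s.Action, r.Action) || s.Resource != r.Resource || !conditionsHold(s, r) {
			continue
		}
		if s.Effect == "Deny" {
			return "explicitDeny"
		}
		decision = "allow"
	}
	return decision
}

func conditionsHold(s Statement, r Request) bool {
	// ForAllValues: every attribute the request names must be in the allowed list. With no
	// attributes named this holds vacuously, which is why Select is constrained as well.
	if allowed, ok := s.Condition["ForAllValues:StringEquals"]["dynamodb:Attributes"].([]string); ok {
		for _, a := range r.Attributes {
			if !contains(allowed, a) {
				return false
			}
		}
	}
	// ...IfExists operators only apply when the request actually carries the key.
	want, ok := s.Condition["StringEqualsIfExists"]["dynamodb:Select"].(string)
	return !ok || r.Select == "" || r.Select == want
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}
```

The policy relies on two condition keys DynamoDB exposes to IAM: dynamodb:Attributes with the ForAllValues set operator, so a request passes only if every attribute it names is in the list, and dynamodb:Select, so a Query or Scan cannot sidestep the list by asking for ALL_ATTRIBUTES. The attribute list is an allow-list, and leaving PurchasePrice and Stock out of it is what hides them; paste the output of PolicyJSON into the simulator to confirm the same verdicts against the real engine.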

Implementing the client-side encryption for the DynamoDB data


Cloud services have been in production use for a long time, but some people still have concerns about the security they provide. It is also always good to have additional layers of security to make sure that the data is safe. To that end, in this recipe, we are going to see how to encrypt data before saving it in a DynamoDB table.

Getting ready

To perform this recipe, you should know how to use the AWS SDK for Java, especially its object persistence model. Refer to Chapter 5, Exploring Higher Level Programming Interfaces for DynamoDB, for more details.

How to do it…

To get started with this recipe, we need to create a Maven project and add the following dependencies to it:

  1. Add dependencies to the AWS SDK for Java and the aws-dynamodb-encryption-java library:

    <dependency>
      <groupId>com.amazonaws</groupId>
      <artifactId>aws-java-sdk</artifactId>
      <version>1.9.34</version>
    </dependency>
    ...
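An added example of the client-side pattern this recipe describes; it is not the book's code and not the aws-dynamodb-encryption-java library, but a Go implementation using only the standard library. Each sensitive attribute is encrypted with AES-256-GCM before the item is written, with the attribute name as associated data, and the whole item is then signed with HMAC-SHA256 so that even the attributes left in clear (the primary key must stay readable for DynamoDB to index it) cannot be altered in the table without detection. The function and attribute names are this example's own, the 32-byte master key is a constructed constant in the test, and key wrapping, rotation and fetching the key from a key store such as KMS are left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
)

type Item map[string]string // a DynamoDB item reduced to string attributes

const signatureAttr = "_signature" // HMAC over every other attribute; a name chosen for this example

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with a fresh random nonce (prefixed to the output); aad is the attribute
// name, so a ciphertext moved to another attribute no longer decrypts.
func seal(key, aad, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; GCM rejects any change to ciphertext, nonce or aad.
func open(key, aad, sealed []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// sign is HMAC-SHA256 over the canonical JSON of the item (encoding/json sorts map keys),
// under a signing key derived from the master key, so plaintext attributes cannot be
// altered or swapped without detection.
func sign(masterKey []byte, item Item) string {
	sk := sha256.Sum256(append([]byte("item-signing:"), masterKey...))
	mac := hmac.New(sha256.New, sk[:])
	canon, _ := json.Marshal(item) // cannot fail for map[string]string
	mac.Write(canon)
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// EncryptItem returns a copy of item ready for PutItem: every attribute named in sensitive
// is stored as base64 ciphertext (empty if absent) and the whole item is signed.
func EncryptItem(key []byte, item Item, sensitive []string) (Item, error) {
	out := Item{}
	for n, v := range item {
		out[n] = v
	}
	for _, n := range sensitive {
		ct, err := seal(key, []byte(n), []byte(item[n]))
		if err != nil {
			return nil, err
		}
		out[n] = base64.StdEncoding.EncodeToString(ct)
	}
	out[signatureAttr] = sign(key, out)
	return out, nil
}

// DecryptItem checks the signature before touching any ciphertext, so a tampered item is
// rejected whole rather than partly decoded.
func DecryptItem(key []byte, stored Item, sensitive []string) (Item, error) {
	out := Item{}
	for n, v := range stored {
		out[n] = v
	}
	delete(out, signatureAttr)
	if !hmac.Equal([]byte(stored[signatureAttr]), []byte(sign(key, out))) {
		return nil, errors.New("item signature mismatch: stored attributes were altered")
	}
	for _, n := range sensitive {
		ct, err := base64.StdEncoding.DecodeString(stored[n])
		if err != nil {
			return nil, err
		}
		pt, err := open(key, []byte(n), ct)
		if err != nil {
			return nil, err
		}
		out[n] = string(pt)
	}
	return out, nil
}
```

Call EncryptItem on the object right before the mapper's save and DecryptItem right after the load; the signature check fails closed, so an item whose plaintext attributes were edited in the console, or one written under a different key, is refused rather than returned half-decoded.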

Implementing the client-side masking for the DynamoDB data


Similar to the requirement in the previous recipe, there might be a need to mask data before saving it in DynamoDB. Masking replaces real values of sensitive information, such as names, dates of birth, Social Security numbers (SSNs), credit/debit card numbers, and so on, with realistic but fictitious values. Generally, when it comes to securing test data, people prefer masking over encryption. In this recipe, we will see how to mask such data before saving it in DynamoDB.

Getting ready

To perform this recipe, you should know how to use the AWS SDK for Java, especially its object persistence model. Refer to Chapter 5, Exploring Higher Level Programming Interfaces for DynamoDB, for more details.

How to do it…

Unlike encryption, data masking is not something AWS provides support for, so we need a custom solution to mask the data before storing it in DynamoDB.

Consider our e-commerce website where we save our customer's credit card details....
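An added example for the credit card case, not the book's code: deterministic masking in Go. The stored value keeps the last four digits, replaces the rest with digits derived from an HMAC of the real number under a masking key, and fixes one digit so the result still passes the Luhn check, so it looks like a real card number to downstream code and test tooling but cannot be reversed without the key. The same input always produces the same mask, which keeps joins across tables working. The function names, the masking key and the sample numbers are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"strings"
)

// luhnSum scores a digit string the way the Luhn check does: every second digit from the
// right is doubled (minus 9 when that exceeds 9) before all digits are added up.
func luhnSum(digits string) int {
	sum := 0
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if (len(digits)-1-i)%2 == 1 {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
	}
	return sum
}

// LuhnValid reports whether a card number passes the Luhn check digit test.
func LuhnValid(number string) bool {
	return len(number) > 1 && luhnSum(number)%10 == 0
}

// normalizePAN strips spaces and dashes and rejects anything that is not 13 to 19 digits.
func normalizePAN(pan string) (string, error) {
	pan = strings.NewReplacer(" ", "", "-", "").Replace(pan)
	if len(pan) < 13 || len(pan) > 19 {
		return "", errors.New("card number must have 13 to 19 digits")
	}
	for _, c := range pan {
		if c < '0' || c > '9' {
			return "", errors.New("card number must contain only digits")
		}
	}
	return pan, nil
}

// MaskCardNumber replaces a card number with a realistic substitute: the last four digits
// are kept, the digits before them come from HMAC-SHA256(key, pan), and the digit just
// before the kept block is chosen so the whole number passes the Luhn check.
func MaskCardNumber(key []byte, pan string) (string, error) {
	pan, err := normalizePAN(pan)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(pan))
	digest := mac.Sum(nil) // 32 bytes, more than the at most 14 digits needed
	n := len(pan)
	out := make([]byte, n)
	for i := 0; i < n-5; i++ {
		out[i] = '0' + digest[i]%10 // slight bias toward 0-5 is irrelevant for masking
	}
	out[n-5] = '0' // correction digit, fixed below
	copy(out[n-4:], pan[n-4:])
	// Index n-5 is always the fifth digit from the right, a position the Luhn scheme does not
	// double, so the correction digit contributes its own value and any 0-9 gap can be closed.
	need := (10 - luhnSum(string(out))%10) % 10
	out[n-5] = '0' + byte(need)
	return string(out), nil
}

// MaskCardForDisplay is the presentation form: only the last four digits remain.
func MaskCardForDisplay(pan string) (string, error) {
	pan, err := normalizePAN(pan)
	if err != nil {
		return "", err
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:], nil
}
```

Keep the masking key with the same care as an encryption key: anyone holding it can check whether a guessed card number maps to a stored mask, so it belongs in a secrets store, not in the test data set it protects.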
