Why does an IAM policy not filter fine-grained access to DynamoDB?

0

Newbie stuck after reading docs, forums and trial-and-error for 3 days... :-(

I created a table:

    $CREATE_TABLE RefData $USE_LOCALDB $BILLING_MODE \
        --attribute-definitions \
            AttributeName=DomainOwner,AttributeType=S \
            AttributeName=SyncID,AttributeType=N \
        --key-schema \
            AttributeName=DomainOwner,KeyType=HASH \
            AttributeName=SyncID,KeyType=RANGE

and I want to use the condition (DomainOwner == UserID) to restrict every user to seeing only his own data.

Then I create a Group and attach the following Policy to it:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DynamoAccessToRefData",
          "Effect": "Allow",
          "Action": [
            "dynamodb:GetItem",
            "dynamodb:PutItem",
            "dynamodb:DeleteItem",
            "dynamodb:Query",
            "dynamodb:Scan"
          ],
          "Resource": "arn:aws:dynamodb:eu-central-1:322185599562:table/*",
          "Condition": {
            "ForAllValues:StringEquals": {
              "dynamodb:LeadingKeys": [
                "${www.amazon.com:user_id}"
              ]
            }
          }
        }
      ]
    }

I create 2 users (user1 and user2) and add them both to the group.

user1 puts items into the table and I check using the CLI:

    aws --profile=user1 dynamodb scan --table-name RefData

OK, here is the data.

Now user2 should NOT see the data - right?

    aws --profile=user2 dynamodb scan --table-name RefData

=> the same data gets displayed as with the scan for user1.
WHY???

I checked the access keys in the profiles in ~/.aws/config.
I checked whether other policies apply (nope).
I must be making the same mistake over and over again,
but I don't see it - any hint appreciated.

EDIT:
I tried attaching/detaching the policy to the group, I tried adding/removing users to the group, I tried adding/removing Actions.
Everything worked fine as expected. What amazes me is the Condition. I tried

    "Condition": {
      "ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": "certainlyNOT"
      }
    }

and the users can STILL scan and see the data, which does not at all contain this text in the primary key.

Edited by: peterzzz on Mar 31, 2020 1:42 AM

asked 4 years ago, 279 views
1 Answer
0

The DynamoDB docs say, in the example section on fine-grained access control:

    Important
    The list of actions does not include permissions for Scan because Scan returns all items
    regardless of the leading keys.

Thus: don't use Scan to check the effect of the access policy.

answered 4 years ago
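To make the behaviour from the question and the answer concrete, here is a small evaluator I added for this page (it is not code from the question, the answer, or AWS). It models only three documented rules: GetItem, PutItem, DeleteItem and Query place the partition-key values a request touches into the dynamodb:LeadingKeys context key; Scan places nothing there; and a ForAllValues set operator evaluates to true when its context key is absent or empty. The policy variable from the question is replaced by a constructed placeholder "${caller}", and the statement, user names and partition keys are constructed test data.

```python
"""Toy evaluator for the ForAllValues:StringEquals condition on
dynamodb:LeadingKeys. Added illustration; it models only the three rules
named in the lead-in and no other part of IAM evaluation."""

# Actions for which DynamoDB populates dynamodb:LeadingKeys (documented list).
KEYED_ACTIONS = {"dynamodb:GetItem", "dynamodb:PutItem",
                 "dynamodb:DeleteItem", "dynamodb:Query"}

# Constructed statement shaped like the one in the question; "${caller}" is a
# placeholder this toy substitutes itself in place of the real policy variable.
QUESTION_STATEMENT = {
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem",
               "dynamodb:Query", "dynamodb:Scan"],
    "Condition": {"ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": ["${caller}"]}},
}


def request_context(action, partition_keys):
    """Constructed request context: only the LeadingKeys key is modelled."""
    if action in KEYED_ACTIONS:
        return {"dynamodb:LeadingKeys": list(partition_keys)}
    return {}  # Scan carries no dynamodb:LeadingKeys at all


def for_all_values_string_equals(context, key, allowed):
    """Every context value must be in `allowed`; an absent or empty key
    makes the set condition vacuously true (all() over an empty list)."""
    values = context.get(key, [])
    return all(v in allowed for v in values)


def is_allowed(statement, caller, action, partition_keys=()):
    """Evaluate this single Allow statement for one request (no other policies)."""
    if action not in statement["Action"]:
        return False  # implicit deny: the action is not granted at all
    cond = statement["Condition"]["ForAllValues:StringEquals"]
    allowed = [v.replace("${caller}", caller) for v in cond["dynamodb:LeadingKeys"]]
    ctx = request_context(action, partition_keys)
    return for_all_values_string_equals(ctx, "dynamodb:LeadingKeys", allowed)


def without_scan(statement):
    """Hardened copy of the statement: drop Scan, as the documented example does."""
    fixed = dict(statement)
    fixed["Action"] = [a for a in statement["Action"] if a != "dynamodb:Scan"]
    return fixed


if __name__ == "__main__":
    s = QUESTION_STATEMENT
    # The surprise from the question: Scan passes for everybody, even with a
    # value no key could match, because Scan supplies no LeadingKeys.
    print(is_allowed(s, "user2", "dynamodb:Scan"))                 # True
    nonsense = dict(s, Condition={"ForAllValues:StringEquals":
                                  {"dynamodb:LeadingKeys": ["certainlyNOT"]}})
    print(is_allowed(nonsense, "user2", "dynamodb:Scan"))          # True
    # Keyed actions are filtered as intended.
    print(is_allowed(s, "user1", "dynamodb:Query", ["user1"]))     # True
    print(is_allowed(s, "user2", "dynamodb:Query", ["user1"]))     # False
    # Once Scan is not granted, the scan is implicitly denied.
    print(is_allowed(without_scan(s), "user2", "dynamodb:Scan"))   # False
```

The check that matters for a real policy is the one `without_scan` performs: an Allow that relies on a ForAllValues condition should only list actions that actually populate the context key, because a missing key makes the condition pass rather than fail. Separately, the `${www.amazon.com:user_id}` variable in the question is the Login with Amazon federation variable; for plain IAM users the identity variable is `${aws:username}`.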
