1
00:00:00,600 --> 00:00:10,110
Access to DynamoDB is controlled through AWS IAM, that is, the AWS Identity and Access Management

2
00:00:10,110 --> 00:00:21,460
service. In IAM we have users, user groups and roles, and then we apply policies to these users, groups or

3
00:00:21,460 --> 00:00:32,430
roles to control their access to different AWS resources or services, and we have used users, roles

4
00:00:32,490 --> 00:00:39,260
as well as policies throughout this course, so just for the sake of clarity:

5
00:00:39,390 --> 00:00:49,680
A user can be created within IAM, and it can either be a real user who can log into the console using

6
00:00:50,010 --> 00:01:01,710
the username and password, or it can be a service user, also known as an API user, which can access AWS only

7
00:01:01,710 --> 00:01:15,070
through the API using access credentials like the access key and secret access key. Access using username

8
00:01:15,070 --> 00:01:24,640
and password is generally for real human users who need to log into the AWS console, while API users

9
00:01:24,700 --> 00:01:32,810
are generally used by applications that interact with AWS programmatically.

10
00:01:33,130 --> 00:01:42,700
And then we have roles. Roles can be assigned access policies just like users, but roles can be assumed

11
00:01:42,790 --> 00:01:44,560
by users,

12
00:01:44,560 --> 00:01:53,530
applications or other AWS services without actually having to use additional access credentials.

13
00:01:53,800 --> 00:02:01,870
We use roles in several demos in this course. For example, we use a role for the Lambda function, which

14
00:02:01,930 --> 00:02:10,060
allowed Lambda to interact with DynamoDB and CloudWatch on our behalf.

15
00:02:10,120 --> 00:02:19,390
And we did not have to create any access keys for Lambda in order to give it the necessary access. So

16
00:02:19,690 --> 00:02:29,940
roles allow us to delegate access to the resources without having to use long-term access keys.

17
00:02:30,040 --> 00:02:39,860
We have already created an API user named dynamodb-training to interact with DynamoDB programmatically.

18
00:02:39,880 --> 00:02:41,650
Let's open this user in

19
00:02:41,680 --> 00:02:53,390
IAM, and we can see that the user currently has full access to CloudSearch and DynamoDB, and also

20
00:02:53,390 --> 00:02:56,930
has access to S3.

21
00:02:56,930 --> 00:03:05,210
If we wanted to give this user only read access and no write access, we'd change their policy

22
00:03:05,270 --> 00:03:06,520
accordingly.

23
00:03:07,660 --> 00:03:15,690
So let's remove the DynamoDB full access policy and add the DynamoDB read-only access policy,

24
00:03:21,150 --> 00:03:23,040
just like that.

25
00:03:23,730 --> 00:03:29,390
And now if we try to run a write operation it should fail.

26
00:03:29,760 --> 00:03:34,980
But read operations should still work.

27
00:03:35,000 --> 00:03:36,890
So let's try that out.

28
00:03:38,620 --> 00:03:48,430
I open the sandbox project inside VS Code and I'm going to run read-ops.js,

29
00:03:53,790 --> 00:03:55,590
and it works.

30
00:03:55,590 --> 00:03:58,560
Now let's run write-ops.js.

31
00:04:02,650 --> 00:04:06,190
And we see that we get an access denied

32
00:04:06,300 --> 00:04:11,700
exception. Now, to further fine-tune this policy,

33
00:04:11,920 --> 00:04:16,160
I'm going to remove the read-only access policy.

34
00:04:18,130 --> 00:04:25,100
And give this user access to just the GetItem operation.

35
00:04:25,620 --> 00:04:27,670
I have removed the policy.

36
00:04:27,910 --> 00:04:33,750
Then click on Add inline policy. Let's choose DynamoDB

37
00:04:41,800 --> 00:04:43,300
under Actions,

38
00:04:43,320 --> 00:04:50,570
open the Read section and select GetItem. For Resources,

39
00:04:50,580 --> 00:04:53,250
I'm going to say All resources

40
00:04:56,260 --> 00:04:57,070
for now.

41
00:04:57,130 --> 00:05:08,350
Review the JSON, and we can see that this policy allows GetItem access to all resources. Continue

42
00:05:11,430 --> 00:05:12,770
and name the policy,

43
00:05:12,780 --> 00:05:21,200
say, custom DynamoDB policy, and create.

44
00:05:21,270 --> 00:05:26,800
Now if we run the GetItem operation, it should work,

45
00:05:29,570 --> 00:05:35,720
and it does. Let's run the BatchGetItem operation,

46
00:05:45,720 --> 00:05:49,830
and it fails as expected.

47
00:05:51,870 --> 00:05:57,080
Let's run GetItem on another table, say td_notes_sdk.

48
00:05:57,120 --> 00:05:57,810
OK,

49
00:06:11,870 --> 00:06:13,630
and it works as well.

50
00:06:14,640 --> 00:06:23,770
Now let's limit the user's GetItem access to only the test table.

51
00:06:24,670 --> 00:06:34,750
So I'm going to copy the table ARN for the td_notes_test table from the Overview tab in the DynamoDB

52
00:06:34,750 --> 00:06:39,960
console, and then let's edit our custom policy,

53
00:06:42,770 --> 00:06:45,620
expand it and click on Edit,

54
00:06:50,690 --> 00:07:02,900
under Resources select Specific and add the ARN that we just copied, just like that. Then Review policy

55
00:07:03,050 --> 00:07:16,800
and Save. Now if we run the GetItem operation on any other table than the td_notes_test table, it should fail.

56
00:07:19,400 --> 00:07:24,240
And it does. Let's run it on the td_notes_test

57
00:07:24,270 --> 00:07:28,810
table.

58
00:07:28,990 --> 00:07:31,100
And it works as expected.

59
00:07:32,050 --> 00:07:37,980
Now we can control access at an even more fine-grained level. Say

60
00:07:38,140 --> 00:07:48,040
we can even tell IAM to allow this user or role to access certain items within the table

61
00:07:48,400 --> 00:07:51,200
and not any other items.

62
00:07:51,210 --> 00:08:02,300
Let's edit this policy again, and this time we'll specify the request conditions. We can enforce MFA device

63
00:08:02,310 --> 00:08:10,280
based access or allow access only from certain whitelisted IP addresses as well.

64
00:08:11,490 --> 00:08:12,870
Click Add condition,

65
00:08:15,520 --> 00:08:29,900
let's select the condition key dynamodb:LeadingKeys, the qualifier For all values in request, the operator as StringEquals

66
00:08:30,170 --> 00:08:44,840
and the value as 'a'. This says: allow this user to access items from the table where the partition key is

67
00:08:44,960 --> 00:08:47,180
equal to 'a'.

68
00:08:54,260 --> 00:08:54,780
Save.

69
00:08:54,810 --> 00:09:00,210
If we run our code now, it works.

70
00:09:00,220 --> 00:09:12,960
But if I change the partition key from 'a' to 'b', for example, then we get AccessDeniedException.

71
00:09:20,440 --> 00:09:29,680
We can add different conditions to even control which attributes can be accessed within an item, and

72
00:09:30,040 --> 00:09:31,150
so on.

73
00:09:31,390 --> 00:09:40,780
And this is typically useful, especially when we want application users to be able to access their own

74
00:09:40,780 --> 00:09:50,470
data, but they should not be allowed to access information about other users of the application.

75
00:09:50,470 --> 00:09:59,290
So instead of hard-coding the partition key, we can even use substitution variables or expressions

76
00:09:59,290 --> 00:09:59,720
here.

77
00:09:59,740 --> 00:10:10,060
For example, we could say ${aws:username}, and this will provide access to the

78
00:10:10,060 --> 00:10:17,950
user only if the partition key value matches that AWS username.

79
00:10:28,750 --> 00:10:32,350
Now if we test our code, it should fail.

80
00:10:34,350 --> 00:10:37,140
And it does.

81
00:10:37,230 --> 00:10:39,100
Now, just to demonstrate this,

82
00:10:39,120 --> 00:10:51,530
I'm going to create a few items with the username of this API user as the partition key, say, inside the DynamoDB

83
00:10:51,530 --> 00:10:53,420
console.

84
00:10:53,760 --> 00:11:02,730
Let's duplicate an item and change the user id to dynamodb-training.

85
00:11:02,790 --> 00:11:11,310
This is the username of our API user. And let's create one more item with a different sort key.

86
00:11:23,170 --> 00:11:26,750
Now let's run GetItem for these items.

87
00:11:51,420 --> 00:11:54,030
And it works. Awesome.

88
00:11:54,840 --> 00:11:59,740
That's all about fine-grained access control in DynamoDB.

89
00:12:00,510 --> 00:12:11,280
We used the graphical editor, and you can also simply write the policy in JSON format if you like, just

90
00:12:11,370 --> 00:12:16,470
as we did in several demos earlier in this course.

91
00:12:16,480 --> 00:12:26,200
All right, before we continue, let's remove the fine-grained access control policy and give our API user

92
00:12:26,200 --> 00:12:29,660
full access to DynamoDB.

93
00:12:29,770 --> 00:12:40,660
We can complete the rest of the demos with ease. So inside IAM I'm going to remove the custom DynamoDB

94
00:12:40,660 --> 00:12:46,660
policy and add back the DynamoDB full access policy,

95
00:12:55,120 --> 00:12:59,700
just like that. Awesome.

96
00:13:00,100 --> 00:13:10,630
In the next section we are going to build a REST API using Node and Express to interact with our DynamoDB

97
00:13:10,630 --> 00:13:20,320
table, and later in the course we'll use this API to integrate a front-end web application with our

98
00:13:20,320 --> 00:13:25,560
DynamoDB back end to create an end-to-end solution.

99
00:13:26,080 --> 00:13:34,690
We'll also integrate this API with a mobile app, that is, an iOS and an Android app.

100
00:13:35,930 --> 00:13:37,420
So let's keep going.
