DynamoDB IAM policy

First, we need a policy that allows the Lambda function to read records from DynamoDB. We can create it as follows:

  1. Sign into the AWS Management Console at https://console.aws.amazon.com/.
  2. Choose Security, Identity & Compliance | IAM, or search for IAM under Find services.
  3. In the IAM navigation pane, choose Policies.
  4. Choose Create policies.
  5. Choose the JSON tab.
Rather than using the JSON view, you can also use, or switch to, the Visual Editor for creating a policy, but I prefer the JSON view, as the code can be source-controlled and deployed programmatically as we'll do later with the AWS CLI.
  6. Type, or paste, the following JSON policy document:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "dynamodb:BatchGetItem",
                      "dynamodb:DescribeTable",
                      "dynamodb:GetItem",
                      "dynamodb:Query",
                      "dynamodb:Scan"
                  ],
                  "Resource": [
                      "arn:aws:dynamodb:<your-region>:<your-aws-accountid>:table/user-visits"
                  ]
              }
          ]
      }

Update <your-region> with your AWS region, such as us-east-1, and update <your-aws-accountid> with your AWS account ID.

If you do not know your AWS account number, you can find it in the Support Center window, available from the top Support | Support Center menu in the AWS Management Console, as shown in the following screenshot:

  7. Choose Review Policy.
  8. On the Review Policy page, type dynamo-readonly-user-visits for the name.
  9. Choose Create Policy.

This IAM policy, called dynamo-readonly-user-visits, will now be listed on the Policies page when you set Filter policies to Customer managed.

We talked about security being very important, and one way to ensure it is to apply the OWASP security by design principles, such as the principle of least privilege, as discussed earlier. Here, we do that by locking down table access using a policy. You'll notice that I've restricted it to one specific DynamoDB table, identified by name in the Resource ARN, rather than to all tables. The policy name should be as descriptive and granular as possible to make it easier to maintain; I tend to have one policy per AWS resource where possible. I've used the prefix dynamo-readonly so that it is obvious the policy only grants the ability to read from one specific table, called user-visits.
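Because the policy is kept as JSON and will be deployed from source control, it is worth checking it mechanically before it is attached. The following added example (my own code, not from the book or AWS) fills in the two placeholders and then flags anything that would widen the grant beyond read-only access to the one user-visits table: wildcard or non-read actions, an unfilled placeholder, or a Resource that is not a single table ARN. The account ID used is a constructed value.

```python
import json
import re

# Constructed copy of the policy document from this section, placeholders left in place.
POLICY_TEMPLATE = """{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:BatchGetItem", "dynamodb:DescribeTable",
                   "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"],
        "Resource": ["arn:aws:dynamodb:<your-region>:<your-aws-accountid>:table/user-visits"]
    }]
}"""

# The five read-only actions the policy is meant to grant, and nothing else.
READ_ONLY_ACTIONS = {"dynamodb:BatchGetItem", "dynamodb:DescribeTable",
                     "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"}

# A single-table DynamoDB ARN: region, 12-digit account ID, explicit table name (no wildcard).
TABLE_ARN_RE = re.compile(r"^arn:aws:dynamodb:[a-z]{2}-[a-z]+-\d:\d{12}:table/[A-Za-z0-9_.-]+$")


def render_policy(template, region, account_id):
    """Fill in the two placeholders the text tells you to replace."""
    return template.replace("<your-region>", region).replace("<your-aws-accountid>", account_id)


def policy_findings(policy_json):
    """Return a list of least-privilege problems; an empty list means the policy is scoped as intended."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access, so they are not checked here
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if "*" in action:
                findings.append(f"wildcard action {action!r}")
            elif action not in READ_ONLY_ACTIONS:
                findings.append(f"non-read action {action!r}")
        for resource in resources:
            if "<" in resource:
                findings.append(f"unfilled placeholder in {resource!r}")
            elif not TABLE_ARN_RE.match(resource):
                findings.append(f"resource is not a single DynamoDB table ARN: {resource!r}")
    return findings
```

Run policy_findings over the rendered document before calling the CLI; an empty result means the policy still grants only the five read actions on the one named table.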
