Besides locking down an entire table, what if we want to block specific attributes so that sensitive data is not leaked by accident? Perhaps we can start by adding a `ForAnyValue:StringEquals` condition that limits which attributes a Scan may return.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListTableForConsole",
      "Effect": "Allow",
      "Action": [
        "dynamodb:ListTables"
      ],
      "Resource": [
        "arn:aws:dynamodb:*:262969866776:table/*"
      ]
    },
    {
      "Sid": "DescribeTableForConsole",
      "Effect": "Allow",
      "Action": [
        "dynamodb:DescribeTable"
      ],
      "Resource": [
        "arn:aws:dynamodb:*:262969866776:table/Articles"
      ]
    },
    {
      "Sid": "AllowDynamodbQuery",
      "Effect": "Allow",
      "Action": [
        "dynamodb:Scan",
        "dynamodb:Query"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:262969866776:table/Articles",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "dynamodb:Attributes": [
            "ArticleId",
            "ColumnId",
            "Content",
            "CreatedAt",
            "Summary",
            "Title",
            "Url"
          ]
        }
      }
    }
  ]
}
```
But after adding it, nothing changed: every row was still fully visible QQ.

Next attempt: add `"dynamodb:Select": "SPECIFIC_ATTRIBUTES"` so that Scan and Query may only request specific columns.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListTableForConsole",
      "Effect": "Allow",
      "Action": [
        "dynamodb:ListTables"
      ],
      "Resource": [
        "arn:aws:dynamodb:*:262969866776:table/*"
      ]
    },
    {
      "Sid": "DescribeTableForConsole",
      "Effect": "Allow",
      "Action": [
        "dynamodb:DescribeTable"
      ],
      "Resource": [
        "arn:aws:dynamodb:*:262969866776:table/Articles"
      ]
    },
    {
      "Sid": "AllowDynamodbQuery",
      "Effect": "Allow",
      "Action": [
        "dynamodb:Scan",
        "dynamodb:Query"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:262969866776:table/Articles",
      "Condition": {
        "StringEquals": {
          "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
        }
      }
    }
  ]
}
```
Testing this for real, the data is now sealed off: we no longer see every column the way we did at the start!

So how do we read data at all now? Choose "Specific attributes" and pick the attributes you want to search on, and the data you want to see can be pulled out.

But the goal of this article is to block a specific attribute. Suppose we do not want users to see `Author`: with this method they can still retrieve `Author`, so aren't we just fooling ourselves?!

In fact, all it takes is one additional `Deny` statement with a `ForAnyValue:StringEquals` condition naming the attributes, and users are prevented from obtaining those attributes during Scan and Query.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListTableForConsole",
      "Effect": "Allow",
      "Action": [
        "dynamodb:ListTables"
      ],
      "Resource": [
        "arn:aws:dynamodb:*:262969866776:table/*"
      ]
    },
    {
      "Sid": "DescribeTableForConsole",
      "Effect": "Allow",
      "Action": [
        "dynamodb:DescribeTable"
      ],
      "Resource": [
        "arn:aws:dynamodb:*:262969866776:table/Articles"
      ]
    },
    {
      "Sid": "AllowDynamodbQuery",
      "Effect": "Allow",
      "Action": [
        "dynamodb:Scan",
        "dynamodb:Query"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:262969866776:table/Articles",
      "Condition": {
        "StringEquals": {
          "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
        }
      }
    },
    {
      "Sid": "DenyIfAttributesNotSpecified",
      "Effect": "Deny",
      "Action": [
        "dynamodb:Scan",
        "dynamodb:Query"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:262969866776:table/Articles",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "dynamodb:Attributes": [
            "Author"
          ]
        }
      }
    }
  ]
}
```
Search again and you can see that `Author` is now sealed off.

Reading the other attributes still works fine, so this achieves the effect of attribute-level permissions.

This design does have one inconvenience, however: users must know in advance which attributes exist in order to query correctly, and the system cannot intelligently return only the attributes a user is permitted to access when they ask for every column. In other words, the user has to name the columns precisely in the query; otherwise the request may return nothing at all for lack of permission, instead of automatically showing only the permitted part.
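To make the two-statement behaviour concrete, here is an added simulation (not AWS code, and not from the original post) of how IAM evaluates the final policy against a few Scan/Query request contexts: the Allow matches only when `dynamodb:Select` is `SPECIFIC_ATTRIBUTES`, and the explicit Deny fires whenever `Author` is among `dynamodb:Attributes`. The table ARN uses a constructed placeholder account id, and the request contexts are constructed to mirror what a projection does.

```python
# Added example: minimal IAM evaluation of the page's final policy.
# The account id in TABLE is a constructed placeholder, not a real account.
import fnmatch

TABLE = "arn:aws:dynamodb:us-east-1:111122223333:table/Articles"

POLICY = [
    {"Effect": "Allow", "Action": ["dynamodb:Scan", "dynamodb:Query"], "Resource": TABLE,
     "Condition": {"StringEquals": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"}}},
    {"Effect": "Deny", "Action": ["dynamodb:Scan", "dynamodb:Query"], "Resource": TABLE,
     "Condition": {"ForAnyValue:StringEquals": {"dynamodb:Attributes": ["Author"]}}},
]

def condition_matches(cond, ctx):
    """Evaluate the two operators the policy uses. A key absent from the request
    context never matches: StringEquals is false and ForAnyValue finds no value."""
    for op, keys in cond.items():
        for key, wanted in keys.items():
            present = ctx.get(key)
            if op == "StringEquals":
                if present != wanted:
                    return False
            elif op == "ForAnyValue:StringEquals":
                if not set(present or []) & set(wanted):
                    return False
            else:
                raise ValueError(f"operator not modelled: {op}")
    return True

def evaluate(policy, action, resource, ctx):
    """Explicit Deny overrides Allow; no matching statement is an implicit deny."""
    decision = "implicit-deny"
    for stmt in policy:
        if action not in stmt["Action"] or not fnmatch.fnmatch(resource, stmt["Resource"]):
            continue
        if not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit-deny"
        decision = "allow"
    return decision

def scan_request(attrs=None):
    """Constructed request context: a projection sets Select=SPECIFIC_ATTRIBUTES and
    populates dynamodb:Attributes; a plain Scan is modelled as Select=ALL_ATTRIBUTES."""
    if attrs is None:
        return {"dynamodb:Select": "ALL_ATTRIBUTES"}
    return {"dynamodb:Select": "SPECIFIC_ATTRIBUTES", "dynamodb:Attributes": list(attrs)}

if __name__ == "__main__":
    for attrs in (None, ["Title", "Summary"], ["Title", "Author"]):
        print(attrs, "->", evaluate(POLICY, "dynamodb:Scan", TABLE, scan_request(attrs)))
```

The first case is the inconvenience noted above: a Scan that asks for every column is not denied because of `Author`, it simply matches no Allow and gets nothing.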