100-Days-Of-DevOps-Challenge-KodeKloud

Attach IAM Policy for DynamoDB Access Using Terraform

The DevOps team has been tasked with creating a secure DynamoDB table and enforcing fine-grained access control using IAM. This setup will allow secure and restricted access to the table from trusted AWS services only.

As a member of the Nautilus DevOps Team, your task is to perform the following using Terraform:

1. Create a DynamoDB Table: Create a table named devops-table with minimal configuration.

2. Create an IAM Role: Create an IAM role named devops-role that will be allowed to access the table.

3. Create an IAM Policy: Create a policy named devops-readonly-policy that should grant read-only access (GetItem, Scan, Query) to the specific DynamoDB table and attach it to the role.

4. Create the main.tf file (do not create a separate .tf file) to provision the table, role, and policy.

5. Create the variables.tf file with the following variables:

   • KKE_TABLE_NAME: name of the DynamoDB table
   • KKE_ROLE_NAME: name of the IAM role
   • KKE_POLICY_NAME: name of the IAM policy

6. Create the outputs.tf file with the following outputs:

   • kke_dynamodb_table: name of the DynamoDB table
   • kke_iam_role_name: name of the IAM role
   • kke_iam_policy_name: name of the IAM policy

7. Define the actual values for these variables in the terraform.tfvars file.

8. Ensure that the IAM policy allows only read access and restricts it to the specific DynamoDB table created.

Notes:

1. The Terraform working directory is /home/bob/terraform.

2. Right-click under the EXPLORER section in VS Code and select Open in Integrated Terminal to launch the terminal.

3. Before submitting the task, ensure that terraform plan returns No changes. Your infrastructure matches the configuration.

Steps

1. Let’s create the terraform.tfvars with these values:

    KKE_TABLE_NAME = "devops-table"
    KKE_ROLE_NAME = "devops-role"
    KKE_POLICY_NAME = "devops-readonly-policy"
   

2. Let’s create the variables.tf for these variable:

    variable "KKE_TABLE_NAME" {}
    variable "KKE_ROLE_NAME" {}
    variable "KKE_POLICY_NAME" {}
   

3. Now, let’s create the main.tf file and copy-paste contents form this terraform file

4. Now, let’s create the outputs.tf file with these contents:

    output "kke_dynamodb_table" {
        value = aws_dynamodb_table.kk_dynamodb.name
    }
   
    output "kke_iam_role_name" {
        value = aws_iam_role.kk_role.name
    }
   
    output "kke_iam_policy_name" {
        value = aws_iam_policy.kk_policy.name
    }
   

5. Let’s run the terraform action commands:

    terraform init
    terraform plan
    terraform apply -auto-approve
   

Video

• Watch youtube video: https://youtu.be/sTSISjMQBjg

Referrence

• DynamoDB Table
• IAM Role
• IAM Policy
• IAM Role Policy Attachment
• Terraform Outputs
• AWS Policy Generator

Good To Know

DynamoDB IAM Policy Best Practices

• Resource Specificity: Always use specific table ARNs instead of "*" for production security
• Sub-resource Access: Include "${table_arn}/*" to access indexes, streams, and other table sub-resources
• Read-only Actions: Stick to GetItem, BatchGetItem, Query, Scan, DescribeTable for true read-only access
• Avoid Wildcards: dynamodb:List* and dynamodb:Describe* can expose account-wide information

Common IAM Policy Issues

• Policy Attachment: Use aws_iam_role_policy_attachment instead of aws_iam_policy_attachment
• Resource Array: DynamoDB often requires both table ARN and table_arn/* for complete access
• Minimal Permissions: Start with basic actions and add only what’s needed
• Validation Errors: AWS console may reject wildcard actions that work in practice

Terraform Variables Best Practices

• String Values: Always quote string values in terraform.tfvars files
• Variable Declaration: Use variable "name" {} syntax in variables.tf
• Output Values: Reference resource attributes like aws_dynamodb_table.name.name

DynamoDB Table Configuration

• Minimal Setup: Only name, hash_key, billing_mode, and attribute are required
• Pay-per-Request: Use PAY_PER_REQUEST for variable workloads
• Hash Key: Must match an attribute definition
• Attribute Types: S (String), N (Number), B (Binary)

Security Considerations

• Principle of Least Privilege: Grant only necessary permissions
• Table-specific Access: Restrict policies to specific resources
• Trust Policies: Define which services can assume the role
• Regular Audits: Review and update permissions periodically

This site is open source. Improve this page.