AWS DynamoDB Tables, EC2 and IAM role access control

Christopher Lawshe
5 min read · Nov 26, 2022


For this project I created a DynamoDB table and configured it to be accessible from an EC2 instance with an IAM role. To duplicate the work below, you must have access to an AWS account (free tier is fine).

STEP 1: Create and populate the DynamoDB table (Welcome to the League!)

First, I created the DynamoDB table in the AWS console from the DynamoDB Dashboard. I decided ahead of time that my table would be themed after NBA teams to show a basic use case.

Start by clicking the ‘Create table’ button from the DynamoDB Dashboard
Next, it is necessary to give the table a name and define the Partition key and Sort key.

For simplicity, I chose to leave the data types for both keys as a string for this example. Once these options were selected, I clicked the ‘Create table’ button at the bottom of the screen and the table was created successfully.

The green bar at the top indicates a successfully created table

Next, I accessed my table and created items to populate the table.

For my table, I chose to use NBA basketball teams and their current win totals to populate the table. Since the LA Lakers are my favorite team, they went into the table first. (Please forgive the low win total. I am coping as best I can.) After filling in the two required fields, I clicked ‘create item’.

The Partition Key will be the name of the team and the Sort Key will be the total wins for the season.

The resulting screen shows that the item was added to the table.

The items were successfully populated into the table

I repeated this process 9 more times to get a total of 10 teams and their win totals into my table.

STEP 2: Grant EC2 instance Read access with IAM (The perfect setup pass!)

For the next step, I needed to create an EC2 instance to assign my IAM role to. For info on how to do this, follow this link to Amazon’s official documentation on the entire process. For this project, I used the Amazon Linux AMI and the t2.micro instance type, enabled SSH connections to the EC2 instance and left the other options at their defaults. (Only select free tier options.)

Next I went to the IAM Dashboard and navigated to the ‘Roles’ page from the left-panel menu. Once there, I clicked the ‘Create role’ button in the top-left area of the screen.

On the following screen, I had to make sure the trusted entity type was set to ‘AWS Service’ and the use case was set to ‘EC2’, then click the ‘Next’ button.

On the next screen I needed to assign the correct permission policy to give my EC2 instance Read Only access to my table. To do so I typed “DynamoDB” in the text field, selected the AmazonDynamoDBReadOnlyAccess policy name and clicked ‘Next’.

On the following page I had to give my role a name and then clicked ‘Create Role’.

Next I had to go back to the EC2 Dashboard and click the check-box next to my new EC2 instance. Then I clicked ‘Actions > Security > Modify IAM Role’.

On the next screen I selected my newly created role as the IAM role and clicked ‘Update IAM Role’.

The following screen shows that the role was successfully attached to the EC2 instance.

STEP 3: Test the access rights of the EC2 instance to DynamoDB table (Can I score?!)

The final stage of my project was to test that my configuration worked. For this, I needed to connect to my EC2 instance and access the CLI to run a couple of commands. To do so I selected my EC2 instance and clicked the ‘Connect’ button.

The resulting screen gives detailed instructions on how to connect to the EC2 instance via SSH.

Once connected to my EC2 instance, I first wanted to verify that my policy restricts writing to the table from the EC2 instance. To do so I typed the below command into the AWS CLI and got the result shown in the image below:

 aws dynamodb put-item --table-name Week8 --region us-east-1 --item '{"TeamName": {"S": "Thunder"},"Wins": {"S": "8"}}'

The error result indicates that the role is working correctly and denying requests to write to the table from my EC2 instance.

Finally, I needed to test that I am able to read contents of the table from the EC2 instance. To do so I typed the below command into the AWS CLI and got the following result shown in the image below:

 aws dynamodb scan --table-name Week8 --region us-east-1

The table values are returned to the CLI window and prove that my role permissions allow for Read access from the EC2 instance. With this, the project was complete! NOTHING BUT NET!
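As an added example (not part of the original post), here are the two policy documents behind the role from step 2, with the permissions policy scoped to the single Week8 table instead of the account-wide managed AmazonDynamoDBReadOnlyAccess policy, plus a small local check that reproduces the step 3 results: scan allowed, put-item denied. The account id and the resulting table ARN are assumed placeholders.

```python
import fnmatch
import json

# Assumed values (not from the original post): account id used to build the table ARN.
TABLE_NAME = "Week8"
TABLE_ARN = f"arn:aws:dynamodb:us-east-1:123456789012:table/{TABLE_NAME}"

# Trust policy: only the EC2 service may assume the role. This is what the console's
# "AWS service / EC2" trusted-entity choice produces.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy scoped to one table. The managed AmazonDynamoDBReadOnlyAccess
# policy grants read actions on every table in the account; this one does not.
READ_ONLY_ONE_TABLE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadWeek8Only",
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query",
                   "dynamodb:Scan", "dynamodb:DescribeTable"],
        "Resource": TABLE_ARN,
    }],
}

def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified local evaluation of one identity policy: implicit deny unless an
    Allow statement matches both action and resource, and an explicit Deny wins.
    Handles '*' wildcards only; Condition blocks are not modelled."""
    def as_list(v):
        return v if isinstance(v, list) else [v]
    allowed = False
    for stmt in policy["Statement"]:
        act_ok = any(fnmatch.fnmatchcase(action, a) for a in as_list(stmt["Action"]))
        res_ok = any(fnmatch.fnmatchcase(resource, r) for r in as_list(stmt["Resource"]))
        if act_ok and res_ok:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

if __name__ == "__main__":
    print(json.dumps(READ_ONLY_ONE_TABLE, indent=2))
    print("scan:", is_allowed(READ_ONLY_ONE_TABLE, "dynamodb:Scan", TABLE_ARN))
    print("put-item:", is_allowed(READ_ONLY_ONE_TABLE, "dynamodb:PutItem", TABLE_ARN))
```

For the authoritative answer against a live role, `aws iam simulate-principal-policy` evaluates the role's attached policies for a list of actions without actually calling DynamoDB.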

Written by Christopher Lawshe

IT enthusiast — looking to learn from and connect with IT professionals to help push the world forward through Cloud DevOps
