Using AWS IAM roles with EC2 and DynamoDB

Jennelle
Published in AWS Tip
5 min read · Apr 3, 2022


Objectives: Create a table with data in DynamoDB, then use an EC2 instance that carries a read-only access role to scan the table and validate that the access really is read-only.

This process can be completed in either the AWS Console or AWS CLI.

For the purpose of this exercise, I have chosen to use the new AWS Console until the final two steps of scanning and validating read-only access. The final two steps will be completed using the AWS CLI.

Steps Overview:

  1. Create a table in DynamoDB with 10+ items added
  2. In EC2, create a t2.micro instance
  3. Create an IAM role to grant EC2 read-only access to DynamoDB
  4. Use AWS CLI and EC2 to scan the DynamoDB table
  5. Use AWS CLI and EC2 to validate read-only access

Step 1: Create a table in DynamoDB with 10+ items added

  • In the AWS Console, navigate to DynamoDB and select Tables → Create table.
  • Under Table details, enter a name to identify the table and a partition key. Since the partition key represents a value that must be unique for each item in the table, I chose to use pages for my 2022_booksread table.
  • After the table has been created, click on the table name and select Actions → Create item in the dropdown menu.
  • List each item's attributes and their types (string, number, etc.) by clicking Add new attribute. Click Create item and repeat this process for each item in the table.

Step 2: Create a t2.micro EC2 instance.

  • In the search bar of the console, navigate to EC2 and launch a t2.micro instance. Continue through the following steps:
[Screenshot: From the EC2 dashboard, select Instances → Launch instances]
[Screenshot: Step 1: Choose AMI]

Step 3: Create an IAM role to grant EC2 read-only access to DynamoDB

  • In step 3 of launching the EC2 instance, be sure to select a subnet from an Availability Zone in the region of the instance. The default subnet will prevent a scan from being completed in Instance Connect later on.
[Screenshot: Step 2: Choose Instance Type]
[Screenshot: Step 3: Configure Instance → Create new IAM role]
  • After clicking Create new IAM role, the IAM dashboard will open in a new tab. Click Create role to search and attach read-only access permissions for EC2.
  • On the first step of creating a role, keep the default trusted entity type (AWS service), select EC2 under use case, then click Next.
  • On the second step, search for DynamoDB and select the policy that provides read-only access.
[Screenshot: AmazonDynamoDBReadOnlyAccess policy]
  • After verifying the correct policy has been applied, name the role and click Create role.
  • Return to EC2, refresh the roles and attach the newly created role from the drop-down menu.
  • The next two steps, 4. Add storage and 5. Add tags, are optional.
  • Step 6 lets you select an existing security group or create a new one. For this exercise, I used the security group created by the launch wizard because it allows inbound SSH traffic by default, which is necessary when connecting to the instance using EC2 Instance Connect later. Note that the wizard's default rule allows SSH from any source address, so restrict it to your own IP range if the instance will stay up after the exercise.
  • When you attempt to launch the instance, a prompt asks you to create a new key pair, select an existing key pair, or proceed without a key pair. I opted to use an existing key pair for this demonstration. Click Launch instances.

Step 4: Use AWS CLI and EC2 to scan the DynamoDB table.

  • Once the instance is running, click on the instance id and select Connect.
  • On the next screen, keep all defaults and select Connect.
  • Once connected to the instance, enter the following command to scan the table created in DynamoDB:
$ aws dynamodb scan --table-name <tablename> --region <your-region>
The command returned my table data.
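The scan output and the put-item argument in the next step both use DynamoDB's typed JSON, where every attribute is wrapped in a type tag such as {"S": ...} or {"N": ...}. The following helper, added here and not part of the original post, converts between plain Python values and that format, so you can parse what the scan returns and build a syntactically valid --item argument instead of hand-writing the JSON. The sample scan output is constructed for the example (the page count is invented, not the real one).

```python
"""Added example (not from the original post): convert between plain Python
values and the DynamoDB typed-JSON format that `aws dynamodb scan` prints and
`aws dynamodb put-item --item` expects."""
import json
from decimal import Decimal


def to_typed(value):
    """Plain value -> DynamoDB attribute value, e.g. 42 -> {"N": "42"}."""
    if isinstance(value, bool):          # bool before int: True is an int in Python
        return {"BOOL": value}
    if value is None:
        return {"NULL": True}
    if isinstance(value, str):
        return {"S": value}
    if isinstance(value, (int, float, Decimal)):
        return {"N": str(value)}         # numbers always travel as strings
    if isinstance(value, list):
        return {"L": [to_typed(v) for v in value]}
    if isinstance(value, dict):
        return {"M": {k: to_typed(v) for k, v in value.items()}}
    raise TypeError(f"unsupported type: {type(value).__name__}")


def from_typed(attr):
    """DynamoDB attribute value -> plain value; inverse of to_typed."""
    (tag, inner), = attr.items()
    if tag in ("S", "BOOL"):
        return inner
    if tag == "N":
        return int(inner) if inner.lstrip("-").isdigit() else Decimal(inner)
    if tag == "NULL":
        return None
    if tag == "L":
        return [from_typed(v) for v in inner]
    if tag == "M":
        return {k: from_typed(v) for k, v in inner.items()}
    raise ValueError(f"unsupported attribute type: {tag}")


def item_to_cli_json(item):
    """Build the JSON for `aws dynamodb put-item --item` (single-quote it in the shell)."""
    return json.dumps({k: to_typed(v) for k, v in item.items()})


def parse_scan_output(raw):
    """Turn the JSON printed by `aws dynamodb scan` into a list of plain dicts."""
    data = json.loads(raw)
    return [{k: from_typed(v) for k, v in it.items()} for it in data["Items"]]


# Constructed sample of scan output; the page count is an invented value.
SAMPLE_SCAN_OUTPUT = """{
  "Items": [
    {"pages": {"N": "500"}, "title": {"S": "False Witness"}, "author": {"S": "Karin Slaughter"}}
  ],
  "Count": 1, "ScannedCount": 1, "ConsumedCapacity": null
}"""


if __name__ == "__main__":
    for row in parse_scan_output(SAMPLE_SCAN_OUTPUT):
        print(row)
    print(item_to_cli_json({"pages": 500, "title": "False Witness", "author": "Karin Slaughter"}))
```

Run it and paste the printed item_to_cli_json result into the --item argument of the put-item command; since the table's partition key is pages, the item must always carry that attribute.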

Step 5: Use AWS CLI and EC2 to validate read-only access

To test the read-only role set for EC2, use the following command to try to write a new item to the table (the item must include the table's partition key, pages):

$ aws dynamodb put-item --table-name 2022_booksread --item '{"pages": {"N": "<pages>"}, "title": {"S": "False Witness"}, "author": {"S": "Karin Slaughter"}}' --region <your-region> --return-consumed-capacity TOTAL

The put-item call is rejected with an access-denied error, which shows that the IAM role was set up correctly.
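To see why Step 4 succeeds and Step 5 fails before touching a live account, the following added example (mine, not code from the original post) models the role created in Step 3: the EC2 trust policy and a permissions policy scoped to the single table, evaluated with a simplified IAM allow/deny check. The table ARN, account id and region are constructed placeholders, and the evaluator ignores Conditions, NotAction/NotResource, permission boundaries and SCPs. It also goes one step beyond the post: the managed AmazonDynamoDBReadOnlyAccess policy grants its read actions on every table in the account, whereas the table-scoped policy here denies even a Scan of any other table.

```python
"""Added example (not from the original post): model the IAM role from Step 3
and evaluate offline what the Scan of Step 4 and the PutItem of Step 5 will be
allowed to do. ARN, account id and region below are constructed placeholders."""
import fnmatch
import json

TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/2022_booksread"  # constructed

# Trust policy: who may assume the role. Choosing "AWS service / EC2" in Step 3 produces this.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def table_readonly_policy(table_arn):
    """Permissions policy granting read actions on one table and its indexes.
    The managed AmazonDynamoDBReadOnlyAccess policy used in the post grants its
    read actions on Resource "*", i.e. every table in the account; scoping the
    Resource to a single table ARN is the tighter least-privilege form."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query",
                       "dynamodb:Scan", "dynamodb:DescribeTable"],
            "Resource": [table_arn, table_arn + "/index/*"],
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    # IAM wildcards: "*" matches any run of characters, "?" exactly one.
    # Action names are matched case-insensitively, resource ARNs case-sensitively.
    patterns = _as_list(patterns)
    if not case_sensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policies, action, resource):
    """Simplified IAM evaluation: everything is implicitly denied, an explicit
    Deny always wins, otherwise a matching Allow grants access. Conditions,
    NotAction/NotResource, permission boundaries and SCPs are not modelled."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt.get("Action", []), action, case_sensitive=False):
                continue
            if not _matches(stmt.get("Resource", []), resource, case_sensitive=True):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def check_role(table_arn):
    """What the instance role may do against the table: mirrors Steps 4 and 5."""
    policies = [table_readonly_policy(table_arn)]
    return {
        "dynamodb:Scan": is_allowed(policies, "dynamodb:Scan", table_arn),
        "dynamodb:PutItem": is_allowed(policies, "dynamodb:PutItem", table_arn),
    }


if __name__ == "__main__":
    print(json.dumps(EC2_TRUST_POLICY, indent=2))
    print(json.dumps(table_readonly_policy(TABLE_ARN), indent=2))
    print(check_role(TABLE_ARN))  # {'dynamodb:Scan': True, 'dynamodb:PutItem': False}
```

The two JSON documents printed are the shapes you would pass to the console or CLI when creating the role by hand (trust policy on the role, permissions policy attached to it); the final line is the offline counterpart of running the scan and the put-item from the instance.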

This walkthrough shows how IAM roles can be utilized for the principle of least privilege, allowing only enough access to be able to complete a task.
