Using DynamoDB as an Append-Only Database


Leveraging IAM policies to achieve an append-only database

Amazon DynamoDB is a managed NoSQL database service provided by AWS. While it offers a wide range of capabilities, one interesting use-case is to configure it as an append-only database. This approach ensures that once data is written, it cannot be modified or deleted, thereby preserving the integrity and history of the data.

In this article, we'll walk you through how to set up DynamoDB as an append-only database using AWS IAM policies and demonstrate its behavior.

Setting Up the IAM Policy

To achieve the append-only behavior, we need to create an IAM policy that allows only insert and read operations on DynamoDB and grants no update or delete permissions; because IAM rejects any action that is not explicitly allowed, update and delete requests are implicitly denied.

Here's how you can set up the policy:

POLICY_ARN=`aws iam create-policy \
--policy-name AppendOnlyDynamoDB \
--policy-document '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DynamoDBIndexAndStreamAccess",
            "Effect": "Allow",
            "Action": [
                "dynamodb:PartiQLInsert",
                "dynamodb:PartiQLSelect",
                "dynamodb:ConditionCheckItem",
                "dynamodb:Scan",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:DescribeTable",
                "dynamodb:BatchGetItem",
                "dynamodb:GetShardIterator",
                "dynamodb:DescribeStream",
                "dynamodb:GetRecords",
                "dynamodb:ListStreams",
                "dynamodb:ListTables"
            ],
            "Resource": "*"
        }
    ]
}' \
--output text \
--query Policy.Arn`

Creating a User and Attaching the Policy

Once the policy is created, we'll create a new IAM user and attach the policy to it:

USER_NAME=`aws iam create-user --user-name AppendUser --output text --query User.UserName`

aws iam attach-user-policy --user-name $USER_NAME --policy-arn $POLICY_ARN

Configuring AWS CLI

Next, we'll configure the AWS CLI to use the credentials of the newly created user:

# Prints the new AccessKeyId and SecretAccessKey; keep them out of shell history and logs
aws iam create-access-key --user-name $USER_NAME

# Enter the two values from the previous command at the prompts; the profile name is used in the tests below
aws configure --profile append-only

Testing the Append-Only Behavior

With everything set up, let's test our append-only configuration:

Inserting Data:

aws dynamodb execute-statement \
--statement "INSERT INTO Music VALUE {'Artist':'Acme Band','SongTitle':'PartiQL Rocks'}" \
--profile append-only

This will insert a new record into the Music table.

Trying to Insert Duplicate Data:

aws dynamodb execute-statement \
--statement "INSERT INTO Music VALUE {'Artist':'Acme Band','SongTitle':'PartiQL Rocks'}" \
--profile append-only

As expected, this throws a DuplicateItemException because an item with that primary key already exists. A PartiQL INSERT never overwrites an existing item, which is why the policy grants dynamodb:PartiQLInsert rather than dynamodb:PutItem or dynamodb:BatchWriteItem: PutItem replaces an item that has the same key, so allowing it would let existing history be rewritten.

Attempting to Update Data:

aws dynamodb execute-statement \
--statement "UPDATE Music SET AwardsWon=1 \
            SET AwardDetail={'Grammys':[2020, 2018]} \
            WHERE Artist='Acme Band' AND SongTitle='PartiQL Rocks'" \
--profile append-only

This results in an AccessDeniedException because our policy does not grant dynamodb:PartiQLUpdate (or dynamodb:UpdateItem), so the request is implicitly denied.

Trying to Delete Data:

aws dynamodb execute-statement \
--statement "DELETE FROM Music WHERE Artist='Acme Band' AND SongTitle='PartiQL Rocks'" \
--profile append-only

Similarly, this also results in an AccessDeniedException, because dynamodb:PartiQLDelete (and dynamodb:DeleteItem) is not in the policy's allow list.
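As an added example (not part of the original article), here is an offline check in Python of the policy document above: a simplified IAM evaluator that applies the explicit Deny > Allow > implicit deny rule with wildcard action matching, then asks whether any in-place write or table-deletion action slips through. It models Action matching only; Resource, Condition and NotAction elements are ignored, and the embedded policy is a copy of the article's document used as test input.

```python
# Added example: a simplified offline IAM evaluator (explicit Deny > Allow >
# implicit deny, wildcard action matching) run over the article's policy.
import fnmatch
import json

# The AppendOnlyDynamoDB policy document from the article, embedded as test input.
APPEND_ONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DynamoDBIndexAndStreamAccess", "Effect": "Allow", "Resource": "*",
    "Action": ["dynamodb:PartiQLInsert", "dynamodb:PartiQLSelect",
               "dynamodb:ConditionCheckItem", "dynamodb:Scan", "dynamodb:Query",
               "dynamodb:GetItem", "dynamodb:DescribeTable", "dynamodb:BatchGetItem",
               "dynamodb:GetShardIterator", "dynamodb:DescribeStream",
               "dynamodb:GetRecords", "dynamodb:ListStreams", "dynamodb:ListTables"]
  }]
}""")

# Actions that would let a principal rewrite or erase history; an append-only
# policy must allow none of them.
MUTATING_ACTIONS = [
    "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem",
    "dynamodb:BatchWriteItem", "dynamodb:PartiQLUpdate", "dynamodb:PartiQLDelete",
    "dynamodb:DeleteTable",
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def evaluate(policy, action):
    """Return 'allowed', 'explicitDeny' or 'implicitDeny' for one action.
    Only Action matching is modelled; Resource, Condition and NotAction are ignored."""
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        patterns = _as_list(stmt.get("Action", []))
        # IAM matches action names case-insensitively, with * and ? wildcards.
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"  # an explicit Deny always wins
        decision = "allowed"
    return decision

def append_only_violations(policy, actions=MUTATING_ACTIONS):
    """Return the mutating actions the policy allows; an empty list means append-only."""
    return [a for a in actions if evaluate(policy, a) == "allowed"]

if __name__ == "__main__":
    print("violations:", append_only_violations(APPEND_ONLY_POLICY))  # prints []
```

For a check against the live account, `aws iam simulate-principal-policy --policy-source-arn <user-arn> --action-names dynamodb:UpdateItem dynamodb:DeleteItem ...` returns the IAM service's own EvalDecision for each action, including any Resource or Condition effects this simplified evaluator skips.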

Conclusion

By carefully crafting IAM policies, you can configure Amazon DynamoDB to act as an append-only database. This ensures that data, once written, remains immutable for the principals bound to the policy, providing a reliable historical record of all entries. Note that the policy constrains only the users and roles it is attached to: any principal with broader DynamoDB permissions can still update or delete items, or delete the table itself, so the guarantee is only as strong as the access controls on every other principal in the account. Whether you're looking to maintain data integrity, comply with regulatory requirements, or simply keep an unalterable history of transactions, this approach offers a robust solution.