How to create a DynamoDB table and grant AWS EC2 Read-Only Access
Hello, everyone. Welcome to Week 8 in Level Up In Tech. For this week’s project, we have been tasked with creating an Amazon DynamoDB table and adding ten movies to it as items. We should be able to scan the table from an Amazon EC2 instance. The instance must not hold any long-lived credentials: it assumes an IAM role that grants only read access to DynamoDB, and we will verify from the instance that reads succeed and that write operations are denied.
Prerequisites:
- An AWS account with an IAM user with admin privileges and IAM credentials.
- Basic Linux command knowledge.
Objectives:
- Create a DynamoDB table
- Add 10 or more items to the table
- Create a t2.micro EC2 instance
- Using an IAM role and the principle of least privilege, grant the EC2 instance read access to DynamoDB.
- Use the AWS CLI in the EC2 instance to scan the DynamoDB table.
- Use the AWS CLI in the EC2 instance to validate you cannot write an item to the DynamoDB table.
What is DynamoDB?
Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. Because it is fully managed, AWS takes care of hardware provisioning, setup and configuration, replication, software patching and cluster scaling, and the service offers encryption at rest and on-demand backups. You create tables that can store and retrieve any amount of data and serve any level of request traffic, and you can scale a table’s throughput capacity up or down without downtime or performance degradation.
IAM roles are the right way for an EC2 instance to access other AWS resources (S3, SQS, Lambda, DynamoDB and so on).
You don’t have to hard-code IAM access keys in application code or store them on the instance. Instead, you attach an IAM role (via an instance profile) with the required permissions to the EC2 instance. The instance retrieves short-lived, automatically rotated credentials for that role from the instance metadata service, and the AWS CLI and SDKs installed on the instance pick them up without any configuration. The role’s policy, not a key file, defines exactly what the instance is allowed to do.
Step 1: Create a DynamoDB Table.
Navigate to AWS Console Home, and Search Amazon DynamoDB. Click “Create Table” to get started.
Next, provide the table name and the primary key. The partition key is required; it is the attribute DynamoDB hashes to place the item, and on its own it must be unique across the table (a simple primary key). You can optionally add a sort key, which forms a composite primary key together with the partition key: several items may then share a partition key as long as their sort key differs, and queries can return items in sort-key order or filter on a range of sort-key values.
Follow the steps above, select “Default settings”, then click “Create table”.
The image below shows that the table was created successfully. Select the table, then Actions > Explore items.
Step 2: Add 10 items to the table. Click “Create item”, enter the partition key, sort key and any other attributes for one movie, and click “Create item” to save it.
Repeat this process until all 10 movies are in the DynamoDB table.
The image above shows that all ten movies were added successfully. Now we can move on to the next step.
Step 3: Create a t2.micro EC2 instance
Navigate to EC2 dashboard > Launch Instance
Next, enter the name (Project6), then under Quick Start select Amazon Linux and a free-tier-eligible AMI.
Next, select the instance type (t2.micro, free tier eligible), choose the existing key pair Project-3-key, and select or create a security group. Only SSH is needed for this project, so allow inbound SSH (port 22) from your own IP address only; there is no reason to open HTTP and HTTPS, and the same least-privilege principle we apply to the IAM role applies to the security group. Then click Launch instance.
After the successful launch, click View all instances at the bottom right corner.
Step 4: Create an IAM Role and attach a read-only permissions policy for EC2
- Navigate to the IAM console → ‘Roles’ and click ‘Create role.’
- Under ‘Trusted entity type’ → Select ‘AWS service.’
- Under ‘Use case’ → Select EC2, then click ‘Next.
- Under ‘Permissions policies’, filter for ‘DynamoDB’, find and select ‘AmazonDynamoDBReadOnlyAccess’, then click ‘Next’. Note that this AWS managed policy grants read access to every DynamoDB table in the account, not just ours; it is good enough for this exercise, but a tighter policy would list only the read actions (GetItem, BatchGetItem, Query, Scan, DescribeTable) and name this table’s ARN as the resource.
- Give the role the name ‘DynamoDB_Project6’, then click ‘Create role’.
The image above shows that The IAM role was successfully created.
We then attach the role to our EC2 instance: select the instance, choose Actions > Security > Modify IAM role, pick DynamoDB_Project6 and click Update IAM role. From this point the instance can obtain temporary credentials for the role, which authorize read-only access to DynamoDB.
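The console clicks above can also be done from the AWS CLI, which makes the scope of the permission explicit. The script below is an added example, not part of the original post: it builds the same EC2 role, but with an inline policy that allows only read actions on one named table instead of the account-wide AmazonDynamoDBReadOnlyAccess policy, wraps the role in an instance profile, and associates it with the instance. The table name MyTopMovies, the region, the account ID 123456789012, the instance ID and the role name DynamoDB_Project6 are assumed values that you would replace; a small guard-rail function refuses any policy document that contains a write action or a wildcard resource.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): create a least-privilege EC2 role
# from the CLI. Assumed values below are placeholders; override them via the environment.
set -eu

REGION="${REGION:-us-east-1}"
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"          # assumed account id
TABLE_NAME="${TABLE_NAME:-MyTopMovies}"
ROLE_NAME="${ROLE_NAME:-DynamoDB_Project6}"
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}" # assumed instance id
TABLE_ARN="arn:aws:dynamodb:${REGION}:${ACCOUNT_ID}:table/${TABLE_NAME}"

# Trust policy: only the EC2 service may assume this role.
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Permissions policy: read-only actions, limited to this one table and its indexes.
table_read_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "dynamodb:GetItem",
      "dynamodb:BatchGetItem",
      "dynamodb:Query",
      "dynamodb:Scan",
      "dynamodb:DescribeTable"
    ],
    "Resource": ["${TABLE_ARN}", "${TABLE_ARN}/index/*"]
  }]
}
EOF
}

# Guard rail: succeed only if the document names no write action and no wildcard resource.
policy_is_read_only() {
  doc="$1"
  ! printf '%s\n' "$doc" | grep -Eq '"dynamodb:(PutItem|UpdateItem|DeleteItem|BatchWriteItem|\*)"' &&
  ! printf '%s\n' "$doc" | grep -q '"Resource": *"\*"'
}

create_and_attach_role() {
  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$(trust_policy)"
  aws iam put-role-policy --role-name "$ROLE_NAME" \
      --policy-name "ReadOnly-${TABLE_NAME}" \
      --policy-document "$(table_read_policy)"
  # The instance profile is the container that is actually attached to the instance.
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile \
      --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
  aws ec2 associate-iam-instance-profile --region "$REGION" \
      --instance-id "$INSTANCE_ID" --iam-instance-profile Name="$ROLE_NAME"
}

# The AWS calls run only when requested, so the policy helpers can be checked offline.
if [ "${RUN_AWS:-0}" = "1" ]; then
  policy_is_read_only "$(table_read_policy)" || { echo "policy is not read-only" >&2; exit 1; }
  create_and_attach_role
fi
```

Run it with `RUN_AWS=1` from a workstation whose credentials are allowed to create roles. A newly created instance profile can take a few seconds to become visible to EC2, so retry the associate call if it reports the profile does not exist.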
Step 5: SSH into the EC2 instance and verify that we have read access and not write access using the AWS CLI
- Navigate to EC2 → Instances and note the instance’s public IP.
- SSH into the instance.
- Using the AWS CLI from the EC2 instance, scan the DynamoDB table with the command below. Amazon Linux AMIs ship with the AWS CLI, and no aws configure step is needed: the CLI obtains the role’s temporary credentials from the instance metadata service.
cd c:\<where you saved your key pair>
ssh -i <keypairname>.pem ec2-user@<public IP>
Use the command below to scan our DynamoDB table:
aws dynamodb scan --table-name <name_of_dynamodb_table> --region us-east-1
aws dynamodb scan --table-name MyTopMovies --region us-east-1
We could read the entire DynamoDB table; scan returns every item, and the output is returned as JSON.
Now let’s verify that we cannot perform any write operation on our DynamoDB table, using the command below (the item must include both key attributes, and the two attributes are separated by a comma):
aws dynamodb put-item --table-name <table_name> --item '{"<partition_key>": {"S": "<value>"}, "<sort_key>": {"S": "<value>"}}' --region us-east-1
aws dynamodb put-item --table-name MyTopMovies --item '{"Top movies": {"S": "Top Gun"}, "Top Ten Movies": {"S": "A good soldier movie"}}' --region us-east-1
The put-item command returned an AccessDeniedException, verifying that the role grants read-only permissions. Two details are worth checking in the error text. First, the denial is issued by IAM before the request reaches the table: the message names the caller as the assumed role (assumed-role/DynamoDB_Project6/…) and the refused action as dynamodb:PutItem. If the caller shown were an IAM user rather than the role, the CLI was picking up leftover static keys on the instance, and the test would prove nothing about the role. Second, the error must be AccessDeniedException and not ValidationException: a ValidationException means the write was authorized and only rejected because the item or the key names did not match the table’s schema.
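The three checks above (credentials come from the role, scan works, put-item is refused by IAM for this role) can be scripted so the verification is repeatable. The script below is an added example, not part of the original post; it assumes the table MyTopMovies in us-east-1 with partition key “Top movies” and sort key “Top Ten Movies” (matching the put-item attempt above) and the role name DynamoDB_Project6. The helper functions parse the AWS CLI’s standard error format, “An error occurred (<Code>) when calling the <Operation> operation: <message>”, and only accept a denial that names both the role and the PutItem action.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): run on the instance to confirm the role
# is in use, reads succeed, and writes are denied by IAM. Names below are assumptions.
set -eu

REGION="${REGION:-us-east-1}"
TABLE_NAME="${TABLE_NAME:-MyTopMovies}"
ROLE_NAME="${ROLE_NAME:-DynamoDB_Project6}"

# Classify a failed AWS CLI call from its stderr text.
# Prints "denied" for an IAM denial, "validation" for an authorized but malformed
# request, and "other" for anything else (network errors, missing table, ...).
classify_error() {
  case "$1" in
    *"An error occurred (AccessDeniedException)"*) echo denied ;;
    *"An error occurred (ValidationException)"*)  echo validation ;;
    *) echo other ;;
  esac
}

# Succeed only if the denial is for the given role AND the given DynamoDB action.
# A denial for some other principal (e.g. leftover static keys) proves nothing.
denial_is_for_role() {   # $1 = stderr text, $2 = role name, $3 = action (e.g. PutItem)
  case "$1" in
    *"assumed-role/$2/"*"is not authorized to perform: dynamodb:$3"*) return 0 ;;
  esac
  return 1
}

verify_readonly() {
  # 1. Credentials must come from the instance role, not from ~/.aws/credentials.
  caller=$(aws sts get-caller-identity --query Arn --output text)
  case "$caller" in
    *":assumed-role/${ROLE_NAME}/"*) echo "caller: $caller" ;;
    *) echo "not using role ${ROLE_NAME}: $caller" >&2; return 1 ;;
  esac

  # 2. Reads must work. Count items instead of dumping the whole table.
  count=$(aws dynamodb scan --region "$REGION" --table-name "$TABLE_NAME" \
            --select COUNT --query Count --output text)
  echo "scan ok, items: $count"

  # 3. Writes must be refused by IAM. Capture stderr so the error can be inspected.
  if err=$(aws dynamodb put-item --region "$REGION" --table-name "$TABLE_NAME" \
             --item '{"Top movies": {"S": "Top Gun"}, "Top Ten Movies": {"S": "A good soldier movie"}}' \
             2>&1); then
    echo "put-item SUCCEEDED: role is not read-only" >&2
    return 1
  fi
  kind=$(classify_error "$err")
  if [ "$kind" = denied ] && denial_is_for_role "$err" "$ROLE_NAME" PutItem; then
    echo "put-item denied for role ${ROLE_NAME}: read-only confirmed"
  else
    echo "unexpected put-item result ($kind): $err" >&2
    return 1
  fi
}

# Runs only when requested, so the parsing helpers can be checked without AWS access.
if [ "${RUN_AWS:-0}" = "1" ]; then
  verify_readonly
fi
```

Run it on the instance with `RUN_AWS=1 ./verify.sh`; a non-zero exit means one of the three checks failed, and the message says which. Counting with `--select COUNT` keeps the read check cheap and avoids printing the table contents into a log.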
Thanks for taking the time to read my article. I really appreciate your effort. Watch out for more tech blog posts on my Medium page. We have completed all the objectives of the project. Until next time!