将 IAM 与 DynamoDB 事务结合使用
您可以使用 Amazon Identity and Access Management (IAM) 限制事务操作可以在 Amazon DynamoDB 中执行的操作。有关在 DynamoDB 中使用 IAM policy 的更多信息,请参阅。将基于身份的策略(IAM policy)与 Amazon DynamoDB 结合使用
Put、Update、Delete 和 Get 操作的权限由用于基础 PutItem、UpdateItem、DeleteItem 和 GetItem 操作的权限管控。对于 ConditionCheck 操作,您可以在 IAM policy 中使用 dynamodb:ConditionCheck 权限。
以下是可用于配置 DynamoDB 事务的 IAM policy 的示例。
示例 1:允许事务操作
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:ConditionCheckItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:GetItem" ], "Resource": [ "arn:aws:dynamodb:*:*:table/table04" ] } ] }
示例 2:仅允许事务操作
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:ConditionCheckItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:GetItem" ], "Resource": [ "arn:aws:dynamodb:*:*:table/table04" ], "Condition": { "ForAnyValue:StringEquals": { "dynamodb:EnclosingOperation": [ "TransactWriteItems", "TransactGetItems" ] } } } ] }
示例 3:允许非事务读取和写入,并阻止事务读取和写入
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "dynamodb:ConditionCheckItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:GetItem" ], "Resource": [ "arn:aws:dynamodb:*:*:table/table04" ], "Condition": { "ForAnyValue:StringEquals": { "dynamodb:EnclosingOperation": [ "TransactWriteItems", "TransactGetItems" ] } } }, { "Effect": "Allow", "Action": [ "dynamodb:PutItem", "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:UpdateItem" ], "Resource": [ "arn:aws:dynamodb:*:*:table/table04" ] } ] }
示例 4:阻止在 ConditionCheck 失败时返回信息
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:ConditionCheckItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:GetItem" ], "Resource": "arn:aws:dynamodb:*:*:table/table01", "Condition": { "StringEqualsIfExists": { "dynamodb:ReturnValues": "NONE" } } } ] }