How do I set up an encrypted DynamoDB table with access policy?
This guide teaches you how to set up an encrypted DynamoDB table and define an IAM policy that grants access to it.
Resources
- aws_dynamodb_table - Define and create the DynamoDB table.
- aws_kms_key - Create a KMS key for encryption.
- aws_iam_policy - Define an IAM policy that permits access to the DynamoDB table.
Steps Overview
- Create a KMS Key: This key will be used to encrypt the DynamoDB table.
- Create the DynamoDB Table: A table with encryption enabled using the KMS key created.
- Define IAM Policy: An IAM policy that grants the required permissions to access the DynamoDB table.
Code Example
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create a customer managed KMS key for encryption
const dynamodbKey = new aws.kms.Key("dynamodb_key", {description: "KMS key for DynamoDB encryption"});

// Create a DynamoDB table encrypted at rest with that key
const myTable = new aws.dynamodb.Table("my_table", {
    name: "my-dynamodb-table",
    billingMode: "PAY_PER_REQUEST",
    hashKey: "id",
    attributes: [{
        name: "id",
        type: "S",
    }],
    serverSideEncryption: {
        enabled: true,
        kmsKeyArn: dynamodbKey.arn,
    },
});

// Define an IAM policy to access the DynamoDB table.
// The policy is limited to three actions on this table's ARN.
// It is created here but not attached to any role, user or group.
const dynamodbAccessPolicy = new aws.iam.Policy("dynamodb_access_policy", {
    name: "DynamoDBAccessPolicy",
    description: "IAM policy for accessing DynamoDB table",
    policy: pulumi.jsonStringify({
        Version: "2012-10-17",
        Statement: [{
            Action: [
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Query",
            ],
            Effect: "Allow",
            Resource: myTable.arn,
        }],
    }),
});

// Stack outputs
export const dynamodbTableName = myTable.name;
export const dynamodbKmsKeyArn = dynamodbKey.arn;
export const dynamodbIamPolicyArn = dynamodbAccessPolicy.arn;
```
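The following check is an added example, not part of the original guide or Pulumi's own code: it audits a table's encryption settings and an IAM policy document for the properties this guide relies on (customer managed KMS key, no wildcard actions, resources scoped to the table). The type names, `auditTableAccess`, and the sample ARNs are assumptions made for illustration.

```typescript
// Added example: plain TypeScript, no Pulumi SDK. Type and function names are illustrative.
type OneOrMany = string | string[];
interface TableArgs { serverSideEncryption?: { enabled: boolean; kmsKeyArn?: string } }
interface Statement { Effect: string; Action: OneOrMany; Resource: OneOrMany }
interface PolicyDoc { Version: string; Statement: Statement[] }

const asList = (v: OneOrMany): string[] => (Array.isArray(v) ? v : [v]);

// Returns a list of findings; an empty list means the configuration passes.
function auditTableAccess(table: TableArgs, policy: PolicyDoc, tableArn: string): string[] {
  const findings: string[] = [];
  const sse = table.serverSideEncryption;
  if (!sse || !sse.enabled) {
    findings.push("table: SSE block missing or disabled, data is encrypted with the AWS owned key");
  } else if (!sse.kmsKeyArn) {
    findings.push("table: no kmsKeyArn, data is encrypted with the AWS managed key");
  }
  policy.Statement.forEach((st, i) => {
    if (st.Effect !== "Allow") return;
    for (const action of asList(st.Action)) {
      if (action.indexOf("*") !== -1) findings.push(`statement ${i}: wildcard action "${action}"`);
    }
    for (const res of asList(st.Resource)) {
      // Accept only the table itself and its sub-resources (indexes, streams).
      const scoped = res === tableArn || res.indexOf(tableArn + "/") === 0;
      if (!scoped) findings.push(`statement ${i}: resource "${res}" is not scoped to the table`);
    }
  });
  return findings;
}

// Constructed sample values (account ID, region and key ID are placeholders).
const tableArn = "arn:aws:dynamodb:us-east-1:123456789012:table/my-dynamodb-table";
const keyArn = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000";

// Mirrors the table and policy from the code example above.
const guideTable: TableArgs = { serverSideEncryption: { enabled: true, kmsKeyArn: keyArn } };
const guidePolicy: PolicyDoc = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"], Resource: tableArn }],
};

// A weak variant: no SSE block, every DynamoDB action, every resource.
const weakTable: TableArgs = {};
const weakPolicy: PolicyDoc = { Version: "2012-10-17", Statement: [{ Effect: "Allow", Action: "dynamodb:*", Resource: "*" }] };

console.log(auditTableAccess(guideTable, guidePolicy, tableArn));
console.log(auditTableAccess(weakTable, weakPolicy, tableArn));
```

The same function can be pointed at the resolved inputs of a real stack, for example inside a unit test that runs before `pulumi up`.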
Key Points
- Encryption with KMS: Protects the data stored in DynamoDB.
- IAM Policy: Defines access permissions for the DynamoDB table.
- Cloud Provider: This setup uses AWS.
Summary
This setup creates a DynamoDB table encrypted at rest with a key managed in AWS KMS and defines an IAM policy that allows GetItem, PutItem and Query on that table. The policy takes effect once it is attached to a role, user or group; the code above does not do that.