
IAM policy needed to restore a DynamoDB table from a backup

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "dynamodb:Scan",
                "dynamodb:Query",
                "dynamodb:UpdateItem",
                "dynamodb:PutItem",
                "dynamodb:GetItem",
                "dynamodb:DeleteItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:ListTables",
                "dynamodb:DescribeTable",
                "dynamodb:ListBackups",
                "dynamodb:RestoreTableFromBackup",
                "dynamodb:CreateBackup",
                "dynamodb:DeleteTable",
                "dynamodb:DescribeBackup",
                "dynamodb:DeleteBackup"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "dynamodb:DeleteTable"
            ],
            "Resource": "arn:aws:dynamodb:ap-northeast-1:xxxxxx:table/Production*"
        }
    ]
}
The restore creates the destination table, and Scan through BatchWriteItem are required on that table for this step.
The Deny statement keeps production tables out of the deletable set: an explicit Deny wins over the Allow above regardless of statement order.

Policy evaluation logic - AWS Identity and Access Management

Tips

Restricting the Restore permission to specific tables

The Resource that has to be allowed is the source (backed-up) table, not the destination table name. DynamoDB backup ARNs have the form arn:aws:dynamodb:REGION:ACCOUNT:table/SOURCE_TABLE/backup/BACKUP_NAME, so a wildcard on the source table also matches its backups.

Source: Production, destination: Development

Works (source table):

{
    "Effect": "Allow",
    "Action": [
        "dynamodb:RestoreTableFromBackup"
    ],
    "Resource": "arn:aws:dynamodb:ap-northeast-1:xxxxxx:table/Production*"
}

Does not work (destination table):

"Resource": "arn:aws:dynamodb:ap-northeast-1:xxxxxx:table/Development*"
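To make the two points above concrete (the explicit Deny protecting Production tables, and the source-table wildcard being what matches a backup ARN), here is a toy evaluator that walks the policy the way the Allow/Deny logic does. This is an added example, not code from the post or from AWS: it handles only Effect, Action and Resource with IAM's `*` and `?` wildcards, and ignores Condition, NotAction, NotResource, resource policies, boundaries and SCPs. The account ID 123456789012 and the backup name are constructed placeholders.

```python
"""Toy IAM evaluator for the two policy fragments in this post.

Added example, not AWS code. Implements only Effect/Action/Resource matching
with IAM's '*' and '?' wildcards. Actions are compared case-insensitively and
ARNs case-sensitively, as IAM does.
"""
import json
import re

ACCOUNT = "123456789012"  # placeholder, stands in for the post's xxxxxx
REGION = "ap-northeast-1"
ARN_PREFIX = f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:"

# The post's main policy, with the placeholder account ID substituted.
MAIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "dynamodb:Scan", "dynamodb:Query", "dynamodb:UpdateItem",
                "dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:DeleteItem",
                "dynamodb:BatchWriteItem", "dynamodb:ListTables",
                "dynamodb:DescribeTable", "dynamodb:ListBackups",
                "dynamodb:RestoreTableFromBackup", "dynamodb:CreateBackup",
                "dynamodb:DeleteTable", "dynamodb:DescribeBackup",
                "dynamodb:DeleteBackup",
            ],
            "Resource": "*",
        },
        {
            "Effect": "Deny",
            "Action": ["dynamodb:DeleteTable"],
            "Resource": ARN_PREFIX + "table/Production*",
        },
    ],
}


def restore_statement(table_pattern):
    """The Tips-section Allow statement, scoped to one table wildcard."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:RestoreTableFromBackup"],
        "Resource": ARN_PREFIX + f"table/{table_pattern}",
    }]}


def _wildcard_match(pattern, value, ignore_case):
    # Escape everything, then turn IAM's '*' and '?' back into regex wildcards.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one (action, resource).

    Any matching Deny ends evaluation immediately; an Allow only stands if no
    Deny matches; no matching statement at all is an implicit deny.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_wildcard_match(p, action, True) for p in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(p, resource, False) for p in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed ARNs. A backup's ARN is nested under its source table's ARN.
PROD_TABLE = ARN_PREFIX + "table/Production"
DEV_TABLE = ARN_PREFIX + "table/Development"
PROD_BACKUP = PROD_TABLE + "/backup/01700000000000-abcdef12"  # constructed name


def main_policy_decisions():
    """Main policy: Production survives DeleteTable, Development does not."""
    return {
        "delete_prod": evaluate(MAIN_POLICY, "dynamodb:DeleteTable", PROD_TABLE),
        "delete_dev": evaluate(MAIN_POLICY, "dynamodb:DeleteTable", DEV_TABLE),
        "create_dev": evaluate(MAIN_POLICY, "dynamodb:CreateTable", DEV_TABLE),
        "restore_prod_backup": evaluate(MAIN_POLICY, "dynamodb:RestoreTableFromBackup", PROD_BACKUP),
    }


def restore_scope_decisions():
    """Tips section: only the source-table wildcard matches the backup ARN."""
    return {
        "source_wildcard": evaluate(restore_statement("Production*"), "dynamodb:RestoreTableFromBackup", PROD_BACKUP),
        "destination_wildcard": evaluate(restore_statement("Development*"), "dynamodb:RestoreTableFromBackup", PROD_BACKUP),
    }


if __name__ == "__main__":
    print(json.dumps(main_policy_decisions(), indent=2))
    print(json.dumps(restore_scope_decisions(), indent=2))
```

Against the real service, the same checks can be run without touching any table via `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names dynamodb:DeleteTable --resource-arns <table ARN>`, which reports explicitDeny / allowed / implicitDeny per action and resource.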
This post is licensed under CC BY 4.0 by the author.