Creating a DynamoDB Table with Limited EC2 Instance Access
A Foundational Dive Utilizing AWS Service, DynamoDB & Securing with IAM
A little bit about AWS DynamoDB: DynamoDB is a fully managed NoSQL database service. NoSQL is most commonly taken to stand for “Not Only SQL,” meaning our DynamoDB database will be non-relational, highly available, scalable, and optimized for high performance. Instead of the relational model, NoSQL databases (like DynamoDB) use alternate models for data management, such as key-value pairs or document storage. To me the best part of utilizing this Amazon service is that DynamoDB lets you offload the administrative burdens of operating and scaling a distributed database. No need to worry about hardware provisioning, setup and configuration, replication, software patching, or cluster scaling. DynamoDB even offers encryption at rest, which eliminates the operational burden and complexity involved in protecting sensitive data. There are a lot of pros to this service. You can read more in depth in the AWS documentation: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Introduction.html
This will probably be our last easy project together. As I mentioned in a previous article, as we grow our knowledge it’s best to keep testing it. I am up for the challenge, are you?
Foundation Tasks:
1️⃣Create a DynamoDB table for latest Movie releases
2️⃣Add 10 latest movie releases to the table, including the title, genre, release date, and rating.
3️⃣Create a t2.micro EC2 instance
4️⃣Using an IAM role and the principle of least privilege, grant the EC2 instance read access to DynamoDB.
5️⃣Use the AWS CLI in the EC2 instance to scan the DynamoDB table
6️⃣Use the AWS CLI in the EC2 instance to validate you cannot write an item to the DynamoDB table
To follow along with this project you will need:
- AWS user account with sufficient privileges. Note: once again we will be utilizing the free tier throughout the entirety of the project.
- PowerShell/Terminal
- Time & Patience
To begin, you will need to be logged into your AWS Console to start Task #1: Create a DynamoDB table for latest Movie releases. If this is your first time creating a DynamoDB table, just search for DynamoDB in the console.
Choose Create table from the Get started menu on the DynamoDB homepage.
Now, we will be able to set up our Table and start Task 2: Add 10 latest movie releases to the table, including the title, genre, release date, and rating.
- Choose your Table Name: Recent Movies
- Partition key: choose the attribute name your items will be keyed on
- Sort key: optional, but we add one here
Scroll down, keep the Table settings at their defaults, and skip Tags; we don’t need any.
Select Create table.
Success, our table is now Active and showing in our DynamoDB Tables.
After selecting our Recent_Movies table we can see an overview of it. From here, select Explore table items to add our movie titles. It’s a bit like entering things in an Excel spreadsheet.
Your next screen should look like this. Scroll down until you see Create item.
On the next screen we can enter data. Here we see the Partition key name we created as well as the Sort key. Under Value we enter the corresponding information for our movie. We can also add new attributes: ours will be genre, rating and Rotten Tomatoes’ score. (Choose String as the type for each one.)
After we have all our data entered it’s time to complete Task 3: Create a t2.micro EC2 instance. If you haven’t created an EC2 instance before you can refer to one of my previous projects and follow the basic steps to create one. https://medium.com/@mel.foster/launching-an-aws-ec2-instance-creating-a-custom-webpage-75c5ebd3e1c5
Next Up, let’s tackle Task 4: Using an IAM role and the principle of least privilege, grant the EC2 instance read access to DynamoDB. Type IAM in the search bar of the AWS Console and then select IAM.
On the left-hand menu under Access management select Roles.
On the right side of the screen you can select Create role.
We are now on the Trusted entity type screen.
- Choose AWS service
- Under the Use case section choose EC2. (This is where we create an IAM role for the EC2 instance we created previously.)
- After you have completed these selections click the blue Next button.
The next screen is Add permissions.
- Type DynamoDB in the search bar.
- It’s best to start with the principle of “least privilege”; to honour it we choose the DynamoDB read-only access policy rather than full access. The role only needs to read the table, so that is all it gets.
- Once selected click Next.
The last part of setting up the role in Identity & Access Management (IAM) is to name, review and create it.
- Name our role
- Review before selecting Create role at the bottom of the screen.
Our next step will be to associate the new role with the EC2 instance we created. Head back to the EC2 page in your AWS console.
- Select that specific instance.
- Open the Actions menu, drop down to Security and then select Modify IAM role.
From here, choose the little drop-down arrow and select our custom IAM role. Once the role is selected, hit Update IAM role.
I am really proud of you for learning how to create an IAM Role. It’s time to test it out. We will be using our CLI in PowerShell/Terminal to ssh into our EC2 instance to complete Task #5: Use the AWS CLI in the EC2 instance to scan the DynamoDB table.
I ran into the following error when trying to run the chmod 400 command on my .pem key in PowerShell. Here is the error:
chmod : the term 'chmod' is not recognized as the name of a cmdlet, function, script file, or operable program. check the spelling of the name, or if a path was included, verify that the path is correct and try again.
After some research I found a solution to make sure I had the read permissions. I executed the following commands:
# Remove all explicitly granted permissions on the key file
icacls.exe [YOUR PEM KEY] /reset
# Grant only the current user read (r) access
icacls.exe [YOUR PEM KEY] /grant:r "$($env:username):(r)"
# Stop inherited permissions from being applied to the key file
icacls.exe [YOUR PEM KEY] /inheritance:r
After running those commands you can see that I was able to successfully ssh into my EC2 instance with my key having read permission and all other permissions removed.
Let’s move forward by scanning the DynamoDB table from the EC2 instance’s CLI. We will run the following command to achieve this.
aws dynamodb scan --table-name [ENTER YOUR TABLE NAME]
Here are the results:
Finally, we round out the foundation portion of today’s project by completing Task #6: Use the AWS CLI in the EC2 instance to validate you cannot write an item to the DynamoDB table.
I am going to attempt to add the movie “Air” by running the command:
aws dynamodb put-item --table-name RecentMovies --item '{ "MovieName": { "S": "Air" } }'
Success! We were unable to add the movie “Air”! Thank you for working through this project with me. I think we deserve a break to go see a movie, what do you think?
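To make the least-privilege point of Task 4 and the write test of Task 6 concrete, here is an added Python example (not code from the original article or from AWS). It builds an identity-based IAM policy scoped to a single table and evaluates offline which of the CLI calls used above it would allow: the Scan from Task 5 must pass and the PutItem from Task 6 must be denied. The account ID, region and table ARN are constructed placeholders, and the evaluator is a simplified model of IAM (no conditions, resource policies or permission boundaries). It goes one step beyond the managed read-only policy used in the walkthrough by restricting the role to one table rather than every table in the account.

```python
"""
Least-privilege check for the EC2 role's DynamoDB access.

Added example, not code from the original article. It builds an IAM
identity policy scoped to one table and evaluates, offline, whether the
actions used in Task 5 (Scan) and Task 6 (PutItem) would be allowed.
"""
import fnmatch
import json

# Constructed placeholders: substitute your own account ID, region and table name.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
TABLE_NAME = "RecentMovies"
TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT_ID}:table/{TABLE_NAME}"


def read_only_table_policy(table_arn: str) -> dict:
    """Identity-based policy granting only read actions on a single table
    (and its indexes). No dynamodb:PutItem / UpdateItem / DeleteItem is
    listed, so writes fall through to IAM's implicit deny."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadRecentMoviesOnly",
                "Effect": "Allow",
                "Action": [
                    "dynamodb:GetItem",
                    "dynamodb:BatchGetItem",
                    "dynamodb:Query",
                    "dynamodb:Scan",
                    "dynamodb:DescribeTable",
                ],
                "Resource": [table_arn, f"{table_arn}/index/*"],
            }
        ],
    }


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny wins, otherwise the request
    needs at least one matching Allow; with no match the default is Deny.
    Wildcards in Action/Resource are matched with fnmatch."""
    allowed = False
    for stmt in policy.get("Statement", []):
        action_match = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_match = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if not (action_match and resource_match):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_role(policy: dict, table_arn: str) -> dict:
    """Verdict for each CLI call from the walkthrough, plus a sibling table
    to show the role cannot even read tables it was not scoped to."""
    other_table = table_arn.rsplit("/", 1)[0] + "/OtherTable"  # constructed
    return {
        "scan": is_allowed(policy, "dynamodb:Scan", table_arn),        # Task 5
        "put-item": is_allowed(policy, "dynamodb:PutItem", table_arn),  # Task 6
        "other-table": is_allowed(policy, "dynamodb:Scan", other_table),
    }


if __name__ == "__main__":
    policy = read_only_table_policy(TABLE_ARN)
    print(json.dumps(policy, indent=2))
    for call, verdict in check_role(policy, TABLE_ARN).items():
        print(f"{call}: {'allowed' if verdict else 'DENIED'}")
```

The printed policy document can be pasted into the Create policy screen in IAM and attached to the EC2 role in place of the broader managed policy; the evaluator is only a local sanity check, so the real confirmation is still the AccessDeniedException you see when running put-item from the instance.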