1 00:00:00,000 --> 00:00:01,490 So now let's talk about 2 00:00:01,490 --> 00:00:03,610 DynamoDB security and some other features. 3 00:00:03,610 --> 00:00:06,400 So for security, we have VPC endpoints 4 00:00:06,400 --> 00:00:07,400 that are going to be available to 5 00:00:07,400 --> 00:00:09,820 access DynamoDB without using the public internet, 6 00:00:09,820 --> 00:00:12,940 and only keeping all the traffic within your VPC. 7 00:00:12,940 --> 00:00:15,930 Access to DynamoDB is fully controlled by IAM, 8 00:00:15,930 --> 00:00:19,040 which makes it a great database choice in AWS. 9 00:00:19,040 --> 00:00:20,180 And you have encryption at rest 10 00:00:20,180 --> 00:00:24,160 using AWS KMS or in transit using SSL and TLS. 11 00:00:24,160 --> 00:00:26,620 There are backup and restore features available. 12 00:00:26,620 --> 00:00:27,453 You have two of them. 13 00:00:27,453 --> 00:00:29,020 So you have point-in-time recovery, 14 00:00:29,020 --> 00:00:31,500 so PITR, just like RDS, 15 00:00:31,500 --> 00:00:33,020 and there's no performance impact, 16 00:00:33,020 --> 00:00:35,920 or we can just do a normal backup and restore it. 17 00:00:35,920 --> 00:00:39,400 Now there's the concept of global tables in DynamoDB. 18 00:00:39,400 --> 00:00:42,260 So the idea is that you have a multi-region, multi-active, 19 00:00:42,260 --> 00:00:45,710 fully replicated, high-performance table in DynamoDB. 20 00:00:45,710 --> 00:00:47,080 And how to enable it? 21 00:00:47,080 --> 00:00:50,090 Well, you need to first enable DynamoDB Streams.
22 00:00:50,090 --> 00:00:52,180 So, while DynamoDB is a cloud service, 23 00:00:52,180 --> 00:00:54,680 it's possible for you to get a simulation 24 00:00:54,680 --> 00:00:56,280 of DynamoDB on your local computer, 25 00:00:56,280 --> 00:00:57,460 called DynamoDB Local, 26 00:00:57,460 --> 00:00:58,360 and the idea is that you have 27 00:00:58,360 --> 00:01:01,040 a local DynamoDB database that you can use 28 00:01:01,040 --> 00:01:03,050 to develop and test your applications locally 29 00:01:03,050 --> 00:01:05,070 without using the DynamoDB web service, 30 00:01:05,070 --> 00:01:06,970 which is really, really handy. 31 00:01:06,970 --> 00:01:10,190 And if you wanted to migrate data to and from DynamoDB, 32 00:01:10,190 --> 00:01:12,000 the AWS Database Migration Service 33 00:01:12,000 --> 00:01:13,170 is a great choice. 34 00:01:13,170 --> 00:01:14,003 So for example, 35 00:01:14,003 --> 00:01:15,470 from MongoDB to DynamoDB, 36 00:01:15,470 --> 00:01:19,010 or DynamoDB to Oracle, MySQL, S3 and so on. 37 00:01:19,010 --> 00:01:21,520 Now another feature you need to understand around DynamoDB 38 00:01:21,520 --> 00:01:23,600 is going to be around fine-grained access. 39 00:01:23,600 --> 00:01:25,020 So for example, if you have clients 40 00:01:25,020 --> 00:01:26,750 and applications, web or mobile, 41 00:01:26,750 --> 00:01:29,460 and they need to access directly our DynamoDB table, 42 00:01:29,460 --> 00:01:31,500 then we don't want to give them IAM permissions 43 00:01:31,500 --> 00:01:34,260 and IAM roles, users directly from AWS, 44 00:01:34,260 --> 00:01:37,340 that will be truly inefficient and a security hole. 45 00:01:37,340 --> 00:01:39,570 Instead, we're going to use an identity provider. 46 00:01:39,570 --> 00:01:41,680 It could be Amazon Cognito User Pools, 47 00:01:41,680 --> 00:01:43,300 Google login, Facebook login, OpenID Connect, 48 00:01:43,300 --> 00:01:45,630 or SAML or whatever.
49 00:01:45,630 --> 00:01:48,560 And the users will, in the simplified flow, 50 00:01:48,560 --> 00:01:50,810 log in with these identity providers 51 00:01:50,810 --> 00:01:51,980 and they will have the feature to 52 00:01:51,980 --> 00:01:54,060 exchange the credentials they just got 53 00:01:54,060 --> 00:01:56,670 for temporary AWS credentials. 54 00:01:56,670 --> 00:01:58,140 And the idea is that because they're temporary, 55 00:01:58,140 --> 00:01:59,340 they're more secure. 56 00:01:59,340 --> 00:02:01,880 And with them, they can be associated with an IAM role, 57 00:02:01,880 --> 00:02:03,540 but this IAM role must be restricted 58 00:02:03,540 --> 00:02:05,490 because now that our clients and applications 59 00:02:05,490 --> 00:02:07,310 can access our DynamoDB table, 60 00:02:07,310 --> 00:02:09,170 you want them to be able to do operations 61 00:02:09,170 --> 00:02:11,340 only on the data that they own. 62 00:02:11,340 --> 00:02:12,600 And so how do we do this, 63 00:02:12,600 --> 00:02:14,750 this fine-grained access control? 64 00:02:14,750 --> 00:02:17,390 Well, we have a federated login 65 00:02:17,390 --> 00:02:18,580 to get temporary credentials, 66 00:02:18,580 --> 00:02:20,740 and then we can create an IAM role, 67 00:02:20,740 --> 00:02:22,890 and this IAM role will have a condition. 68 00:02:22,890 --> 00:02:26,640 And this condition will lead on to what the user can do. 69 00:02:26,640 --> 00:02:28,070 So here is a sample policy. 70 00:02:28,070 --> 00:02:30,330 So in this policy, the user can do GetItem, 71 00:02:30,330 --> 00:02:32,680 BatchGetItem, Query, PutItem, UpdateItem, 72 00:02:32,680 --> 00:02:36,180 DeleteItem and BatchWriteItem on a specific table. 73 00:02:36,180 --> 00:02:37,660 But there's a condition here.
74 00:02:37,660 --> 00:02:38,540 And the condition is saying, 75 00:02:38,540 --> 00:02:43,120 hey, only if the LeadingKeys corresponds to DynamoDB 76 00:02:43,120 --> 00:02:48,120 and then the Cognito identity pseudo variable, 77 00:02:48,380 --> 00:02:51,360 which will be replaced at run time by the specific user. 78 00:02:51,360 --> 00:02:53,200 And so effectively what we're saying is that 79 00:02:53,200 --> 00:02:56,920 with LeadingKeys, we only limit row-level access for users 80 00:02:56,920 --> 00:02:59,360 based on what the primary key value is. 81 00:02:59,360 --> 00:03:01,830 And so therefore we make sure that the users can only modify 82 00:03:01,830 --> 00:03:03,830 and access their own data. 83 00:03:03,830 --> 00:03:06,850 And you can also specify conditions on attributes, 84 00:03:06,850 --> 00:03:09,240 and this would be to limit the specific attributes 85 00:03:09,240 --> 00:03:11,780 a user can see in your DynamoDB table, okay? 86 00:03:11,780 --> 00:03:14,450 So to summarize, you have fine-grained access control 87 00:03:14,450 --> 00:03:16,580 by using a federated login 88 00:03:16,580 --> 00:03:19,250 and by specifying a condition on LeadingKeys, 89 00:03:19,250 --> 00:03:21,100 if you want to limit at the row level, 90 00:03:21,100 --> 00:03:23,750 or attributes, if you want your limits at the column level, 91 00:03:23,750 --> 00:03:24,890 the attribute level. 92 00:03:24,890 --> 00:03:26,200 Okay, that's it for this lecture. 93 00:03:26,200 --> 00:03:27,160 I hope you liked it. 94 00:03:27,160 --> 00:03:29,110 And I will see you in the next lecture.
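The "sample policy" the lecturer points at (cues 69 to 91) was on a slide and is not in the transcript. What follows is an added reconstruction, not the lecture's own slide, of an IAM permissions policy for the Cognito-federated role described there, built from the actions the lecturer lists and the documented DynamoDB condition keys dynamodb:LeadingKeys, dynamodb:Attributes, dynamodb:Select and dynamodb:ReturnValues. The region, the account ID 111122223333, the table name UserData and the attribute names are assumed placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OwnRowsAndListedAttributesOnly",
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:BatchGetItem",
        "dynamodb:Query",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:BatchWriteItem"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/UserData",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": [
            "${cognito-identity.amazonaws.com:sub}"
          ],
          "dynamodb:Attributes": [
            "UserId",
            "DisplayName",
            "Score",
            "LastSeen"
          ]
        },
        "StringEqualsIfExists": {
          "dynamodb:Select": "SPECIFIC_ATTRIBUTES",
          "dynamodb:ReturnValues": [
            "NONE",
            "UPDATED_OLD",
            "UPDATED_NEW"
          ]
        }
      }
    }
  ]
}
```

How the pieces fit: the partition key of UserData is assumed to hold the Cognito identity ID, so `${cognito-identity.amazonaws.com:sub}` is substituted at request time and `dynamodb:LeadingKeys` only matches rows whose partition key is the caller's own identity (this is the row-level limit from cue 79). `ForAllValues` is what makes batch calls safe: every key in a BatchGetItem or BatchWriteItem request must match, not just one. `dynamodb:Attributes` is the attribute-level limit from cue 83; on its own it can be bypassed by a request that does not project attributes at all, which is why `dynamodb:Select` is pinned to SPECIFIC_ATTRIBUTES and `dynamodb:ReturnValues` excludes ALL_OLD and ALL_NEW, so an UpdateItem or DeleteItem cannot echo hidden attributes back. Scan is deliberately absent from the action list: LeadingKeys cannot constrain a Scan, so allowing it would expose every partition. The role's trust policy should in addition restrict who may assume it, by checking `cognito-identity.amazonaws.com:aud` against your identity pool ID and `cognito-identity.amazonaws.com:amr` for `authenticated`, otherwise the permissions policy is only as tight as whoever can obtain the role.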