I am exploring fine-grained access for an API that we are building. APIs are hosted on API Gateway with a lambda handler and the datastore is DynamoDB. I need to apply row-level and attribute-level restrictions on the queries, depending upon the user invoking the API.
DynamoDB supports horizontal (row) and vertical (attribute) restrictions through policies. This AWS doc covers it. Let's say I have the access controls defined in a separate DB and my lambda handler has the access definition for the current user. What I want to do is be able to use some custom attributes to define my condition, e.g.
```json
"Condition": {
    "ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": ["${customcontext:customerId}"],
        "dynamodb:Attributes": ["${customcontext:ListOfVisibleAttributes}"]
    },
    "StringEqualsIfExists": {
        "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
    }
}
```
Also, can this policy be used to restrict the rows returned based on a dynamic condition? e.g. I want to filter further based on a custom list of values on sort-key.
And lastly, is it worth handling this using a Policy, instead of a Lambda with dynamic query?
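For comparison with the policy approach, here is the "Lambda with dynamic query" alternative from the last question, as an added example that is not part of the original post. It assumes a constructed access-definition shape (`customer_id`, `visible_attributes`, `allowed_sort_keys`) loaded from the separate access-control DB, a table keyed on `customerId` / `orderId`, and Query parameters shaped for the boto3 Table resource's `query()` (no network call is made here).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessDefinition:
    """Per-user access definition as the handler would load it from the
    separate access-control store (the shape is a constructed assumption)."""
    customer_id: str                 # the only partition-key value this user may read
    visible_attributes: frozenset    # attribute names this user may see
    allowed_sort_keys: frozenset = frozenset()  # optional sort-key allow-list; empty = no extra filter


def build_query(table, access, requested_attributes=None, *, pk="customerId", sk="orderId"):
    """Return keyword arguments for a DynamoDB Query that can only read rows under
    the caller's partition key and only project attributes the caller may see.
    A request for a hidden attribute is rejected rather than silently narrowed,
    so a misbehaving client shows up in the handler's logs."""
    visible = set(access.visible_attributes) | {pk, sk}   # key attributes identify the row
    wanted = visible if requested_attributes is None else set(requested_attributes)
    hidden = wanted - visible
    if hidden:
        raise PermissionError(f"attributes not visible to caller: {sorted(hidden)}")

    names = {"#pk": pk}
    values = {":pk": access.customer_id}
    params = {
        "TableName": table,
        # Row restriction: the partition key is pinned to the caller's customerId,
        # the same effect as dynamodb:LeadingKeys in an IAM condition.
        "KeyConditionExpression": "#pk = :pk",
    }

    # Attribute restriction: ProjectionExpression built from placeholders, which
    # also keeps reserved words (e.g. "status") from breaking the expression.
    proj = []
    for i, attr in enumerate(sorted(wanted)):
        names[f"#a{i}"] = attr
        proj.append(f"#a{i}")
    params["ProjectionExpression"] = ", ".join(proj)

    # Dynamic sort-key allow-list: KeyConditionExpression accepts a single
    # condition on the sort key, so a list of values has to go into a
    # FilterExpression. Filters run after the read, so rows they drop still
    # consume read capacity; DynamoDB also rejects unused placeholders, which is
    # why "#sk" is only declared when the filter is present.
    if access.allowed_sort_keys:
        names["#sk"] = sk
        for i, v in enumerate(sorted(access.allowed_sort_keys)):
            values[f":sk{i}"] = v
        placeholders = ", ".join(f":sk{i}" for i in range(len(access.allowed_sort_keys)))
        params["FilterExpression"] = f"#sk IN ({placeholders})"

    params["ExpressionAttributeNames"] = names
    params["ExpressionAttributeValues"] = values
    return params


def redact_items(items, access, *, pk="customerId", sk="orderId"):
    """Defense in depth: drop any row outside the caller's partition and any
    attribute the caller may not see before the handler returns results, so a
    bug in query construction cannot leak data on its own."""
    visible = set(access.visible_attributes) | {pk, sk}
    out = []
    for item in items:
        if item.get(pk) != access.customer_id:
            continue
        out.append({k: v for k, v in item.items() if k in visible})
    return out


if __name__ == "__main__":
    # Constructed sample: user may see two attributes of two specific orders.
    access = AccessDefinition("cust-42", frozenset({"status", "total"}), frozenset({"o-1", "o-2"}))
    print(build_query("Orders", access))
```

Because the restriction is applied inside the handler, the Lambda's own execution-role policy can stay static (Query on the one table), while the per-user narrowing happens on every request without creating any IAM artefacts; `redact_items` is the check that catches a query-builder mistake before data leaves the API.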
You wouldn't be able to dynamically create a policy per request. It's not scalable as you can't create an unbounded number of IAM policies, not to mention the increased latency that would be introduced.