Implement fine-grained access control on DynamoDB
As part of the Registry State Machine, we need to apply policy rules on DynamoDB. An Adapter/Port specific to this will be needed so that, if we need to swap to another store, we can build interfaces for it.
Reference article: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html#FGAC_DDB.ConditionKeys
Here is a sample identity-based policy we can attach to a user. It grants `dynamodb:GetItem` on the `akello` table, limited to items whose partition key value matches one of the listed values (enforced through the `dynamodb:LeadingKeys` condition key).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-east-1:****:table/akello"
      ],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "dynamodb:LeadingKeys": [
            "organization-id:<org-id>",
            "user-id:<user-id>",
            "measurement-id:<measurement-id>",
            "registry-id:<registry_id>"
          ]
        }
      }
    }
  ]
}
```
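Added example (not Akello project code): a minimal Port/Adapter that builds the per-user DynamoDB policy above from a list of allowed partition-key values, plus a local evaluator that mimics IAM's `ForAllValues`/`ForAnyValue` set-operator semantics so the generated document can be sanity-checked offline before it is attached. The table name `akello`, the region and the `<kind>:<id>` partition-key format come from the policy in the issue; the account id, the class and function names and the `AkelloFgac` Sid are assumptions. It also shows why the reference doc uses `ForAllValues` rather than `ForAnyValue`: once a multi-key action such as `BatchGetItem` is added to the statement, `ForAnyValue` lets a request through if just one of its keys is allowed.

```python
"""Port/Adapter for DynamoDB fine-grained access control (illustrative, not project code)."""
import json
from abc import ABC, abstractmethod

ACCOUNT_ID = "123456789012"  # placeholder account id (assumption)
TABLE_ARN = f"arn:aws:dynamodb:us-east-1:{ACCOUNT_ID}:table/akello"


class AccessPolicyPort(ABC):
    """Port: the Registry State Machine asks for a policy document for a principal;
    the concrete adapter expresses it for the store in use (hypothetical interface)."""

    @abstractmethod
    def build_policy(self, allowed_keys: list[str], actions: list[str]) -> dict: ...


class DynamoDBFgacAdapter(AccessPolicyPort):
    """Adapter for DynamoDB FGAC via the dynamodb:LeadingKeys condition key."""

    def __init__(self, set_operator: str = "ForAllValues"):
        # ForAllValues: every partition key in the request must be on the allow list.
        # ForAnyValue: one allowed key is enough, which is unsafe for batch actions.
        if set_operator not in ("ForAllValues", "ForAnyValue"):
            raise ValueError(set_operator)
        self.set_operator = set_operator

    def build_policy(self, allowed_keys: list[str], actions: list[str]) -> dict:
        # Identity-based policy (attached to the IAM user/role), so no Principal element.
        return {
            "Version": "2012-10-17",
            "Statement": [{
                "Sid": "AkelloFgac",
                "Effect": "Allow",
                "Action": list(actions),
                "Resource": [TABLE_ARN],
                "Condition": {
                    f"{self.set_operator}:StringEquals": {
                        "dynamodb:LeadingKeys": list(allowed_keys)
                    }
                },
            }],
        }


def is_allowed(policy: dict, action: str, leading_keys: list[str]) -> bool:
    """Local approximation of IAM evaluation for this policy shape only:
    exact action/resource match, Allow statements, StringEquals with a set operator.
    leading_keys is the multivalued request context: one partition-key value per
    item key in the request (one for GetItem, several for BatchGetItem)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if TABLE_ARN not in stmt["Resource"]:
            continue
        cond_ok = True
        for op, kv in stmt.get("Condition", {}).items():
            qualifier, _, base = op.partition(":")
            if base != "StringEquals":
                raise NotImplementedError(op)
            allowed = set(kv["dynamodb:LeadingKeys"])
            if qualifier == "ForAllValues":
                # IAM: true when every request value matches (vacuously true if none).
                cond_ok &= all(k in allowed for k in leading_keys)
            elif qualifier == "ForAnyValue":
                cond_ok &= any(k in allowed for k in leading_keys)
            else:
                raise NotImplementedError(op)
        if cond_ok:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: one user who may read their own items and their org's items.
    adapter = DynamoDBFgacAdapter("ForAllValues")
    policy = adapter.build_policy(
        ["user-id:u1", "organization-id:org1"],
        ["dynamodb:GetItem", "dynamodb:BatchGetItem"],
    )
    print(json.dumps(policy, indent=2))
    print(is_allowed(policy, "dynamodb:GetItem", ["user-id:u1"]))            # True
    print(is_allowed(policy, "dynamodb:BatchGetItem", ["user-id:u1", "user-id:u2"]))  # False
```

The evaluator is deliberately narrow (no wildcards, no Deny statements, no other condition operators); for the real thing, run the generated document through IAM's policy simulator before attaching it, and keep the statement to single-key actions unless the condition uses `ForAllValues`.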
Need to keep this as a top priority and have it reviewed with the architecture committee.
I am not 100% sure whether we want to manage this ourselves or leverage SMART on FHIR to handle this for us.