
[AWS Certificate]-DynamoDB Streams

DynamoDB Streams

  • 24 Hours time-ordered log of all table-write activity
  • React to changes to DynamoDB tables in real time
  • Can be read by AWS Lambda, EC2, ES, Kinesis ...
  • Use cases: Replication, Archival, Notifications, Log processing 
  • DynamoDB Streams are organized into shards
  • Records are not retroactively populated in a stream after enabling it
  • Simply enable streams from DynamoDB console
  • Four supported views:

Reference: Change Data Capture for DynamoDB Streams - Amazon DynamoDB
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Streams.html

"If you perform a PutItem or UpdateItem operation that does not change any data in an item, DynamoDB Streams does not write a stream record for that operation."

Time to Live (TTL)

  • Allows you to tell DynamoDB when to delete an item from the table
  • Simply designate an item attribute as a TTL attribute
  • TTL attribute should contain the expiry timestamp for the item (EPOCH or UNIX timestamp)
  • Items get marked for deletion on expiry
  • Expired items get removed from the table and indexes automatically within about 48 hrs
  • Expired items can show up in the API responses until they get deleted
  • Applications should use filter operations to exclude items marked for deletion
  • Deleted items appear in DynamoDB streams (if streams are enabled)


Demo

TTL Use Cases

  • Data archival to another table (using DynamoDB streams)
  • Separating hot and cold data in time-series data (using DynamoDB streams)

DynamoDB Global Tables

  • Automatic, Multi-Master, Active-Active, Cross-region replication
  • Useful for low latency and DR (disaster recovery) purposes
  • Near real-time replication (< 1 second replication lag)
  • Eventual consistency for cross-region reads
  • Strong consistency for same region reads
  • "Last Writer Wins" approach for conflict resolution
  • Transactions are ACID-compliant only in the region where the write originally occurs
  • To enable global tables for a table, the table must be empty across regions
  • Only one replica per region
  • Must enable DynamoDB Streams with New and Old Images
  • Must have the same table name and primary keys across regions
  • Recommended to use identical settings for table and indexes across regions

Why Global Tables

Demo


Fine-Grained access control in DynamoDB

  • Can use IAM to control access to DynamoDB resources
  • DynamoDB does not support tag-based conditions
  • Can use condition keys in your IAM policy for fine-grained access control
    • Can restrict access to certain items / attributes based on user identity (in a table or a secondary index)
    • Example - allow users to access only the items that belong to them, based on certain primary key values

Fine-Grained Access Control for DynamoDB

  • ForAllValues:StringEquals - compares the requested attribute values with those in the table
  • dynamodb:LeadingKeys - represents the partition key. E.g. access will be allowed only if the user's user_id matches the partition key value in the table
  • dynamodb:Attributes - to limit access to specific attributes

Reference: Using IAM Policy Conditions for Fine-Grained Access Control - Amazon DynamoDB
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html

"When using policy variables, you must explicitly specify version 2012-10-17 in the policy. The default version of the access policy language, 2008-10-17, does not support policy variables."


DynamoDB Web Identity Federation

  • Also called DynamoDB federated identities
  • For authentication and authorization of app users
  • No need to create individual IAM users
  • Login with an identity provider (like Google/Facebook/Amazon) and get a web identity token
  • Use Cognito to exchange the web identity token with temporary IAM credentials (STS token)
    • or you can also call STS directly
  • Use the temporary credentials to access DynamoDB (as per the role associated with the credentials)
  • Can use fine-grained access control (with condition keys)
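As an added example (not from the original post), serving both the condition-key list above and the federated-identity flow: the policy a Cognito/STS role would carry, written with dynamodb:LeadingKeys and dynamodb:Attributes, plus a small local model of the ForAllValues:StringEquals set semantics. The account, region, table and attribute names, and the cognito-identity sub variable as the user identifier, are assumptions; IAM does the real evaluation, the model only mirrors the documented set rules.

```python
# Added example, not the post's own: constructed region/account/table/attribute names.
SUB_VAR = "${cognito-identity.amazonaws.com:sub}"  # IAM substitutes the caller's id
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/UserOrders"  # placeholder

POLICY = {  # attached to the role Cognito/STS returns for the web identity token
    "Version": "2012-10-17",  # policy variables need this version, not 2008-10-17
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem"],
        "Resource": TABLE_ARN,
        "Condition": {
            "ForAllValues:StringEquals": {
                "dynamodb:LeadingKeys": [SUB_VAR],  # partition key must equal caller
                "dynamodb:Attributes": ["user_id", "order_id", "total"],
            },
            # ForAllValues over an EMPTY request set passes, so a read that names
            # no attributes (and so returns all of them) would slip through; the
            # docs pair dynamodb:Attributes with this Select check for that reason.
            "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"},
        },
    }],
}


def for_all_values_ok(requested, allowed):
    """ForAllValues semantics: every requested value is in the allowed set,
    and an empty request set counts as a match."""
    return set(requested) <= set(allowed)


def is_allowed(caller_sub, leading_keys, attributes, select=None):
    """Local model of the Condition block (IAM does the real evaluation).
    leading_keys: partition key values the request touches
    attributes:   attribute names the request lists ([] = none listed)
    select:       the request's Select value, or None when absent"""
    cond = POLICY["Statement"][0]["Condition"]
    equals = cond["ForAllValues:StringEquals"]
    allowed_keys = [k.replace(SUB_VAR, caller_sub) for k in equals["dynamodb:LeadingKeys"]]
    if not for_all_values_ok(leading_keys, allowed_keys):
        return False  # touches another user's partition
    if not for_all_values_ok(attributes, equals["dynamodb:Attributes"]):
        return False  # names an attribute outside the allowed list
    want_select = cond["StringEqualsIfExists"]["dynamodb:Select"]
    if select is not None and select != want_select:
        return False  # Select present but not SPECIFIC_ATTRIBUTES
    return True
```

The fourth case in the test shows the empty-set behaviour the Select condition exists to close.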

CloudWatch Contributor Insights

  • Contributor Insights shows you the most accessed and throttled items in DynamoDB
  • Also helps you analyze time-series data
  • Supported for DynamoDB and CloudWatch Logs
  • Identify outliers/contributors impacting system and application performance
  • Find the heaviest traffic patterns
  • Analyze the top system processes
  • Displayed on CloudWatch dashboard
  • Integrated with CloudWatch alarms