CloudWiki

DynamoDB
Amazon DynamoDB is a fully managed NoSQL database service that supports key–value and document data structures. DynamoDB is known for high performance and scale, and offers built-in security, continuous backups, automated multi-Region replication, in-memory caching and more.
aws_dynamodb_table attributes:

Required arguments:

  • attribute - (Required) Set of nested attribute definitions. Only required for hash_key and range_key attributes. See below.
  • hash_key - (Required, Forces new resource) Attribute to use as the hash (partition) key. Must also be defined as an attribute. See below.
  • name - (Required) Name of the table; must be unique within a region.

Optional arguments:

  • billing_mode - (Optional) Controls how you are charged for read and write throughput and how you manage capacity. The valid values are PROVISIONED and PAY_PER_REQUEST. Defaults to PROVISIONED.
  • global_secondary_index - (Optional) Describe a GSI for the table; subject to the normal limits on the number of GSIs, projected attributes, etc. See below.
  • local_secondary_index - (Optional, Forces new resource) Describe an LSI on the table; these can only be allocated at creation so you cannot change this definition after you have created the resource. See below.
  • point_in_time_recovery - (Optional) Enable point-in-time recovery options. See below.
  • range_key - (Optional, Forces new resource) Attribute to use as the range (sort) key. Must also be defined as an attribute, see below.
  • read_capacity - (Optional) Number of read units for this table. If the billing_mode is PROVISIONED, this field is required.
  • replica - (Optional) Configuration block(s) with DynamoDB Global Tables V2 (version 2019.11.21) replication configurations. See below.
  • restore_date_time - (Optional) Time of the point-in-time recovery point to restore.
  • restore_source_name - (Optional) Name of the table to restore. Must match the name of an existing table.
  • restore_to_latest_time - (Optional) If set, restores table to the most recent point-in-time recovery point.
  • server_side_encryption - (Optional) Encryption at rest options. AWS DynamoDB tables are automatically encrypted at rest with an AWS-owned Customer Master Key if this argument isn't specified. See below.
  • stream_enabled - (Optional) Whether Streams are enabled.
  • stream_view_type - (Optional) When an item in the table is modified, StreamViewType determines what information is written to the table's stream. Valid values are KEYS_ONLY, NEW_IMAGE, OLD_IMAGE, NEW_AND_OLD_IMAGES.
  • table_class - (Optional) Storage class of the table. Valid values are STANDARD and STANDARD_INFREQUENT_ACCESS.
  • tags - (Optional) A map of tags to populate on the created table. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
  • ttl - (Optional) Configuration block for TTL. See below.
  • write_capacity - (Optional) Number of write units for this table. If the billing_mode is PROVISIONED, this field is required.

attribute

  • name - (Required) Name of the attribute
  • type - (Required) Attribute type. Valid values are S (string), N (number), B (binary).

global_secondary_index

  • hash_key - (Required) Name of the hash key in the index; must be defined as an attribute in the resource.
  • name - (Required) Name of the index.
  • non_key_attributes - (Optional) Only required with INCLUDE as a projection type; a list of attributes to project into the index. These do not need to be defined as attributes on the table.
  • projection_type - (Required) One of ALL, INCLUDE or KEYS_ONLY where ALL projects every attribute into the index, KEYS_ONLY projects just the hash and range key into the index, and INCLUDE projects only the keys specified in the non_key_attributes parameter.
  • range_key - (Optional) Name of the range key; must be defined as an attribute in the resource.
  • read_capacity - (Optional) Number of read units for this index. Must be set if billing_mode is set to PROVISIONED.
  • write_capacity - (Optional) Number of write units for this index. Must be set if billing_mode is set to PROVISIONED.

local_secondary_index

  • name - (Required) Name of the index
  • non_key_attributes - (Optional) Only required with INCLUDE as a projection type; a list of attributes to project into the index. These do not need to be defined as attributes on the table.
  • projection_type - (Required) One of ALL, INCLUDE or KEYS_ONLY where ALL projects every attribute into the index, KEYS_ONLY projects just the hash and range key into the index, and INCLUDE projects only the keys specified in the non_key_attributes parameter.
  • range_key - (Required) Name of the range key.

point_in_time_recovery

  • enabled - (Required) Whether to enable point-in-time recovery. It can take 10 minutes to enable for new tables. If the point_in_time_recovery block is not provided, this defaults to false.

replica

  • kms_key_arn - (Optional) ARN of the CMK that should be used for the AWS KMS encryption.
  • point_in_time_recovery - (Optional) Whether to enable Point In Time Recovery for the replica. Default is false.
  • propagate_tags - (Optional) Whether to propagate the global table's tags to a replica. Default is false. Changes to tags only move in one direction: from global (source) to replica. In other words, tag drift on a replica will not trigger an update. Tag or replica changes on the global table, whether from drift or configuration changes, are propagated to replicas. Changing from true to false on a subsequent apply means replica tags are left as they were, unmanaged, not deleted.
  • region_name - (Required) Region name of the replica.

server_side_encryption

  • enabled - (Required) Whether or not to enable encryption at rest using an AWS managed KMS customer master key (CMK). If enabled is false then server-side encryption is set to AWS owned CMK (shown as DEFAULT in the AWS console). If enabled is true and no kms_key_arn is specified then server-side encryption is set to AWS managed CMK (shown as KMS in the AWS console). The AWS KMS documentation explains the difference between AWS owned and AWS managed CMKs.
  • kms_key_arn - (Optional) ARN of the CMK that should be used for the AWS KMS encryption. This attribute should only be specified if the key is different from the default DynamoDB CMK, alias/aws/dynamodb.

ttl

  • enabled - (Required) Whether TTL is enabled.
  • attribute_name - (Required) Name of the table attribute to store the TTL timestamp in.
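The server_side_encryption and point_in_time_recovery semantics above are what the encryption and PITR best-practice rules on this page check. The following Python is an added example, not CloudWiki's or the Terraform provider's code: it classifies a table's key from the shape of a DescribeTable response (no SSEDescription means the AWS-owned key, SSEType KMS means either the AWS-managed alias/aws/dynamodb key or a customer managed key) and reads PITR status from a DescribeContinuousBackups response. The responses, table names, account id and key ARNs are constructed samples, and the KEY_MANAGERS map stands in for the KeyManager value a real audit would fetch from KMS DescribeKey.

```python
"""Audit DynamoDB tables for encryption-at-rest key class and PITR status.

Added example, not CloudWiki's or the Terraform provider's code. Inputs are
constructed samples shaped like the DescribeTable and DescribeContinuousBackups
API responses; KEY_MANAGERS stands in for KMS DescribeKey's KeyManager field.
"""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Finding:
    table: str
    severity: str
    message: str


LABELS = {"AWS_OWNED": "AWS-owned", "AWS_MANAGED": "AWS-managed"}


def encryption_class(table_desc: dict[str, Any], key_managers: dict[str, str]) -> str:
    """Classify the key protecting a table: AWS_OWNED, AWS_MANAGED or CUSTOMER_MANAGED.

    DescribeTable omits SSEDescription for a table on the AWS-owned key (the
    console's DEFAULT, Terraform's enabled = false). SSEType "KMS" covers both
    the AWS-managed alias/aws/dynamodb key and a customer managed key; the KMS
    KeyManager value ("AWS" or "CUSTOMER") for the key ARN tells them apart.
    """
    sse = table_desc.get("SSEDescription") or {}
    if sse.get("Status") not in ("ENABLED", "ENABLING") or sse.get("SSEType") != "KMS":
        return "AWS_OWNED"
    key_arn = sse.get("KMSMasterKeyArn", "")
    return "CUSTOMER_MANAGED" if key_managers.get(key_arn) == "CUSTOMER" else "AWS_MANAGED"


def pitr_enabled(backups_desc: dict[str, Any]) -> bool:
    """Read PointInTimeRecoveryStatus out of a DescribeContinuousBackups response."""
    status = (backups_desc.get("ContinuousBackupsDescription", {})
              .get("PointInTimeRecoveryDescription", {})
              .get("PointInTimeRecoveryStatus", "DISABLED"))
    return status == "ENABLED"


def audit_table(table_desc: dict[str, Any], backups_desc: dict[str, Any],
                key_managers: dict[str, str]) -> list[Finding]:
    """Return one finding per violated rule; an empty list means the table passes."""
    name = table_desc["TableName"]
    findings: list[Finding] = []
    klass = encryption_class(table_desc, key_managers)
    if klass != "CUSTOMER_MANAGED":
        findings.append(Finding(name, "Info",
                                f"encrypted with the {LABELS[klass]} key, not a customer managed key"))
    if not pitr_enabled(backups_desc):
        findings.append(Finding(name, "Warning", "point-in-time recovery is disabled"))
    return findings


# Constructed sample data: account id and key ids are placeholders.
AWS_MANAGED_KEY = "arn:aws:kms:us-east-1:123456789012:key/aaaaaaaa-0000-0000-0000-000000000001"
CUSTOMER_KEY = "arn:aws:kms:us-east-1:123456789012:key/bbbbbbbb-0000-0000-0000-000000000002"
KEY_MANAGERS = {AWS_MANAGED_KEY: "AWS", CUSTOMER_KEY: "CUSTOMER"}


def _backups(status: str) -> dict[str, Any]:
    return {"ContinuousBackupsDescription": {
        "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": status}}}


SAMPLE_TABLES = {
    # no server_side_encryption block and no point_in_time_recovery block
    "GameScores": ({"TableName": "GameScores"}, _backups("DISABLED")),
    # enabled = true without kms_key_arn: AWS-managed alias/aws/dynamodb key
    "MusicCollection": ({"TableName": "MusicCollection",
                         "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
                                            "KMSMasterKeyArn": AWS_MANAGED_KEY}},
                        _backups("ENABLED")),
    # enabled = true with a customer managed kms_key_arn, PITR enabled
    "Orders": ({"TableName": "Orders",
                "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
                                   "KMSMasterKeyArn": CUSTOMER_KEY}},
               _backups("ENABLED")),
}


def run_sample() -> dict[str, list[Finding]]:
    """Audit every constructed sample table and return findings keyed by table name."""
    return {name: audit_table(t, b, KEY_MANAGERS) for name, (t, b) in SAMPLE_TABLES.items()}


if __name__ == "__main__":
    for name, findings in run_sample().items():
        for f in findings:
            print(f"[{f.severity}] {f.table}: {f.message}")
```

Run as a script it prints two findings for GameScores, one for MusicCollection and none for Orders; against real tables, the same functions take the dicts returned by the DescribeTable and DescribeContinuousBackups calls, plus KeyManager looked up per key ARN.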

Create DynamoDB via Terraform:
The following HCL creates a DynamoDB table; the definition models the table and GSI shown in the AWS SDK example documentation.
Syntax:

resource "aws_dynamodb_table" "basic-dynamodb-table" {
 name           = "GameScores"
 billing_mode   = "PROVISIONED"
 read_capacity  = 20
 write_capacity = 20
 hash_key       = "UserId"
 range_key      = "GameTitle"

 attribute {
   name = "UserId"
   type = "S"
 }

 attribute {
   name = "GameTitle"
   type = "S"
 }

 attribute {
   name = "TopScore"
   type = "N"
 }

 ttl {
   attribute_name = "TimeToExist"
   enabled        = false
 }

 global_secondary_index {
   name               = "GameTitleIndex"
   hash_key           = "GameTitle"
   range_key          = "TopScore"
   write_capacity     = 10
   read_capacity      = 10
   projection_type    = "INCLUDE"
   non_key_attributes = ["UserId"]
 }

 tags = {
   Name        = "dynamodb-table-1"
   Environment = "production"
 }
}

Create DynamoDB via CLI:
Parameters:

create-table
--attribute-definitions <value>
--table-name <value>
--key-schema <value>
[--local-secondary-indexes <value>]
[--global-secondary-indexes <value>]
[--billing-mode <value>]
[--provisioned-throughput <value>]
[--stream-specification <value>]
[--sse-specification <value>]
[--tags <value>]
[--table-class <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws dynamodb create-table \
   --table-name MusicCollection \
   --attribute-definitions AttributeName=Artist,AttributeType=S AttributeName=SongTitle,AttributeType=S \
   --key-schema AttributeName=Artist,KeyType=HASH AttributeName=SongTitle,KeyType=RANGE \
   --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \
   --tags Key=Owner,Value=blueTeam

Best Practices for DynamoDB

Categorized by Availability, Security & Compliance and Cost

  • Warning: Connections towards DynamoDB should be via VPC endpoints
  • Info: Ensure DynamoDB tables are encrypted with a customer managed key
  • Warning: Ensure DynamoDB tables have point-in-time recovery enabled
  • Info: Resource has access to DynamoDB database
  • Critical: Resource with over-permissive DynamoDB GetItem permissions
  • Critical: Resource with over-permissive DynamoDB GetItem permissions (via IAM Group inline)
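One way to implement the two over-permissive GetItem rules above against an IAM policy document, as an added example that is not CloudWiki's code: an Allow statement with no Condition counts as over-permissive when it grants dynamodb:GetItem (directly, through a wildcard such as dynamodb:* or dynamodb:Get*, or through a NotAction that does not exclude it) on "*", on a table/* ARN, or via NotResource. The policy documents, table names and account id are constructed samples; the dynamodb:LeadingKeys condition key in the scoped sample is a real IAM condition key.

```python
"""Flag IAM policy statements granting dynamodb:GetItem across all tables.

Added example, not CloudWiki's code. Policies are constructed samples and the
account id is a placeholder.
"""
from fnmatch import fnmatchcase
from typing import Any

GET_ITEM = "dynamodb:GetItem"


def _as_list(value: Any) -> list[str]:
    """IAM allows Action/Resource as a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def action_covers(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def resource_is_all_tables(resource: str) -> bool:
    """True for "*" or a DynamoDB ARN whose table component is a bare wildcard.

    arn:aws:dynamodb:us-east-1:123456789012:table/* reaches every table in that
    account and region; table/Orders or table/Orders/index/* does not.
    """
    if resource == "*":
        return True
    parts = resource.split(":", 5)
    if len(parts) != 6 or parts[2] not in ("dynamodb", "*"):
        return False
    return parts[5] in ("*", "table/*")


def overpermissive_getitem(policy: dict[str, Any]) -> list[str]:
    """Return the Sid (or positional label) of each offending statement."""
    raw = policy.get("Statement", [])
    statements = [raw] if isinstance(raw, dict) else list(raw)
    hits: list[str] = []
    for i, stmt in enumerate(statements):
        # Deny statements and condition-scoped grants (e.g. dynamodb:LeadingKeys
        # tying reads to the caller's own partition key) are not flagged here.
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "NotAction" in stmt:
            # NotAction grants everything except the listed actions
            covers = not any(action_covers(p, GET_ITEM) for p in _as_list(stmt["NotAction"]))
        else:
            covers = any(action_covers(p, GET_ITEM) for p in _as_list(stmt.get("Action")))
        if not covers:
            continue
        # NotResource grants every resource except the listed ones, so treat it as broad.
        broad = "NotResource" in stmt or any(
            resource_is_all_tables(r) for r in _as_list(stmt.get("Resource")))
        if broad:
            hits.append(stmt.get("Sid", f"Statement[{i}]"))
    return hits


# Constructed sample policies; 123456789012 is a placeholder account id.
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/"
SAMPLE_POLICIES = {
    "admin": {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllDynamo", "Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]},
    "scoped": {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadOrders", "Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:Query"], "Resource": TABLE_ARN + "Orders"}]},
    "prefix_wildcard": {"Version": "2012-10-17", "Statement":
        {"Effect": "Allow", "Action": "dynamodb:Get*", "Resource": TABLE_ARN + "*"}},
    "conditioned": {"Version": "2012-10-17", "Statement": [
        {"Sid": "OwnRowsOnly", "Effect": "Allow", "Action": "dynamodb:GetItem", "Resource": "*",
         "Condition": {"ForAllValues:StringEquals": {"dynamodb:LeadingKeys": ["${aws:userid}"]}}}]},
    "not_action": {"Version": "2012-10-17", "Statement": [
        {"Sid": "EverythingButS3", "Effect": "Allow", "NotAction": "s3:*", "Resource": "*"}]},
}


def run_sample() -> dict[str, list[str]]:
    """Evaluate every constructed sample policy and return hits keyed by policy name."""
    return {name: overpermissive_getitem(p) for name, p in SAMPLE_POLICIES.items()}


if __name__ == "__main__":
    for name, hits in run_sample().items():
        print(f"{name}: {'CRITICAL ' + ', '.join(hits) if hits else 'ok'}")
```

The same function applies to inline policies attached to users, roles or groups (the second rule's IAM Group inline case) because it only looks at the policy document; which principal carries the policy is the caller's concern.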