DynamoDB

Overview

This guide outlines the configuration steps for adding DynamoDB as a resource in StrongDM.

When the resource is added, StrongDM proxies client connections through a node (gateway, relay, or proxy cluster). This enables centralized access control, credential management, and audit logging. StrongDM supports standard DynamoDB clients and SDKs that use the AWS API.

To add a DynamoDB datasource as a resource, you will need the AWS region, service endpoint, and a valid set of credentials (AWS Access Key ID and Secret Access Key). Optionally, you can store these credentials in a supported secrets manager and reference them from within StrongDM. The DynamoDB service endpoint must be reachable from the selected StrongDM node and configured to accept connections from that node’s network.

Use this guide to complete all necessary preparations to add this resource to your StrongDM environment; input the correct properties in the Admin UI, CLI, SDKs, or Terraform provider; and test for a successful connection.

If you prefer to use an EC2-attached IAM role instead, see the DynamoDB (IAM) resource type guide.

In most cases, if your StrongDM nodes are deployed on AWS EC2 instances, EC2-attached IAM roles are recommended for the security benefits. If your nodes will be hosted outside of AWS, or you do not wish to use EC2-attached IAM roles, the use of Secret Access Keys to add DynamoDB to StrongDM is described in this guide.

Supported Versions and Clients

StrongDM supports AWS DynamoDB and is compatible with all standard DynamoDB clients, including:

AWS SDKs and CLI (for example, for Python, Node.js, Java, or Go)
GUI tools like NoSQL Workbench and Dynobase
Third-party applications interfacing through the DynamoDB API

Prerequisites

To add your resource in StrongDM, you need to meet several technical and configuration prerequisites. Please ensure that the following requirements are met.

In StrongDM, you must have the following:

Administrator permission level
At least one operational StrongDM node (gateway, relay, or proxy cluster) that can reach AWS DynamoDB endpoints
If using secrets management tools for storing your credentials, a Secret Store configured in StrongDM

To verify that the resource is accessible by the node, log in to the gateway or relay and use Netcat: nc -zv <HOSTNAME> <PORT> (in this example, nc -zv testdb-01.fancy.org 3306). If your gateway server can connect to this hostname, proceed.

Netcat is a tool for checking various hostnames and ports by either sending data (a ping) or checking for listeners on the ports. The command in the aforementioned example use "-z" to check for listeners without sending data and "-v" to show verbose output. If you don't have Netcat, you can install the Netcat package with whatever package manager you are using, such as "apt-get install netcat".

On the AWS side, you must have the following:

AWS IAM user with Secret Access Key & Secret Key credentials ready for StrongDM
Attached IAM policy granting at least these permissions for health checks and operation:
- dynamodb:ListGlobalTables
- dynamodb:ListTables
- dynamodb:ListStreams
- Additional operations such as Scan, GetItem, PutItem, Query, or DescribeTable depending on client needs
Use wildcard Resource: "*" for the health-check actions to function proper

Resource Setup

In order to connect to and manage the resource, you must attach an AWS access policy to the AWS user that you are using to add the resource in StrongDM. The policy can be created and attached when adding permissions of an IAM user in the AWS Management Console, by selecting the option Attach policies directly. The policy should follow these basic directives:

It is a best practice that this policy contains the minimum required actions necessary for users of this DynamoDB instance to do their work.
For a resource with role assumption, the "dynamodb:ListGlobalTables", "dynamodb:ListTables", and "dynamodb:ListStreams" actions are the minimum required actions to allow StrongDM to successfully complete healthchecks.
The wildcard value for Resource is required for the "dynamodb:ListGlobalTables", "dynamodb:ListTables", and "dynamodb:ListStreams" actions to function properly because they are not scoped to a specific resource.

The following is an example of a policy that follows such best practices.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "dynamodb:ListGlobalTables",
                "dynamodb:ListTables",
                "dynamodb:ListStreams",
                "dynamodb:Scan",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:DescribeTable"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

It is a security best practice to create one policy to grant the healthcheck actions that require global Resource scoping, create a separate policy with the actions users need to conduct with resource-specific scoping, and then attach both policies.

Resource Management in StrongDM

After all prerequisites and prep work is done, you are ready to add the resource to StrongDM. This section provides instructions for adding the resource in either the StrongDM Admin UI, CLI, Terraform provider, or SDKs.

Set up and Manage With the Admin UI

If using the Admin UI to add a DynamoDB database as a StrongDM resource, use the following steps.

Log in to the StrongDM Admin UI.
Go to Resources > Datasources.
Click Add datasource.
Select DynamoDB as the Datasource Type and set other configuration properties for your new database resource.
Complete all required fields.
Click Create to save the resource.
Click the resource name to view status, diagnostic information, and setting details.

Set up and Manage With the CLI

This section provides an example of how to configure and manage the resource using the StrongDM CLI. For more information and examples, please see the CLI Reference documentation.

# Add DynamoDB datasource
sdm admin datasources add dynamodb ddb-prod
  --endpoint="dynamodb.us-west-2.amazonaws.com"
  --region="us-west-2"
  --access-key="AKIAEXAMPLE"
  --secret-key="SECRETEXAMPLE"
  --bind-interface="127.0.0.1"
  --egress-filter="tag:env=prod"
  --proxy-cluster-id="n-1a2b345c67890123"
  --secret-store-id="se-e1b2"
  --subdomain="ddb-prod"
  --tags="env=production,team=storage"

Set up and Manage With Terraform

This section provides an example of how to configure and manage the resource using the Terraform provider. For more information and examples, please see the Terraform provider documentation.

# Install StrongDM provider
terraform {
  required_providers {
    sdm = {
      source  = "strongdm/sdm"
      version = "5.1.0"
    }
  }
}

# Configure StrongDM provider
provider "sdm" {
  # Add API access key and secret key from Admin UI
  api_access_key = "njjSn...5hM"
  api_secret_key = "ziG...="
}

# Create DynamoDB resource
resource "sdm_dynamodb" "ddb_prod" {
  name             = "ddb-prod"
  endpoint         = "dynamodb.us-west-2.amazonaws.com"
  region           = "us-west-2"

  access_key       = "AKIAEXAMPLE"
  secret_key       = "SECRETEXAMPLE"

  bind_interface   = "127.0.0.1"
  egress_filter    = "tag:env=prod"
  proxy_cluster_id = "n-1a2b345c67890123"

  secret_store_id  = "se-e1b2"
  subdomain        = "ddb-prod"
  tags = {
    env  = "production"
    team = "storage"
  }
}

Configuration Properties

The following configuration properties are required to define a DynamoDB datasource in StrongDM. These settings control how StrongDM connects to the resource, authenticates the connection, and optionally uses encryption or secret management. Each property must be correctly configured to ensure connectivity and access enforcement through StrongDM.

Property

Requirement

Description

Display Name

Required

Meaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >)

Datasource Type

Required

Select DynamoDB

Proxy Cluster

Required

Defaults to "None (use gateways)"; if using proxy clusters, select the appropriate cluster to proxy traffic to this resource

Endpoint

Required

API server endpoint of the resource in the format dynamodb.<REGION>.amazonaws.com, such as dynamodb.us-west-2.amazonaws.com; relay server should be able to connect to your resource

Connectivity Mode

Required

Select either Virtual Networking Mode, which lets users connect to the resource with a software-defined, IP-based network; or Loopback Mode, which allows users to connect to the resource using the local loopback adapter in their operating system; this field is shown if Virtual Networking Mode enabled for your organization

IP Address

Optional

If Virtual Networking Mode is the selected connectivity mode, an IP address value in the configured Virtual Networking Mode subnet in the organization network settings; if Loopback Mode is the selected connectivity mode, an IP address value in the configured Loopback IP range in the organization network settings (by default, 127.0.0.1); if not specified, an available IP address in the configured IP address space for the selected connectivity mode will be automatically assigned; this field is shown if Virtual Networking Mode and/or multi-loopback mode is enabled for your organization

Port Override

Optional

If Virtual Networking Mode is the selected connectivity mode, a port value between 1 and 65535 that is not already in use by another resource with the same IP address; if Loopback Mode is the selected connectivity mode, a port value between 1024 to 64999 that is not already in use by another resource with the same IP address; when left empty with Virtual Networking Mode, the system assigns the default port to this resource; when left empty for Loopback Mode, an available port that is not already in use by another resource is assigned; preferred port also can be modified later from the Port Overrides settings

DNS

Optional

If Virtual Networking Mode is the selected connectivity mode, a unique hostname alias for this resource; when set, causes the desktop app to display this resource's human-readable DNS name (for example, k8s.my-organization-name) instead of the bind address that includes IP address and port (for example, 100.64.100.100:5432)

Region

Required

Region of the resource, such as us-west-2

Secret Store

Optional

Credential store location; defaults to Strong Vault; to learn more, see Secret Store options

Access Key ID

Required

Access key ID, such as AKIAIOSFODNN7EXAMPLE, from the AWS key pair that you created in Step 1

Access Key ID (path)

Required

If Secret Store integration is configured for your organization and you selected a Secret Store type that is not StrongDM, enter the path to the secret in your Secret Store (for example, path/to/credential?key=optionalKeyName). The key argument is optional.

Secret Access Key

Required

Secret access key, such as wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY, from the AWS key pair that you created in Step 1

Secret Access Key (path)

Required

Assume Role ARN

Optional

Role ARN, such as arn:aws:iam::000000000000:role/RoleName, that allows users accessing this resource to assume a role using AWS AssumeRole functionality

Assume Role ARN (path)

Optional

Assume Role External ID

Optional

External ID if leveraging an external ID to users assuming a role from another account; if used, it must be used in conjunction with Assume Role ARN; see the AWS documentation on using external IDs for more information

Assume Role External ID (path)

Optional

Resource Tags

Optional

Resource Tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev)

Secret Store options

By default, datasource credentials are stored in StrongDM. However, these credentials can also be saved in a secrets management tool.

Non-StrongDM options appear in the Secret Store dropdown if they are created under Network > Secret Stores. When you select another Secret Store type, its unique properties display. For more details, see Configure Secret Store Integrations.

Resource status

After a resource is created, the Admin UI displays that resource as unhealthy until the healthchecks run successfully. When the resource is ready, the Health icon indicates a positive, green status.

When the resource does not display a positive status, click the resource name to go to the Diagnostics tab and check for errors.

Test the Connection

You can test your connectivity and that your IAM role is functioning correctly by running some test commands at the AWS console, similar to the examples shown, which contain the following placeholders:

<REGION>: AWS region of DynamoDB database (for example, us-west-2)
<ENDPOINT>: Local endpoint as supplied by StrongDM (for example, http://localhost:10008)
<TABLE>: Name of the DynamoDB table to run command on (for example, prod-example-dynamodb)

List Tables in DynamoDB

aws --region <REGION> dynamodb \
list-tables \
--endpoint-url <ENDPOINT> \
--no-sign-request

Describe Table

aws --region <REGION> dynamodb \
describe-table --table-name <TABLE> \
--endpoint-url <ENDPOINT> \
--no-sign-request

Scan Table

aws --region <REGION> dynamodb \
scan \
--table-name <TABLE> \
--endpoint-url <ENDPOINT> \
--no-sign-request history

Help

If you encounter issues, please consult the StrongDM Help Center.

Be prepared to provide the following information to StrongDM Support, so that they can inspect logs and confirm node and resource health:

Resource name or ID
CLI error output or logs
Node name and region
Timestamps of failed attempts

Last updated 1 month ago

Was this helpful?

Overview

Supported Versions and Clients

Prerequisites

Resource Setup

Resource Management in StrongDM

Set up and Manage With the Admin UI

Set up and Manage With the CLI

Set up and Manage With Terraform

Set up and manage with SDKs

Configuration Properties

Secret Store options

Resource status

Test the Connection

Help