VPC endpoints for private access in DynamoDB - Mini Project: Build & Apply

VPC Endpoints for Private Access to DynamoDB
📖 Scenario: You work for a company that wants to securely access its DynamoDB tables from within a Virtual Private Cloud (VPC) without using the public internet. To do this, you will set up VPC endpoints that allow private access to DynamoDB.
🎯 Goal: Build a DynamoDB table and configure a VPC endpoint policy that allows private access to the table from your VPC.
📋 What You'll Learn
Create a DynamoDB table named Employees with a primary key EmployeeID of type string.
Define a VPC endpoint policy that allows dynamodb:Query and dynamodb:GetItem actions on the Employees table.
Configure the VPC endpoint policy JSON with the correct resource ARN for the Employees table.
Ensure the policy restricts access only to the Employees table.
💡 Why This Matters
🌍 Real World
Companies use VPC endpoints to securely connect to AWS services like DynamoDB without exposing traffic to the public internet, improving security and reducing latency.
💼 Career
Cloud engineers and database administrators often configure VPC endpoints and policies to control access to cloud databases in enterprise environments.
Step 1: Create the DynamoDB table
Create a DynamoDB table named Employees with a primary key called EmployeeID of type string.

Hint: Use the AWS CLI create-table command with the correct attribute definitions and key schema.

Step 2: Define the VPC endpoint policy template
Create a JSON variable called vpc_endpoint_policy that allows dynamodb:Query and dynamodb:GetItem actions on the DynamoDB resource ARN for the Employees table. Use the ARN format arn:aws:dynamodb:region:account-id:table/Employees as a placeholder.

Hint: Write the JSON policy as a multiline string assigned to vpc_endpoint_policy.

Step 3: Replace placeholders with actual region and account ID
Update the vpc_endpoint_policy JSON string to replace region with us-east-1 and account-id with 123456789012 in the resource ARN.

Hint: Replace the placeholders exactly as shown in the resource ARN string.

Step 4: Attach the VPC endpoint policy
Use the AWS CLI command to create a VPC endpoint for DynamoDB with the policy document set to the vpc_endpoint_policy JSON string. Use --vpc-id vpc-0abc123def456 and --service-name com.amazonaws.us-east-1.dynamodb in the command.

Hint: Use the AWS CLI create-vpc-endpoint command with the correct options and policy document variable.
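
The four steps above as one script, added here as an example and not part of the original exercise. The region, account ID, VPC ID, table and variable names come from the page; the DRY_RUN switch, the function names, the scope check, on-demand billing, the Gateway endpoint type and the "Principal": "*" element are assumptions of this example.

```shell
#!/bin/sh
# Added example: steps 1-4 as one script; DRY_RUN and function names are assumptions.
set -eu

REGION="us-east-1"
ACCOUNT_ID="123456789012"
VPC_ID="vpc-0abc123def456"
TABLE="Employees"

# Steps 2-3: two read actions on exactly one table ARN (Principal "*" is an assumption).
build_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["dynamodb:Query", "dynamodb:GetItem"],
    "Resource": "arn:aws:dynamodb:${REGION}:${ACCOUNT_ID}:table/${TABLE}"
  }]
}
EOF
}

# Reject wildcard actions/resources; require the Employees table ARN.
policy_is_scoped() {
  case "$1" in *'dynamodb:*'*|*'"Resource": "*"'*|*'table/*'*) return 1 ;; esac
  case "$1" in *":table/${TABLE}\""*) return 0 ;; *) return 1 ;; esac
}

# Print the command unless DRY_RUN=0, in which case execute it.
run() { if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

create_table() {  # Step 1: string partition key EmployeeID
  run aws dynamodb create-table --region "$REGION" --table-name "$TABLE" \
    --attribute-definitions AttributeName=EmployeeID,AttributeType=S \
    --key-schema AttributeName=EmployeeID,KeyType=HASH \
    --billing-mode PAY_PER_REQUEST  # assumption: on-demand capacity
}

create_endpoint() {  # Step 4: attach the policy at endpoint creation
  vpc_endpoint_policy="$(build_policy)"
  policy_is_scoped "$vpc_endpoint_policy" || { echo "policy too broad" >&2; return 1; }
  run aws ec2 create-vpc-endpoint --region "$REGION" --vpc-id "$VPC_ID" \
    --service-name "com.amazonaws.${REGION}.dynamodb" \
    --vpc-endpoint-type Gateway --policy-document "$vpc_endpoint_policy"
}

create_table && create_endpoint
```

By default the script only prints the two commands; set DRY_RUN=0 to run them. A gateway endpoint carries traffic only for the route tables associated with it (--route-table-ids), which the exercise does not specify.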