Tutorial prerequisites and considerations

Important

End of support notice: Existing customers will be able to use Amazon QLDB until end of support on 07/31/2025. For more details, see Migrate an Amazon QLDB Ledger to Amazon Aurora PostgreSQL.

Before you start this Amazon QLDB tutorial, make sure that you complete the following prerequisites:

1. Follow the AWS setup instructions in Accessing Amazon QLDB, if you haven't already done so. These steps include signing up for AWS and creating an administrative user.

2. Follow the instructions in Setting up permissions to set up IAM permissions for your QLDB resources. To complete all of the steps in this tutorial, you need full administrative access to your ledger resources through the AWS Management Console.

   Note

   If you're already signed in as a user with full AWS administrative permissions, you can skip this step.

3. (Optional) QLDB encrypts data at rest using a key in AWS Key Management Service (AWS KMS). You can choose one of the following types of AWS KMS keys:

   • AWS owned KMS key – Use a KMS key that is owned and managed by AWS on your behalf. This is the default option and requires no additional setup.

   • Customer managed KMS key – Use a symmetric encryption KMS key in your account that you create, own, and manage. QLDB doesn't support asymmetric keys.

     This option requires you to create a KMS key or use an existing key in your account. For instructions on creating a customer managed key, see Creating symmetric encryption KMS keys in the AWS Key Management Service Developer Guide.

     You can specify a customer managed KMS key by using an ID, alias, or Amazon Resource Name (ARN). To learn more, see Key identifiers (KeyId) in the AWS Key Management Service Developer Guide.

     Note

     Cross-Region keys are not supported. The specified KMS key must be in the same AWS Region as your ledger.

Setting up permissions

In this step, you set up full access permissions through the console for all QLDB resources in your AWS account. To grant these permissions quickly, use the AWS managed policy AmazonQLDBConsoleFullAccess.

To provide access, add permissions to your users, groups, or roles:

• Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in Create a permission set in the AWS IAM Identity Center User Guide.

• Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in Creating a role for a third-party identity provider (federation) in the IAM User Guide.

• IAM users:

  • Create a role that your user can assume. Follow the instructions in Creating a role for an IAM user in the IAM User Guide.

  • (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in Adding permissions to a user (console) in the IAM User Guide.

Important

For the purposes of this tutorial, you grant yourself full administrative access to all QLDB resources. For production use cases, however, follow the security best practice of granting least privilege, or granting only the permissions required to perform a task. For examples, see Identity-based policy examples for Amazon QLDB.

To create a ledger named vehicle-registration, proceed to Step 1: Create a new ledger.