Tutorial prerequisites and considerations - Amazon Quantum Ledger Database (Amazon QLDB)

Tutorial prerequisites and considerations

Before you start this Amazon QLDB tutorial, make sure that you complete the following prerequisites:

  1. Follow the AWS setup instructions in Accessing Amazon QLDB, if you haven't already done so. These steps include signing up for AWS and creating an administrative user.

  2. Follow the instructions in Setting up permissions to set up IAM permissions for your QLDB resources. To complete all of the steps in this tutorial, you need full administrative access to your ledger resources through the AWS Management Console.


    If you're already signed in as a user with full AWS administrative permissions, you can skip this step.

  3. (Optional) QLDB encrypts data at rest using a key in AWS Key Management Service (AWS KMS). You can choose one of the following types of AWS KMS keys:

    • AWS owned KMS key – Use a KMS key that is owned and managed by AWS on your behalf. This is the default option and requires no additional setup.

    • Customer managed KMS key – Use a symmetric encryption KMS key in your account that you create, own, and manage. QLDB doesn't support asymmetric keys.

      This option requires you to create a KMS key or use an existing key in your account. For instructions on creating a customer managed key, see Creating symmetric encryption KMS keys in the AWS Key Management Service Developer Guide.

      You can specify a customer managed KMS key by using an ID, alias, or Amazon Resource Name (ARN). To learn more, see Key identifiers (KeyId) in the AWS Key Management Service Developer Guide.


      Cross-Region keys are not supported. The specified KMS key must be in the same AWS Region as your ledger.

Setting up permissions

In this step, you set up full access permissions through the console for all QLDB resources in your AWS account. To grant these permissions quickly, use the AWS managed policy AmazonQLDBConsoleFullAccess.

To provide access, add permissions to your users, groups, or roles:


For the purposes of this tutorial, you grant yourself full administrative access to all QLDB resources. For production use cases, however, follow the security best practice of granting least privilege, or granting only the permissions required to perform a task. For examples, see Identity-based policy examples for Amazon QLDB.

To create a ledger named vehicle-registration, proceed to Step 1: Create a new ledger.