Identity-based policy examples for Amazon QLDB
By default, users and roles don't have permission to create or modify QLDB resources. They also can't perform tasks by using the AWS Management Console, AWS Command Line Interface (AWS CLI), or AWS API. To grant users permission to perform actions on the resources that they need, an IAM administrator can create IAM policies. The administrator can then add the IAM policies to roles, and users can assume the roles.
To learn how to create an IAM identity-based policy by using these example JSON policy documents, see Creating IAM policies in the IAM User Guide.
For details about actions and resource types defined by QLDB, including the format of the ARNs for each of the resource types, see Actions, resources, and condition keys for Amazon QLDB in the Service Authorization Reference.
Contents
Policy best practices
Identity-based policies determine whether someone can create, access, or delete QLDB resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:
-
Get started with AWS managed policies and move toward least-privilege permissions – To get started granting permissions to your users and workloads, use the AWS managed policies that grant permissions for many common use cases. They are available in your AWS account. We recommend that you reduce permissions further by defining AWS customer managed policies that are specific to your use cases. For more information, see AWS managed policies or AWS managed policies for job functions in the IAM User Guide.
-
Apply least-privilege permissions – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as least-privilege permissions. For more information about using IAM to apply permissions, see Policies and permissions in IAM in the IAM User Guide.
-
Use conditions in IAM policies to further restrict access – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as AWS CloudFormation. For more information, see IAM JSON policy elements: Condition in the IAM User Guide.
-
Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see IAM Access Analyzer policy validation in the IAM User Guide.
-
Require multi-factor authentication (MFA) – If you have a scenario that requires IAM users or a root user in your AWS account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see Configuring MFA-protected API access in the IAM User Guide.
For more information about best practices in IAM, see Security best practices in IAM in the IAM User Guide.
Using the QLDB console
To access the Amazon QLDB console, you must have a minimum set of permissions. These permissions must allow you to list and view details about the QLDB resources in your AWS account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (users or roles) with that policy.
You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the AWS API. Instead, allow access to only the actions that match the API operation that they're trying to perform.
To ensure that users and roles have full access to the QLDB console and all of its features, attach the following AWS managed policy to the entities. For more information, see AWS managed policies for Amazon QLDB, and Adding permissions to a user in the IAM User Guide.
AmazonQLDBConsoleFullAccess
Query history permissions
In addition to QLDB permissions, some console features require permissions for
the Database Query Metadata Service (service prefix:
dbqms). This is an internal-only service that manages your recent and
saved queries on the console query editor for QLDB and other AWS services. For a
full list of DBQMS API actions, see Database Query Metadata Service in the
Service Authorization Reference.
To allow query history permissions, you can use the AWS managed policy AmazonQLDBConsoleFullAccess. This policy uses a wildcard
(dbqms:*) to allow all DBQMS actions for all resources.
Or, you can create a custom IAM policy and include the following DBQMS actions. The PartiQL query editor on the QLDB console requires permissions to use these actions for query history features.
dbqms:CreateFavoriteQuery dbqms:CreateQueryHistory dbqms:DeleteFavoriteQueries dbqms:DeleteQueryHistory dbqms:DescribeFavoriteQueries dbqms:DescribeQueryHistory dbqms:UpdateFavoriteQuery
Full access console permissions without query history
To allow full access to the QLDB console without any query
history permissions, you can create a custom IAM policy that excludes all DBQMS actions. For example, the following policy document allows the
same permissions that are granted by the AWS managed policy AmazonQLDBConsoleFullAccess, except actions that
begin with the service prefix dbqms.
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "qldb:CreateLedger", "qldb:UpdateLedger", "qldb:UpdateLedgerPermissionsMode", "qldb:DeleteLedger", "qldb:ListLedgers", "qldb:DescribeLedger", "qldb:ExportJournalToS3", "qldb:ListJournalS3Exports", "qldb:ListJournalS3ExportsForLedger", "qldb:DescribeJournalS3Export", "qldb:CancelJournalKinesisStream", "qldb:DescribeJournalKinesisStream", "qldb:ListJournalKinesisStreamsForLedger", "qldb:StreamJournalToKinesis", "qldb:GetBlock", "qldb:GetDigest", "qldb:GetRevision", "qldb:TagResource", "qldb:UntagResource", "qldb:ListTagsForResource", "qldb:SendCommand", "qldb:ExecuteStatement", "qldb:ShowCatalog", "qldb:InsertSampleData", "qldb:PartiQLCreateIndex", "qldb:PartiQLDropIndex", "qldb:PartiQLCreateTable", "qldb:PartiQLDropTable", "qldb:PartiQLUndropTable", "qldb:PartiQLDelete", "qldb:PartiQLInsert", "qldb:PartiQLUpdate", "qldb:PartiQLSelect", "qldb:PartiQLHistoryFunction" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "kinesis:ListStreams", "kinesis:DescribeStream" ], "Effect": "Allow", "Resource": "*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": "qldb.amazonaws.com" } } } ] }
Allow users to view their own permissions
This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ViewOwnUserInfo", "Effect": "Allow", "Action": [ "iam:GetUserPolicy", "iam:ListGroupsForUser", "iam:ListAttachedUserPolicies", "iam:ListUserPolicies", "iam:GetUser" ], "Resource": ["arn:aws:iam::*:user/${aws:username}"] }, { "Sid": "NavigateInConsole", "Effect": "Allow", "Action": [ "iam:GetGroupPolicy", "iam:GetPolicyVersion", "iam:GetPolicy", "iam:ListAttachedGroupPolicies", "iam:ListGroupPolicies", "iam:ListPolicyVersions", "iam:ListPolicies", "iam:ListUsers" ], "Resource": "*" } ] }
Running data transactions
To interact with the QLDB transactional data API (QLDB
Session) by running PartiQL statements
on a ledger, you must grant permission to the SendCommand API action. The
following JSON document is an example of a policy that grants permission to only the
SendCommand API action on the ledger
myExampleLedger.
To use this policy, replace us-east-1,
123456789012, and myExampleLedger in the example with your own information.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "QLDBSendCommandPermission", "Effect": "Allow", "Action": "qldb:SendCommand", "Resource": "arn:aws:qldb:us-east-1:123456789012:ledger/myExampleLedger" } ] }
If myExampleLedger uses the ALLOW_ALL permissions mode,
this policy grants permissions to run all PartiQL commands on any table in the
ledger.
You can also use an AWS managed policy to grant full access to all QLDB resources. For more information, see AWS managed policies for Amazon QLDB.
Standard permissions for PartiQL actions and table resources
For ledgers in the STANDARD permissions mode, you can refer to the
following IAM policy documents as examples of granting the appropriate PartiQL
permissions. For a list of the required permissions for each PartiQL command, see the
PartiQL permissions reference.
Topics
Full access to all actions
The following JSON policy document grants full access to use
all PartiQL commands on all tables in
myExampleLedger. This policy produces the same effect as using the
ALLOW_ALL permissions mode for the ledger.
To use this policy, replace us-east-1,
123456789012, and myExampleLedger in the example with your own information.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "QLDBSendCommandPermission", "Effect": "Allow", "Action": "qldb:SendCommand", "Resource": "arn:aws:qldb:us-east-1:123456789012:ledger/myExampleLedger" }, { "Sid": "QLDBPartiQLFullPermissions", "Effect": "Allow", "Action": [ "qldb:PartiQLCreateIndex", "qldb:PartiQLDropIndex", "qldb:PartiQLCreateTable", "qldb:PartiQLDropTable", "qldb:PartiQLUndropTable", "qldb:PartiQLDelete", "qldb:PartiQLInsert", "qldb:PartiQLUpdate", "qldb:PartiQLRedact", "qldb:PartiQLSelect", "qldb:PartiQLHistoryFunction" ], "Resource": [ "arn:aws:qldb:us-east-1:123456789012:ledger/myExampleLedger/table/*", "arn:aws:qldb:us-east-1:123456789012:ledger/myExampleLedger/information_schema/user_tables" ] } ] }
Full access to all actions based on table tags
The following JSON policy document uses a condition that is based on table
resource tags to grant full access to use all PartiQL
commands on all tables in myExampleLedger.
Permissions are granted only if the table tag environment has the
value development.
Warning
This is an example of using a wildcard character (*) to allow all PartiQL actions, including administrative and read/write operations on all tables in a QLDB ledger. Instead, it's a best practice to explicitly specify each action to be granted, and only what that user, role, or group needs.
To use this policy, replace us-east-1,
123456789012, and myExampleLedger in the example with your own information.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "QLDBSendCommandPermission", "Effect": "Allow", "Action": "qldb:SendCommand", "Resource": "arn:aws:qldb:us-east-1:123456789012:ledger/myExampleLedger" }, { "Sid": "QLDBPartiQLFullPermissionsBasedOnTags", "Effect": "Allow", "Action": [ "qldb:PartiQL*" ], "Resource": [ "arn:aws:qldb:us-east-1:123456789012:ledger/myExampleLedger/table/*", "arn:aws:qldb:us-east-1:123456789012:ledger/myExampleLedger/information_schema/user_tables" ], "Condition": { "StringEquals": { "aws:ResourceTag/environment": "development" } } } ] }
Read/write access
The following JSON policy document grants permissions to select, insert,
update, and delete data on all tables in myExampleLedger. This policy
doesn't grant permissions to redact data or alter the schema—for example,
creating and dropping tables and indexes.
Note
An UPDATE statement requires permissions to both the
qldb:PartiQLUpdate and qldb:PartiQLSelect actions
on the table that is being modified. When you run an UPDATE
statement, it performs a read operation in addition to the update operation.
Requiring both actions ensures that only users who are allowed to read the
contents of a table are granted UPDATE permissions.
Similarly, a DELETE statement requires permissions to both the
qldb:PartiQLDelete and qldb:PartiQLSelect
actions.
To use this policy, replace us-east-1,
123456789012, and myExampleLedger in the example with your own information.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "QLDBSendCommandPermission", "Effect": "Allow", "Action": "qldb:SendCommand", "Resource": "arn:aws:qldb:us-east-1:123456789012:ledger/myExampleLedger" }, { "Sid": "QLDBPartiQLReadWritePermissions", "Effect": "Allow", "Action": [ "qldb:PartiQLDelete", "qldb:PartiQLInsert", "qldb:PartiQLUpdate", "qldb:PartiQLSelect", "qldb:PartiQLHistoryFunction" ], "Resource": [ "arn:aws:qldb:us-east-1:123456789012:ledger/myExampleLedger/table/*", "arn:aws:qldb:us-east-1:123456789012:ledger/myExampleLedger/information_schema/user_tables" ] } ] }
Read-only access
The following JSON policy document grants read-only permissions on all tables
in myExampleLedger. To use this policy, replace us-east-1,
123456789012, and myExampleLedger in the example with your own information.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "QLDBSendCommandPermission", "Effect": "Allow", "Action": "qldb:SendCommand", "Resource": "arn:aws:qldb:us-east-1:123456789012:ledger/myExampleLedger" }, { "Sid": "QLDBPartiQLReadOnlyPermissions", "Effect": "Allow", "Action": [ "qldb:PartiQLSelect", "qldb:PartiQLHistoryFunction" ], "Resource": [ "arn:aws:qldb:us-east-1:123456789012:ledger/myExampleLedger/table/*", "arn:aws:qldb:us-east-1:123456789012:ledger/myExampleLedger/information_schema/user_tables" ] } ] }
Read-only access to a specific table
The following JSON policy document grants read-only permissions on a specific
table in myExampleLedger. In this example, the table ID is
Au1EiThbt8s0z9wM26REZN.
To use this policy, replace us-east-1,
123456789012,
myExampleLedger, and
Au1EiThbt8s0z9wM26REZN in the example with your own
information.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "QLDBSendCommandPermission", "Effect": "Allow", "Action": "qldb:SendCommand", "Resource": "arn:aws:qldb:us-east-1:123456789012:ledger/myExampleLedger" }, { "Sid": "QLDBPartiQLReadOnlyPermissionsOnTable", "Effect": "Allow", "Action": [ "qldb:PartiQLSelect", "qldb:PartiQLHistoryFunction" ], "Resource": [ "arn:aws:qldb:us-east-1:123456789012:ledger/myExampleLedger/table/Au1EiThbt8s0z9wM26REZN" ] } ] }
Allow access to create tables
The following JSON policy document grants permission to create tables in
myExampleLedger. The qldb:PartiQLCreateTable action
requires permissions to the table resource type. However, the table ID of a new
table isn't known at the time when you run a CREATE TABLE statement.
So, a policy that grants the qldb:PartiQLCreateTable permission must
use a wildcard (*) in the table ARN to specify the resource.
To use this policy, replace us-east-1,
123456789012, and myExampleLedger in the example with your own information.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "QLDBSendCommandPermission", "Effect": "Allow", "Action": "qldb:SendCommand", "Resource": "arn:aws:qldb:us-east-1:123456789012:ledger/myExampleLedger" }, { "Sid": "QLDBPartiQLCreateTablePermission", "Effect": "Allow", "Action": [ "qldb:PartiQLCreateTable" ], "Resource": [ "arn:aws:qldb:us-east-1:123456789012:ledger/myExampleLedger/table/*" ] } ] }
Allow access to create tables based on request tags
The following JSON policy document uses a condition based on the
aws:RequestTag context key to grant permission to create tables in
myExampleLedger. Permissions are granted only if the request tag
environment has the value development. Tagging tables
on creation requires access to both the qldb:PartiQLCreateTable and
qldb:TagResource actions. To learn how to tag tables on creation,
see Tagging tables.
To use this policy, replace us-east-1,
123456789012, and myExampleLedger in the example with your own information.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "QLDBSendCommandPermission", "Effect": "Allow", "Action": "qldb:SendCommand", "Resource": "arn:aws:qldb:us-east-1:123456789012:ledger/myExampleLedger" }, { "Sid": "QLDBPartiQLCreateTablePermission", "Effect": "Allow", "Action": [ "qldb:PartiQLCreateTable", "qldb:TagResource" ], "Resource": [ "arn:aws:qldb:us-east-1:123456789012:ledger/myExampleLedger/table/*" ], "Condition": { "StringEquals": { "aws:RequestTag/environment": "development" } } } ] }
Exporting a journal to an Amazon S3 bucket
Step 1: QLDB journal export permissions
In the following example, you grant a user in your AWS account permissions
to perform the qldb:ExportJournalToS3 action on a QLDB ledger resource.
You also grant permissions to perform the iam:PassRole action on the IAM
role resource that you want to pass to the QLDB service. This is required for all
journal export requests.
To use this policy, replace us-east-1,
123456789012,
myExampleLedger, and
qldb-s3-export in the example with your own
information.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "QLDBJournalExportPermission", "Effect": "Allow", "Action": "qldb:ExportJournalToS3", "Resource": "arn:aws:qldb:us-east-1:123456789012:ledger/myExampleLedger" }, { "Sid": "IAMPassRolePermission", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::123456789012:role/qldb-s3-export", "Condition": { "StringEquals": { "iam:PassedToService": "qldb.amazonaws.com" } } } ] }
Step 2: Amazon S3 bucket permissions
In the following example, you use an IAM role to grant QLDB access to write into
one of your Amazon S3 buckets, DOC-EXAMPLE-BUCKET. This is also required for
all QLDB journal exports.
In addition to granting the s3:PutObject permission, the policy also
grants the s3:PutObjectAcl permission for the ability to set the access
control list (ACL) permissions for an object.
To use this policy, replace DOC-EXAMPLE-BUCKET in the example with your Amazon S3 bucket name.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "QLDBJournalExportS3Permissions", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:PutObjectAcl" ], "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" } ] }
Then, you attach this permissions policy to an IAM role that QLDB can assume to
access your Amazon S3 bucket. The following JSON document is an example of a trust policy
that allows QLDB to assume the IAM role for any QLDB resource in the account
123456789012 only.
To use this policy, replace us-east-1 and
123456789012 in the example with your own
information.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "qldb.amazonaws.com" }, "Action": [ "sts:AssumeRole" ], "Condition": { "ArnEquals": { "aws:SourceArn": "arn:aws:qldb:us-east-1:123456789012:*" }, "StringEquals": { "aws:SourceAccount": "123456789012" } } } ] }
Streaming a journal to Kinesis Data Streams
Step 1: QLDB journal stream permissions
In the following example, you grant a user in your AWS account permissions
to perform the qldb:StreamJournalToKinesis action on all QLDB stream
subresources in a ledger. You also grant permissions to perform the
iam:PassRole action on the IAM role resource that you want to pass to
the QLDB service. This is required for all journal stream requests.
To use this policy, replace us-east-1,
123456789012,
myExampleLedger, and
qldb-kinesis-stream in the example with your own
information.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "QLDBJournalStreamPermission", "Effect": "Allow", "Action": "qldb:StreamJournalToKinesis", "Resource": "arn:aws:qldb:us-east-1:123456789012:stream/myExampleLedger/*" }, { "Sid": "IAMPassRolePermission", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::123456789012:role/qldb-kinesis-stream", "Condition": { "StringEquals": { "iam:PassedToService": "qldb.amazonaws.com" } } } ] }
Step 2: Kinesis Data Streams permissions
In the following example, you use an IAM role to grant QLDB access to write data
records to your Amazon Kinesis data stream, stream-for-qldb. This
is also required for all QLDB journal streams.
To use this policy, replace us-east-1,
123456789012, and
stream-for-qldb in the example with your own
information.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "QLDBStreamKinesisPermissions", "Action": [ "kinesis:PutRecord*", "kinesis:DescribeStream", "kinesis:ListShards" ], "Effect": "Allow", "Resource": "arn:aws:kinesis:us-east-1:123456789012:stream/stream-for-qldb" } ] }
Then, you attach this permissions policy to an IAM role that QLDB can assume to
access your Kinesis data stream. The following JSON document is an example of a trust
policy that allows QLDB to assume an IAM role for any QLDB stream in the account
123456789012 for the ledger myExampleLedger
only.
To use this policy, replace us-east-1,
123456789012, and myExampleLedger in the example with your own information.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "qldb.amazonaws.com" }, "Action": [ "sts:AssumeRole" ], "Condition": { "ArnEquals": { "aws:SourceArn": "arn:aws:qldb:us-east-1:123456789012:stream/myExampleLedger/*" }, "StringEquals": { "aws:SourceAccount": "123456789012" } } } ] }
Updating QLDB ledgers based on tags
You can use conditions in your identity-based policy to control access to QLDB
resources based on tags. This example shows how you might create a policy that allows
updating a ledger. However, permission is granted only if the ledger tag
Owner has the value of the user name of that user. This policy also
grants the permissions necessary to complete this action on the console.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ListLedgersInConsole", "Effect": "Allow", "Action": "qldb:ListLedgers", "Resource": "*" }, { "Sid": "UpdateLedgerIfOwner", "Effect": "Allow", "Action": "qldb:UpdateLedger", "Resource": "arn:aws:qldb:*:*:ledger/*", "Condition": { "StringEquals": {"aws:ResourceTag/Owner": "${aws:username}"} } } ] }
You can attach this policy to the users in your account. If a user named
richard-roe tries to update a QLDB ledger, the ledger must be
tagged Owner=richard-roe or owner=richard-roe. Otherwise, he
is denied access. The condition tag key Owner matches both
Owner and owner because condition key names are not case
sensitive. For more information, see IAM JSON policy
elements: Condition in the IAM User Guide.
