DynamoDB in Action: A Practical Case Study for the Media Industry
What is DynamoDB?
Amazon DynamoDB is a fully managed NoSQL database service from AWS designed for high performance and scalability. Key features include:
- NoSQL Data Model: Supports flexible data formats as a document and key-value store.
- Automatic Scalability: Adapts to varying traffic loads without manual intervention.
- High Availability: Replicates data across multiple Availability Zones within a region for durability and fault tolerance (and across regions when global tables are used).
- Flexible Capacity Options: Offers provisioned capacity for fixed workloads or on-demand capacity for variable traffic.
- Integration with AWS: Easily integrates with services like AWS Lambda and Amazon Kinesis.
- Event-Driven Capabilities: Utilizes DynamoDB Streams to trigger actions based on data changes.
DynamoDB is ideal for applications requiring reliable, low-latency data access, such as content management, IoT, and real-time analytics.
Overview
In this topic we will cover how to set up a DynamoDB table with the latest movies, create an EC2 instance, and create an IAM role that grants the EC2 instance read access to DynamoDB so we can scan the table. We will start with the foundational tasks and then move on to the advanced and complex tasks outlined below.
Get ready for some fun :)
FOUNDATIONAL
- Create a DynamoDB table for latest Movie releases
- Add 10 latest movie releases to the table, including the title, genre, release date, and rating.
- Create a t2.micro EC2 instance
- Using an IAM role and the principle of least privilege, grant the EC2 instance read access to DynamoDB.
- Use the AWS CLI in the EC2 instance to scan the DynamoDB table
- Use the AWS CLI in the EC2 instance to validate you cannot write an item to the DynamoDB table
NOTE: The AWS CLI on the EC2 instance should not be using your IAM access keys (do not run aws configure on the EC2 instance). This is how we verify that the role is working correctly, rather than your own permissions.
ADVANCED:
After you’ve completed the Foundational project, create all the resources using the CLI.
COMPLEX:
After you’ve completed the ADVANCED task, create the DynamoDB table, attach the IAM role, and create the EC2 instance using a CloudFormation template. Then write the movies to the DynamoDB table.
FOUNDATIONAL:
Step 1: Create a DynamoDB Table for Latest Movie Releases
1. Navigate to DynamoDB:
- Search for “DynamoDB” in the AWS services search bar and click on it.
2. Create a Table:
- Click on “Create table”.
- Provide the following details:
- Table name: MediaCatalog
- Partition key: MovieID (type: String)
- Adjust the default provisioned read and write capacity settings if necessary (the default is usually sufficient for testing).
- Click “Create”.
Step 2: Add 10 Latest Movie Releases to the Table
1. Select the newly created table:
- Click on the MediaCatalog table in the DynamoDB dashboard.
2. Go to the “Items” tab:
- Click on the “Items” tab, then click on “Create item”.
3. Add Movie Items:
- For each movie, enter details like this:
- Attributes:
- MovieID: Enter a unique ID (e.g., 1, 2, … 10).
- Title: Enter the title (e.g., “Movie Title 1”).
- Genre: Enter the genre (e.g., “Action”).
- ReleaseDate: Enter the release date (e.g., “2024-01-01”).
- Rating: Enter the rating (e.g., “8.5”).
Click “Save” after adding each item.
Repeat until you have added all 10 movie releases.
Step 3: Create a t2.micro EC2 Instance
- From the AWS Management Console, go to Services > EC2.
- Click Launch Instance.
- Choose an Amazon Machine Image (AMI), such as Amazon Linux 2023 AMI (Free tier eligible).
- Choose an instance type (e.g., t2.micro for the free tier).
- In the Key Pair section, choose to create a new key pair or use an existing one. Under Key pair, I chose my existing key pair.
- In the Network Settings, select Create security group and tick Allow SSH. Choose Anywhere (0.0.0.0/0) for open access, or My IP or Custom for restricted access (My IP limits SSH to your current address and is the safer choice).
- Under Configure storage, leave the default settings.
- In the Summary section, review your settings and click Launch.
Step 4: Create an IAM Role and Grant Read Access to DynamoDB
1. Navigate to IAM Service:
- Search for “IAM” in the AWS services search bar and click on it.
2. Create a Role:
- Click on “Roles” in the left sidebar, then “Create role”.
- Choose “AWS service” and select “EC2”.
- Click “Next: Permissions”.
3. Attach Policy:
- Use the search bar to find the AmazonDynamoDBReadOnlyAccess policy.
- Select it and proceed to the next step.
- Note that this AWS managed policy grants read access to every DynamoDB table in the account. A tighter least-privilege policy restricts the read actions to the MediaCatalog table ARN, which is what the CloudFormation template in the COMPLEX section does.
4. Review and Create Role:
- Name your role (e.g., DynamoDBReadOnlyRole) and click “Create role”.
5. Attach the Role to EC2 Instance:
- Go back to the EC2 service.
- Select your running instance, go to “Actions” → “Security” → “Modify IAM Role”.
- Choose the IAM role you just created and click “Update IAM role”.
Step 5: Use the AWS CLI in the EC2 Instance to Scan the DynamoDB Table
1. SSH into Your EC2 Instance:
- Use the terminal on your local machine, then run:
ssh -i YourKeyPair.pem ec2-user@YourInstancePublicDNS
2. Install the AWS CLI (if not installed; Amazon Linux 2023 ships with AWS CLI v2, so check with aws --version first):
sudo yum install aws-cli -y
3. Scan the DynamoDB Table:
aws dynamodb scan --table-name MediaCatalog
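The NOTE in the task list says the scan must succeed on the instance role alone, with no access keys from aws configure in play. The following Python is an added example, not part of the original post: it checks the two things that decide that, whether any static credentials are present in the environment or in ~/.aws/credentials, and whether the caller ARN reported by aws sts get-caller-identity is an assumed-role session for the expected role (the ARN shape is the one shown in the AccessDenied message later in this post). Inputs are passed in explicitly so it runs offline; the account id, session name and key values used in the demo are constructed placeholders.

```python
import configparser
import re
import tempfile
from pathlib import Path

# Added example (not from the original post): confirm that the CLI on the
# instance is running on the instance role and not on static IAM keys.
# On the instance you would pass os.environ, Path.home() and the "Arn"
# field printed by `aws sts get-caller-identity`.

STATIC_KEY_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")

# Shape of the caller ARN in the post's AccessDenied message:
# arn:aws:sts::<account-id>:assumed-role/<RoleName>/<SessionName>
ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/([^/]+)$")


def static_credential_sources(env, home):
    """List every place static credentials were found (empty list = clean)."""
    found = []
    for var in STATIC_KEY_VARS:
        if env.get(var):
            found.append(f"env:{var}")
    cred_file = Path(home) / ".aws" / "credentials"
    if cred_file.is_file():
        parser = configparser.ConfigParser()
        parser.read(cred_file)
        for profile in parser.sections():
            if parser.has_option(profile, "aws_access_key_id"):
                found.append(f"file:{cred_file}[{profile}]")
    return found


def caller_uses_role(caller_arn, expected_role):
    """True when the STS caller is an assumed-role session for expected_role."""
    match = ASSUMED_ROLE_RE.match(caller_arn)
    return bool(match) and match.group(2) == expected_role


def verify_instance_role_only(env, home, caller_arn, expected_role):
    """Combine both checks; returns (ok, list_of_reasons)."""
    reasons = []
    sources = static_credential_sources(env, home)
    if sources:
        reasons.append("static credentials present: " + ", ".join(sources))
    if not caller_uses_role(caller_arn, expected_role):
        reasons.append(f"caller is not an assumed-role session for {expected_role}: {caller_arn}")
    return (not reasons, reasons)


def demo_with_credentials_file():
    """Constructed scenario: someone ran `aws configure` on the box and left a credentials file."""
    with tempfile.TemporaryDirectory() as home:
        aws_dir = Path(home) / ".aws"
        aws_dir.mkdir()
        (aws_dir / "credentials").write_text(
            "[default]\naws_access_key_id = AKIAEXAMPLEPLACEHOLDER\n"
            "aws_secret_access_key = placeholder-secret\n"
        )
        return static_credential_sources({}, home)


if __name__ == "__main__":
    # Constructed ARN: the 12-digit account id and the session name are placeholders.
    ok, reasons = verify_instance_role_only(
        {}, "/nonexistent-home",
        "arn:aws:sts::123456789012:assumed-role/DynamoDBReadOnlyRole/i-0123456789abcdef0",
        "DynamoDBReadOnlyRole")
    print("role-only:", ok, reasons)
    print("leftover credentials file:", demo_with_credentials_file())
```

If the combined check reports a leftover credentials file or an IAM user ARN, the scan in step 3 is not proving anything about the role; remove the static credentials and run the scan again.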
Step 6: Validate You Cannot Write an Item to the DynamoDB Table
1. SSH into Your EC2 Instance:
- If you are not already connected, use the terminal on your local machine to SSH into your EC2 instance:
ssh -i YourKeyPair.pem ec2-user@YourInstancePublicDNS
- Replace YourKeyPair.pem with your key pair file and YourInstancePublicDNS with the public DNS name of your EC2 instance.
2. Attempt to Write an Item to the DynamoDB Table:
- Use the following AWS CLI command to try adding an item to the MediaCatalog table. This is intentionally going to be denied due to the policy settings.
aws dynamodb put-item --table-name MediaCatalog --item '{"MovieID": {"S": "Sonic the Hedgehog 3"}, "Genre": {"S": "Animation/Action"}, "ReleaseDate": {"S": "27-12-2024"}, "Rating": {"N": "8.5"}}'
3. Check the Response:
- Since the IAM role attached to your EC2 instance only allows read access (as per the policy attached), you should receive an error message indicating that you do not have the necessary permissions to perform the write action.
- The error message will usually look something like this:
An error occurred (AccessDeniedException) when calling the PutItem operation: User: arn:aws:sts::account-id:assumed-role/DynamoDBReadOnlyRole/instance-id is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:region:account-id:table/MediaCatalog
Conclusion
- This step validates the IAM role’s permissions by confirming that the EC2 instance cannot write to the MediaCatalog table, thereby ensuring the read-only restriction is effectively in place.
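Why the scan succeeds and the put-item fails comes down to how IAM evaluates the policy attached to the role. The Python below is an added example, not part of the original post: it writes out a table-scoped read-only policy (the least-privilege alternative to AmazonDynamoDBReadOnlyAccess, which applies to every table in the account) and runs a deliberately simplified model of IAM's decision logic over it, so you can see Scan allowed and PutItem denied on MediaCatalog, and Scan denied on any other table. The table ARN, account id and region are constructed placeholders, and BROAD_READ_ONLY is my approximation of the managed policy, not its actual text; the model ignores Condition, NotAction, resource policies, SCPs and permission boundaries.

```python
import fnmatch
import json

# Added example (not from the original post): a table-scoped read-only policy
# alongside a simplified model of IAM evaluation. The model covers
# Effect/Action/Resource with "*" and "?" wildcards and the explicit-deny-wins
# rule only; real IAM also evaluates NotAction, Condition, resource policies,
# SCPs and permission boundaries.

# Constructed ARN: region and account id are placeholders.
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/MediaCatalog"

# Approximation of the managed policy the Foundational step attaches:
# read actions on every table in the account (Resource "*").
BROAD_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:BatchGetItem", "dynamodb:Describe*", "dynamodb:GetItem",
                   "dynamodb:Query", "dynamodb:Scan"],
        "Resource": "*",
    }],
}


def table_read_only_policy(table_arn):
    """Least-privilege version: the same read actions, but only on one table and its indexes."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["dynamodb:BatchGetItem", "dynamodb:DescribeTable", "dynamodb:GetItem",
                       "dynamodb:Query", "dynamodb:Scan"],
            "Resource": [table_arn, f"{table_arn}/index/*"],
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Action names are matched case-insensitively in IAM.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # Resource ARNs are matched as written (case-sensitive).
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """Simplified evaluation: explicit Deny wins, then any matching Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_action_matches(stmt["Action"], action) and _resource_matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def access_report(policy, resource,
                  actions=("dynamodb:Scan", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteTable")):
    """Map each action to the decision the model reaches for `resource`."""
    return {action: is_allowed(policy, action, resource) for action in actions}


if __name__ == "__main__":
    other_table = TABLE_ARN.replace("MediaCatalog", "Payroll")  # constructed second table
    scoped = table_read_only_policy(TABLE_ARN)
    print(json.dumps(scoped, indent=2))
    print("scoped policy on MediaCatalog:", access_report(scoped, TABLE_ARN))
    print("scoped policy on Payroll:     ", access_report(scoped, other_table))
    print("broad policy on Payroll:      ", access_report(BROAD_READ_ONLY, other_table))
```

The scoped policy is the one to prefer for a role that only ever needs MediaCatalog: with the broad policy, a compromised instance can read every table in the account, which is exactly the blast radius least privilege is meant to remove.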
ADVANCED:
Create all the resources from the Foundational task using the CLI.
1. Create the DynamoDB Table
aws dynamodb create-table \
--table-name MediaCatalog \
--attribute-definitions AttributeName=MovieID,AttributeType=S \
--key-schema AttributeName=MovieID,KeyType=HASH \
--provisioned-throughput ReadCapacityUnits=2,WriteCapacityUnits=2
2. Add Items to “MediaCatalog” Table
aws dynamodb batch-write-item --request-items '{
"MediaCatalog": [
{"PutRequest": {"Item": {"MovieID": {"S": "Aquaman and the Lost Kingdom"}, "Genre": {"S": "Action/Adventure"}, "ReleaseDate": {"S": "24-05-2024"}, "Rating": {"N": "7.2"}}}},
{"PutRequest": {"Item": {"MovieID": {"S": "Deadpool & Wolverine"}, "Genre": {"S": "Action/Comedy"}, "ReleaseDate": {"S": "03-05-2024"}, "Rating": {"N": "8.7"}}}},
{"PutRequest": {"Item": {"MovieID": {"S": "Furiosa"}, "Genre": {"S": "Action/Adventure"}, "ReleaseDate": {"S": "24-05-2024"}, "Rating": {"N": "8.2"}}}},
{"PutRequest": {"Item": {"MovieID": {"S": "Guardians of the Galaxy Vol. 3"}, "Genre": {"S": "Action/Comedy"}, "ReleaseDate": {"S": "21-07-2023"}, "Rating": {"N": "8.5"}}}},
{"PutRequest": {"Item": {"MovieID": {"S": "The Matrix Resurrections"}, "Genre": {"S": "Action/Sci-fi"}, "ReleaseDate": {"S": "22-12-2021"}, "Rating": {"N": "7.9"}}}},
{"PutRequest": {"Item": {"MovieID": {"S": "Mission: Impossible – Dead Reckoning Part Two"}, "Genre": {"S": "Action"}, "ReleaseDate": {"S": "28-06-2023"}, "Rating": {"N": "8.9"}}}},
{"PutRequest": {"Item": {"MovieID": {"S": "The Marvels"}, "Genre": {"S": "Superhero"}, "ReleaseDate": {"S": "12-04-2024"}, "Rating": {"N": "7.5"}}}},
{"PutRequest": {"Item": {"MovieID": {"S": "Transformers One"}, "Genre": {"S": "Animation/Action"}, "ReleaseDate": {"S": "11-10-2024"}, "Rating": {"N": "7.7"}}}},
{"PutRequest": {"Item": {"MovieID": {"S": "Spider-Man: Beyond the Spider-Verse"}, "Genre": {"S": "Animation/Action"}, "ReleaseDate": {"S": "29-03-2024"}, "Rating": {"N": "9.0"}}}},
{"PutRequest": {"Item": {"MovieID": {"S": "Kraven the Hunter"}, "Genre": {"S": "Action/Thriller"}, "ReleaseDate": {"S": "13-12-2024"}, "Rating": {"N": "9.8"}}}}
]
}'
3. Create an IAM Role with DynamoDB Read-Only Access
- Create a trust policy that allows EC2 to assume the role. Save it to a file, e.g., trust-policy.json:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
4. Create the role from the trust policy, then attach the read-only permissions policy (the trust policy only says who may assume the role; without the second command the role grants no DynamoDB access at all):
aws iam create-role --role-name EC2DynamoDBReadRole --assume-role-policy-document file://trust-policy.json
aws iam attach-role-policy --role-name EC2DynamoDBReadRole --policy-arn arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess
5. Create an instance profile and add the role to it
aws iam create-instance-profile --instance-profile-name EC2DynamoDBReadProfile
aws iam add-role-to-instance-profile --instance-profile-name EC2DynamoDBReadProfile --role-name EC2DynamoDBReadRole
6. Launch a t2.micro EC2 Instance with the IAM Role
aws ec2 run-instances --image-id ami-06b21ccaeff8cd686 --count 1 --instance-type t2.micro --key-name mykeypair --security-group-ids sg-088b05c7b57fb7fec --subnet-id subnet-09bb7baf5e99d0c9c --iam-instance-profile Name=EC2DynamoDBReadProfile --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=MediaCatalogInstance}]'
COMPLEX:
1. Create the DynamoDB table, attach the IAM role, and create the EC2 instance using a CloudFormation template.
- Create a file named media_catalog.yaml with the following contents, adjusting the placeholders as necessary, and deploy the template. The stack creates IAM resources, so CloudFormation will ask you to acknowledge IAM capabilities when you deploy it.
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation template to create a DynamoDB table, IAM role, and an EC2 instance.
Resources:
  MediaCatalogTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: MediaCatalog
      AttributeDefinitions:
        - AttributeName: MovieID
          AttributeType: S
      KeySchema:
        - AttributeName: MovieID
          KeyType: HASH
      ProvisionedThroughput:
        ReadCapacityUnits: 2
        WriteCapacityUnits: 2
  EC2DynamoDBReadRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: DynamoDBReadPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - dynamodb:Scan
                Resource: !GetAtt MediaCatalogTable.Arn
  EC2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref EC2DynamoDBReadRole
  MediaCatalogInstanceSG:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Enable SSH access via port 22
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0 # Ensure this is secure in production, consider restricting to specific IPs
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      ImageId: ami-06b21ccaeff8cd686 # Replace with a valid AMI ID
      SecurityGroupIds:
        - !Ref MediaCatalogInstanceSG
      KeyName: mykeypair # Replace with your key pair name
      IamInstanceProfile: !Ref EC2InstanceProfile
      Tags:
        - Key: Name
          Value: MediaCatalogInstance
2. Write the movies to the DynamoDB table using CLI.
- Add Items to “MediaCatalog” Table
aws dynamodb batch-write-item --request-items '{
"MediaCatalog": [
{"PutRequest": {"Item": {"MovieID": {"S": "Aquaman and the Lost Kingdom"}, "Genre": {"S": "Action/Adventure"}, "ReleaseDate": {"S": "24-05-2024"}, "Rating": {"N": "7.2"}}}},
{"PutRequest": {"Item": {"MovieID": {"S": "Deadpool & Wolverine"}, "Genre": {"S": "Action/Comedy"}, "ReleaseDate": {"S": "03-05-2024"}, "Rating": {"N": "8.7"}}}},
{"PutRequest": {"Item": {"MovieID": {"S": "Furiosa"}, "Genre": {"S": "Action/Adventure"}, "ReleaseDate": {"S": "24-05-2024"}, "Rating": {"N": "8.2"}}}},
{"PutRequest": {"Item": {"MovieID": {"S": "Guardians of the Galaxy Vol. 3"}, "Genre": {"S": "Action/Comedy"}, "ReleaseDate": {"S": "21-07-2023"}, "Rating": {"N": "8.5"}}}},
{"PutRequest": {"Item": {"MovieID": {"S": "The Matrix Resurrections"}, "Genre": {"S": "Action/Sci-fi"}, "ReleaseDate": {"S": "22-12-2021"}, "Rating": {"N": "7.9"}}}},
{"PutRequest": {"Item": {"MovieID": {"S": "Mission: Impossible – Dead Reckoning Part Two"}, "Genre": {"S": "Action"}, "ReleaseDate": {"S": "28-06-2023"}, "Rating": {"N": "8.9"}}}},
{"PutRequest": {"Item": {"MovieID": {"S": "The Marvels"}, "Genre": {"S": "Superhero"}, "ReleaseDate": {"S": "12-04-2024"}, "Rating": {"N": "7.5"}}}},
{"PutRequest": {"Item": {"MovieID": {"S": "Transformers One"}, "Genre": {"S": "Animation/Action"}, "ReleaseDate": {"S": "11-10-2024"}, "Rating": {"N": "7.7"}}}},
{"PutRequest": {"Item": {"MovieID": {"S": "Spider-Man: Beyond the Spider-Verse"}, "Genre": {"S": "Animation/Action"}, "ReleaseDate": {"S": "29-03-2024"}, "Rating": {"N": "9.0"}}}},
{"PutRequest": {"Item": {"MovieID": {"S": "Kraven the Hunter"}, "Genre": {"S": "Action/Thriller"}, "ReleaseDate": {"S": "13-12-2024"}, "Rating": {"N": "9.8"}}}}
]
}'
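The batch-write-item command above (used in both the ADVANCED step 2 and this COMPLEX step 2) hand-writes the typed DynamoDB JSON, which is easy to get wrong once there are more than a handful of records. The Python below is an added example, not part of the original post: it builds the --request-items document from plain records, wrapping each value in the right type descriptor ("S" for strings, "N" for numbers sent as strings), splits the list into the 25-request batches the API allows per call, rejects duplicate MovieID keys (which make the whole call fail), and decodes the typed JSON that aws dynamodb scan returns. The sample records are constructed; the attribute names follow the post.

```python
import json
from datetime import datetime
from decimal import Decimal

# Added example (not from the original post): build and decode the typed JSON
# used by `aws dynamodb batch-write-item` and `aws dynamodb scan`.

BATCH_WRITE_LIMIT = 25  # BatchWriteItem accepts at most 25 put/delete requests per call


def to_attribute_value(value):
    """Wrap a Python value in the DynamoDB type descriptor ({"S": ...}, {"N": ...}, ...)."""
    if isinstance(value, bool):
        return {"BOOL": value}
    if isinstance(value, (int, Decimal)):
        return {"N": str(value)}  # DynamoDB numbers travel as strings
    if isinstance(value, str):
        return {"S": value}
    if isinstance(value, list):
        return {"L": [to_attribute_value(v) for v in value]}
    if isinstance(value, dict):
        return {"M": {k: to_attribute_value(v) for k, v in value.items()}}
    raise TypeError(f"unsupported attribute type: {type(value).__name__}")


def from_attribute_value(av):
    """Inverse of to_attribute_value, for decoding `aws dynamodb scan` output."""
    (tag, inner), = av.items()
    if tag == "S" or tag == "BOOL":
        return inner
    if tag == "N":
        return Decimal(inner)
    if tag == "L":
        return [from_attribute_value(v) for v in inner]
    if tag == "M":
        return {k: from_attribute_value(v) for k, v in inner.items()}
    raise TypeError(f"unsupported descriptor: {tag}")


def marshal(item):
    return {k: to_attribute_value(v) for k, v in item.items()}


def unmarshal(item):
    return {k: from_attribute_value(v) for k, v in item.items()}


def iso_date(ddmmyyyy):
    """Normalise the post's DD-MM-YYYY strings to ISO 8601 so string order equals date order."""
    return datetime.strptime(ddmmyyyy, "%d-%m-%Y").date().isoformat()


def batch_write_requests(table_name, items, key_attr="MovieID"):
    """Split items into --request-items documents of at most 25 PutRequests each.

    Duplicate keys are rejected up front: BatchWriteItem fails the whole call
    with a ValidationException when two requests target the same key.
    """
    keys = [item[key_attr] for item in items]
    dupes = {k for k in keys if keys.count(k) > 1}
    if dupes:
        raise ValueError(f"duplicate {key_attr} values in batch: {sorted(dupes)}")
    batches = []
    for start in range(0, len(items), BATCH_WRITE_LIMIT):
        chunk = items[start:start + BATCH_WRITE_LIMIT]
        batches.append({table_name: [{"PutRequest": {"Item": marshal(i)}} for i in chunk]})
    return batches


# Constructed sample records in the post's shape (ratings as Decimal, not float).
SAMPLE_MOVIES = [
    {"MovieID": "Furiosa", "Genre": "Action/Adventure", "ReleaseDate": iso_date("24-05-2024"), "Rating": Decimal("8.2")},
    {"MovieID": "Transformers One", "Genre": "Animation/Action", "ReleaseDate": iso_date("11-10-2024"), "Rating": Decimal("7.7")},
]


def constructed_movies(n):
    """n distinct placeholder records, for exercising the batch split."""
    return [{"MovieID": f"Placeholder Movie {i}", "Genre": "Test", "ReleaseDate": "2024-01-01",
             "Rating": Decimal("5.0")} for i in range(n)]


if __name__ == "__main__":
    for batch in batch_write_requests("MediaCatalog", SAMPLE_MOVIES):
        # Each document is what you pass to --request-items, inline or via file://.
        print(json.dumps(batch, indent=2))
    scanned = {"Items": [marshal(m) for m in SAMPLE_MOVIES], "Count": 2, "ScannedCount": 2}
    print([unmarshal(i) for i in scanned["Items"]])
```

Writing each batch to a file and passing it as --request-items file://batch-N.json keeps the shell quoting out of the way; the ISO date normalisation matters only if ReleaseDate ever becomes a sort key or a filter, since DD-MM-YYYY strings do not sort chronologically.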
3. SSH into the instance and perform the scan using the EC2 AWS CLI.
You can see above we were able to successfully scan the table and get all the entries.