Role-Based Access Control

You can restrict access to the actions that users can perform on Amazon DocumentDB using role-based access control (RBAC). RBAC works by granting one or more roles to a user. The roles determine the operations that a user can perform on specified databases. Amazon DocumentDB currently supports built-in roles that are scoped at the database level, including read, readWrite, readAnyDatabase, and clusterAdmin.

Common use cases for RBAC include enforcing least privilege by creating users with read-only access to the databases in a cluster, and multi-tenant application designs in which each user is granted access only to a given database in the cluster.

RBAC Concepts

The following are important terms and concepts related to role-based access control.

  • User — An individual entity that can authenticate to the database and perform operations.

  • Password — A secret that is used to authenticate the user.

  • Role — Authorizes a user to perform actions on one or more databases.

  • Admin Database — The database in which users are stored and authorized against.

  • Database (db) — The namespace within clusters that contains collections for storing documents.
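The following added example (not part of the AWS lab) models these concepts offline in JavaScript: it builds the `createUser` command document that the mongo shell sends to the admin database, restricts roles to the built-ins named above, and checks whether a grant such as `read` on one database permits an action elsewhere. The role-to-action mapping and the sample user are assumptions constructed for illustration.

```javascript
// Built-in DocumentDB roles modelled as the actions they permit and whether
// the grant applies to every database (assumed simplification for this demo).
const BUILTIN_ROLES = {
  read: { actions: ["find"], anyDb: false },
  readWrite: { actions: ["find", "insert", "update", "remove"], anyDb: false },
  readAnyDatabase: { actions: ["find"], anyDb: true },
  clusterAdmin: { actions: ["clusterOps"], anyDb: true },
};

// Build the command document that db.createUser() submits when the shell is
// connected to the admin database, rejecting roles that are not built-ins
// or that are missing the database they are scoped to.
function buildCreateUser(user, pwd, roles) {
  for (const grant of roles) {
    if (!(grant.role in BUILTIN_ROLES)) {
      throw new Error(`unsupported role: ${grant.role}`);
    }
    if (!grant.db) {
      throw new Error(`role ${grant.role} must name the database it applies to`);
    }
  }
  return { createUser: user, pwd, roles };
}

// Decide whether a user holding `roles` may perform `action` on database `db`.
// A database-scoped role only counts when its scope matches the target db.
function isAllowed(roles, db, action) {
  return roles.some(({ role, db: scope }) => {
    const def = BUILTIN_ROLES[role];
    return def.actions.includes(action) && (def.anyDb || scope === db);
  });
}

// Constructed sample: a read-only reporting user for one tenant's database.
const reportingUser = buildCreateUser("reporting", "PLACEHOLDER_PASSWORD", [
  { role: "read", db: "tenant_a" },
]);
```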

In this lab you will enforce least privilege access within a single application.

You will need an Amazon DocumentDB cluster and an AWS Cloud9 environment to perform this lab.