You can restrict access to the actions that users can perform on Amazon DocumentDB using role-based access control (RBAC). RBAC works by granting one or more roles to a user. The roles determine the operations that a user can perform on specified databases. Amazon DocumentDB currently supports built-in roles that are scoped at the database level, including read, readWrite, readAnyDatabase, and clusterAdmin.
Common use cases for RBAC include enforcing least privileges by creating users with read-only access to the databases in a cluster, and multi-tenant application designs that enable a single user to access a given database in a cluster.
The following are important terms and concepts related to role-based access control.
User — An individual entity that can authenticate to the database and perform operations.
Password — A secret that is used to authenticate the user.
Role — Authorizes a user to perform actions on one or more databases.
Admin Database — The database that stores the users and against which they are authenticated and authorized.
Database (db) — The namespace within clusters that contains collections for storing documents.
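The two use cases above (a read-only user, and a tenant confined to its own database), as an added example that is not part of the workshop: a small Node.js model of how role grants on specific databases translate into permitted operations. The command document shape is the one `createUser` sends to the admin database; the role-to-action table, user names and `<password>` placeholders are assumptions, and clusterAdmin is left out of the model.

```javascript
// Added example (not from the workshop). The role/action table below is a
// simplified model of the built-in roles; the service's privilege lists are
// authoritative.
const ROLE_ACTIONS = {
  read:      new Set(["find", "listCollections"]),
  readWrite: new Set(["find", "listCollections", "insert", "update", "remove", "createCollection"]),
};

// readAnyDatabase is granted on the admin database and covers reads on every db.
const ANY_DB_ROLES = { readAnyDatabase: "read" };

// Build the command document that db.createUser() sends to the admin database.
function buildCreateUserCommand(name, pwd, roles) {
  if (!Array.isArray(roles) || roles.length === 0) {
    throw new Error("a user must be granted at least one role");
  }
  return { createUser: name, pwd, roles: roles.map(({ role, db }) => ({ role, db })) };
}

// Decide whether a user holding `roles` may perform `action` on `dbName`.
// A grant only applies to the database it was scoped to, except for the
// admin-scoped "any database" roles.
function isAuthorized(roles, action, dbName) {
  return roles.some(({ role, db }) => {
    if (ANY_DB_ROLES[role] !== undefined && db === "admin") {
      return ROLE_ACTIONS[ANY_DB_ROLES[role]].has(action);
    }
    const actions = ROLE_ACTIONS[role];
    return actions !== undefined && db === dbName && actions.has(action);
  });
}

// Use case 1: a read-only reporting user on the "sales" database (constructed).
const reporter = buildCreateUserCommand("reporter", "<password>", [{ role: "read", db: "sales" }]);
// Use case 2: a tenant application user confined to its own database (constructed).
const tenantA = buildCreateUserCommand("tenantA", "<password>", [{ role: "readWrite", db: "tenant_a" }]);

// Least-privilege checks: reads succeed where granted, writes and cross-tenant reads do not.
function leastPrivilegeReport() {
  return {
    reporterCanRead:     isAuthorized(reporter.roles, "find", "sales"),
    reporterCanWrite:    isAuthorized(reporter.roles, "insert", "sales"),
    tenantACanWriteOwn:  isAuthorized(tenantA.roles, "insert", "tenant_a"),
    tenantACanReadOther: isAuthorized(tenantA.roles, "find", "tenant_b"),
  };
}

console.log(leastPrivilegeReport());
```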
In this lab, you will enforce least-privilege access within a single application.
You will need an Amazon DocumentDB cluster and an AWS Cloud9 environment to perform this lab.