RBAC - Enforcing least privilege access

Enforcing least privilege within a single application and database

An application often uses a single Amazon DocumentDB cluster as its datastore but has multiple users that require authorization to perform specific operations. Some users may need to read and write data, whereas other users may only require read access. The principle of least privilege is a foundational security practice. You can use RBAC to apply this principle by limiting user access to only what is required to perform their functions.

This lab will walk through a use case with three users, each with a different role based on the function they must perform.

The users and roles can be summarized as follows.


You will create the following users:

  1. appAdmin
  2. appUser
  3. analytics

appAdmin is the application administrator and needs to create indexes, add users, and read and write data in any database. You will assign the following roles to this user:

  • dbAdminAnyDatabase
  • readWriteAnyDatabase
  • clusterAdmin

appUser is the main application user and needs access to read and write to the products database.

The analytics user only needs read access to the products database.

The admin user, created when the Amazon DocumentDB cluster was created, is the single privileged user that can perform administrative tasks and create additional users with roles. When you connect to an Amazon DocumentDB cluster for the first time, you must authenticate using the admin user name and password. The admin user receives administrative permissions and is granted the root role for the Amazon DocumentDB cluster at cluster creation time.

Creating Users

You will use AWS Cloud9 in this lab to connect to the Amazon DocumentDB cluster and create the users and roles. Navigate to the AWS Cloud9 management console and choose Open IDE to launch the AWS Cloud9 environment.

You will use the createUser command to create the users for this lab. Each createUser call takes a user name, a password, and an array of roles, with each role scoped to a database.

In the AWS Cloud9 environment, enter the following command to connect to the DocumentDB shell:

mongo --ssl --host $docdbEndpoint:27017 --sslCAFile rds-combined-ca-bundle.pem --username $docdbUser --password $docdbPass

In the DocumentDB shell, create the appAdmin, appUser, and analytics users:

db.createUser({ user: "appAdmin", pwd: "abc123", roles: [ { role: "dbAdminAnyDatabase", db: "admin" }, { role: "readWriteAnyDatabase", db: "admin" }, { role: "clusterAdmin", db: "admin" } ] })

db.createUser({ user: "appUser", pwd: "abc124", roles: [ { role: "readWrite", db: "products" } ] })

db.createUser({ user: "analytics", pwd: "abc125", roles: [ { role: "read", db: "products" } ] })

The output for each command should confirm that the user was added.

When creating users, if you omit the db field when specifying a role, Amazon DocumentDB implicitly attributes the role to the database in which the connection was made. Creating users with roles that are scoped across all databases (for example, readAnyDatabase) requires that you either be in the context of the admin database when creating the user, or explicitly state the admin database for the role. Above, the appAdmin user's roles were scoped to the admin database, giving it full privileges on all databases, whereas the appUser and analytics users' roles were scoped to the products database only.
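To make these scoping rules concrete, the following is an added example (not part of the lab and not Amazon DocumentDB's own authorization code) that models the three users and the built-in roles they hold, fills in a missing db field from the connection context, rejects AnyDatabase roles granted outside admin, and answers whether an operation is authorized. The per-role action lists are a simplified assumption, not the full privilege set of the real roles.

```javascript
// Simplified model of the built-in roles used in this lab (assumed action
// lists, not the complete DocumentDB privilege sets).
const ROLE_ACTIONS = {
  read: ["find"],
  readWrite: ["find", "insert", "update", "remove"],
  readAnyDatabase: ["find"],
  readWriteAnyDatabase: ["find", "insert", "update", "remove"],
  dbAdminAnyDatabase: ["createIndex", "dropIndex"],
  clusterAdmin: ["listDatabases", "createUser"],
};

// Roles that only make sense on the admin database and then apply everywhere.
const ANY_DB_ROLES = new Set([
  "readAnyDatabase", "readWriteAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin",
]);

// Resolve a createUser roles array as the lab describes: a role with no db is
// attributed to the database the connection is using (currentDb). An
// AnyDatabase role that ends up outside admin is rejected before it is granted.
function normalizeRoles(roles, currentDb) {
  return roles.map((r) => {
    const db = r.db ?? currentDb;
    if (ANY_DB_ROLES.has(r.role) && db !== "admin") {
      throw new Error(`${r.role} must be granted in the admin database, not ${db}`);
    }
    return { role: r.role, db };
  });
}

// Authorize `action` on `db`: a role applies if it is cluster-wide or its
// scope matches the target database, and it grants the requested action.
function isAuthorized(userRoles, db, action) {
  return userRoles.some(({ role, db: roleDb }) => {
    const scopeOk = ANY_DB_ROLES.has(role) || roleDb === db;
    return scopeOk && (ROLE_ACTIONS[role] ?? []).includes(action);
  });
}

// The three users from the lab, as created from the admin database context.
const USERS = {
  appAdmin: normalizeRoles([
    { role: "dbAdminAnyDatabase", db: "admin" },
    { role: "readWriteAnyDatabase", db: "admin" },
    { role: "clusterAdmin", db: "admin" },
  ], "admin"),
  appUser: normalizeRoles([{ role: "readWrite", db: "products" }], "admin"),
  analytics: normalizeRoles([{ role: "read", db: "products" }], "admin"),
};
```

Calling isAuthorized(USERS.appUser, "products2", "insert") returns false and isAuthorized(USERS.analytics, "products", "insert") returns false, the two authorization failures the lab demonstrates below.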

You can list the existing users and their roles in the cluster with the show users command. Run it to see the users that were just created:

show users

You can now switch from the admin user to the appUser by authenticating with the following command:

db.auth("appUser", "abc124")

Issue the use command to switch to the products database.

use products

Run the following insertMany command to insert a few documents into the catalog collection.

db.catalog.insertMany([
  { "_id": 1, "name": "banana", "inventory": 10 },
  { "_id": 2, "name": "passion fruit", "inventory": 22 },
  { "_id": 3, "name": "pink lady apple", "inventory": 78 }
])

Note the acknowledged insertedIds in the output.

Now, query the catalog collection to find the inventory for a specific fruit.

db.catalog.find({"name": "passion fruit"})


Optional: run use products2 and then retry the insertMany command above. Note the authorization error: appUser's readWrite role is scoped to the products database only.

Next, log out of the appUser and log in as the analytics user.


db.auth("analytics", "abc125")

Repeat the same commands to use the products database and get the inventory for passion fruit:

use products
db.catalog.find({"name": "passion fruit"})

Now try inserting another document into the catalog collection.

db.catalog.insert({"name": "lemons", "quantity": 99})

Note that the analytics user can read documents but gets an authorization failure when trying to insert documents. This is expected, as the analytics user is authorized to perform only reads on the products database.

For a description of a built-in role, use the getRole command:

db.getRole("read", {showPrivileges:true})

The output lists the privileges associated with the role.

The list of built-in roles and associated actions can be found in the documentation.

Congratulations! You have successfully created users using Amazon DocumentDB's built-in roles and demonstrated the effect of limiting a user to a read-only role.

You may now move on to the next section of this lab to clean up resources.