Security Best Practices
In our demo, we attach the AmazonDynamoDBFullAccess policy to both the Lambda function and the Cognito Identity Pool. In a full deployment of a game, restrict this so that each role can access only the specific AWS resources it needs. Instead of attaching AmazonDynamoDBFullAccess, follow the steps below to create policies for your Lambda function and Cognito Identity Pool.
Cognito Identity Pool Policy
- Navigate to the Policies section in IAM.
- Click Create Policy
- Click JSON
- Copy and paste the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SpecificTable",
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetItem",
                "dynamodb:UpdateItem",
                "dynamodb:PutItem"
            ],
            "Resource": "arn:aws:dynamodb:*:*:table/AlexaPlusUnityTest"
        }
    ]
}
Note: Replace AlexaPlusUnityTest with the name of your table.
- Click Review Policy
- Give the Policy a name and click Create Policy
Attach this policy to the UnAuth IAM Role instead of the AmazonDynamoDBFullAccess policy.
Lambda Policy
- Navigate to the Policies section in IAM.
- Click Create Policy
- Click JSON
- Copy and paste the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SpecificTable",
            "Effect": "Allow",
            "Action": [
                "dynamodb:CreateTable",
                "dynamodb:GetItem",
                "dynamodb:UpdateItem",
                "dynamodb:PutItem"
            ],
            "Resource": "arn:aws:dynamodb:*:*:table/AlexaPlusUnityTest"
        }
    ]
}
Note: Replace AlexaPlusUnityTest with the name of your table.
- Click Review Policy
- Give the Policy a name and click Create Policy
Attach this policy to the Alexa Skill’s Lambda IAM Role instead of the AmazonDynamoDBFullAccess policy.
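To check a policy document before attaching it to either role, the following added example (not part of the original documentation) audits a policy against the action lists and table scope used in the two policies above. The function names `audit_policy`, `as_list` and `high` are hypothetical, and the `BROAD` policy is constructed for contrast.

```python
import json

# Actions the page grants to the Cognito UnAuth role (IAM action names are case-insensitive).
COGNITO_ACTIONS = {"dynamodb:getitem", "dynamodb:updateitem", "dynamodb:putitem"}
# The page's Lambda policy additionally allows CreateTable.
LAMBDA_ACTIONS = COGNITO_ACTIONS | {"dynamodb:createtable"}

def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return list(value) if isinstance(value, list) else [value]

def audit_policy(policy, table_name, allowed_actions):
    """Return (level, message) findings for Allow statements broader than intended."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(("high", f"{sid}: NotAction/NotResource in an Allow statement"))
        for action in as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(("high", f"{sid}: wildcard action {action}"))
            elif action.lower() not in allowed_actions:
                findings.append(("high", f"{sid}: unexpected action {action}"))
        for resource in as_list(stmt.get("Resource", [])):
            # DynamoDB table ARN: arn:aws:dynamodb:<region>:<account-id>:table/<name>
            parts = resource.split(":", 5)
            if len(parts) != 6 or parts[2] != "dynamodb" or parts[5] != f"table/{table_name}":
                findings.append(("high", f"{sid}: resource not limited to the table: {resource}"))
            elif "*" in (parts[3], parts[4]):
                findings.append(("info", f"{sid}: region/account wildcard in {resource}"))
    return findings

def high(findings):
    """Keep only the messages of high-severity findings."""
    return [msg for level, msg in findings if level == "high"]

# The page's Cognito policy, and a constructed over-broad policy for contrast.
SCOPED = json.loads("""{"Version": "2012-10-17", "Statement": [{"Sid": "SpecificTable",
  "Effect": "Allow",
  "Action": ["dynamodb:GetItem", "dynamodb:UpdateItem", "dynamodb:PutItem"],
  "Resource": "arn:aws:dynamodb:*:*:table/AlexaPlusUnityTest"}]}""")
BROAD = json.loads("""{"Version": "2012-10-17", "Statement": [{"Sid": "TooBroad",
  "Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}""")

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED), ("broad", BROAD)):
        for level, msg in audit_policy(doc, "AlexaPlusUnityTest", COGNITO_ACTIONS):
            print(f"{name}: [{level}] {msg}")
```

The `info` finding on the page's policy points at the `*:*` region and account fields in the ARN, which can be replaced with your own region and account ID to narrow the policy further.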