Requirements
Before deploying the Formal Connector with DynamoDB, ensure that you have created a DynamoDB Resource on Formal. This is a prerequisite for the deployment process.
Deployment
The Formal Connector can be deployed using the Formal Terraform Provider. This method allows for easy integration into your existing Terraform workflows and infrastructure as code practices.
Networking
To ensure seamless connectivity between your environment and the Formal Resources, certain ports must be accessible. Specifically, for DynamoDB access through the Connector, port 443 must be assigned and allowed through your security groups. A single Connector instance can listen on multiple ports simultaneously for various resources, providing flexibility in your deployment architecture.
Set up your connection details
To connect to your DynamoDB database through the Connector, follow these steps:
- Get your Formal username and access token from the Formal console and set them as AWS credentials:
  - AWS_ACCESS_KEY_ID: Formal Username
  - AWS_SECRET_ACCESS_KEY: Formal Access Token
Connecting to DynamoDB
Ensure that you have completed the setup of your connection details and credentials as described above. Then, connect to DynamoDB using your preferred client. Authentication will rely on the credentials obtained from the Formal console. Formal policies, if present, are enforced, and all data activity is logged to the log location configured in your Formal installation.
Code Samples for connecting through the Connector
The following code samples demonstrate how to connect to DynamoDB through the Formal Connector using NodeJS, Python, and Java. These examples showcase the configuration needed to route traffic through the Connector and utilize a custom certificate bundle for secure connections.
```javascript
import { DynamoDBClient, ListTablesCommand } from '@aws-sdk/client-dynamodb';
import { NodeHttpHandler } from '@aws-sdk/node-http-handler';
import { HttpsProxyAgent } from 'hpagent';
import fs from 'fs';
import util from 'util';

const certificate_bundle = '/path/to_certificate_bundle.pem';
const connector_endpoint = 'example-connector-endpoint.com';
const connector_port = 443;
const region = 'us-east-2';

// load the certificate bundle file
const certs = [
  fs.readFileSync(certificate_bundle)
];

// create a proxy agent pointing to the Connector that uses the custom certificate bundle
const agent = new HttpsProxyAgent({
  proxy: util.format('http://%s:%d', connector_endpoint, connector_port),
  ca: certs
});

(async () => {
  // credentials are read from AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY in the environment
  const client = new DynamoDBClient({
    region: region,
    requestHandler: new NodeHttpHandler({
      httpAgent: agent,
      httpsAgent: agent
    }),
  });
  const command = new ListTablesCommand({});
  try {
    console.log("Running List Tables command through the Connector");
    const results = await client.send(command);
    console.log(results.TableNames.join("\n"));
  } catch (err) {
    console.error(err);
  }
})();
```
```python
import boto3
from botocore.config import Config

# reference AWS documentation:
# https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html


def connector_example():
    certificate_bundle = '/path_to_certificate_bundle.pem'
    connector_endpoint = 'example-connector-endpoint.com'
    connector_port = 443  # port selected when binding the dynamodb repo to the Connector
    region = 'us-east-2'

    dynamodb_client = boto3.client(
        'dynamodb',
        # Formal username and access token, passed as AWS credentials
        aws_access_key_id="YOUR_AWS_ACCESS_KEY_ID",
        aws_secret_access_key="YOUR_AWS_SECRET_ACCESS_KEY",
        region_name=region,
        # verify TLS against the custom certificate bundle
        verify=certificate_bundle,
        # route both schemes through the Connector
        config=Config(
            proxies={
                "http": f"http://{connector_endpoint}:{connector_port}",
                "https": f"http://{connector_endpoint}:{connector_port}",
            }),
    )

    print('Running List Tables command through the Connector')
    result = dynamodb_client.list_tables()
    print(result)


if __name__ == "__main__":
    connector_example()
```
```java
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.ClientConfiguration;
import com.amazonaws.Protocol;
import com.amazonaws.services.dynamodbv2.AmazonDynamoDB;
import com.amazonaws.services.dynamodbv2.AmazonDynamoDBClientBuilder;
import com.amazonaws.services.dynamodbv2.document.DynamoDB;
import com.amazonaws.services.dynamodbv2.document.Table;
import com.amazonaws.services.dynamodbv2.document.TableCollection;
import com.amazonaws.services.dynamodbv2.model.ListTablesResult;

public class ExampleConnectorConn {
    // Note: this sample does not load certificate_bundle; the client as configured
    // below validates TLS against the JVM's default trust store.
    static String certificate_bundle = "/path_to_certificate_bundle.pem";
    static String connector_endpoint = "example-connector-endpoint.com";
    static Integer connector_port = 443; // port selected when binding the dynamodb repo to the Connector
    static String region = "us-east-2";

    public static void main(String[] args) throws Exception {
        // Formal username and access token, passed as AWS credentials
        BasicAWSCredentials basic = new BasicAWSCredentials("YOUR_AWS_ACCESS_KEY_ID", "YOUR_AWS_SECRET_ACCESS_KEY");
        AWSCredentialsProvider credentials = new AWSStaticCredentialsProvider(basic);

        // Connector configuration
        ClientConfiguration config = new ClientConfiguration();
        config.setProxyHost(connector_endpoint);
        config.setProxyPort(connector_port);
        config.setProxyProtocol(Protocol.HTTP);

        AmazonDynamoDB client = AmazonDynamoDBClientBuilder
            .standard()
            .withCredentials(credentials)
            .withRegion(region)
            .withClientConfiguration(config)
            .build();
        DynamoDB dynamoDB = new DynamoDB(client);

        System.out.println("Running List Tables command through the connector");
        TableCollection<ListTablesResult> result = dynamoDB.listTables();
        for (Table a : result) {
            System.out.println(a.getTableName());
        }
    }
}
```
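A pre-flight check for the settings used in the Python sample above, as an added example that is not part of Formal's documentation: it reads the Formal username and access token from the environment variables named in the setup step and refuses to build a configuration when the credentials or the certificate bundle are missing, so a misconfiguration cannot end up running with placeholder credentials or with TLS verification switched off. The function name `connector_settings` and its parameters are hypothetical.

```python
PEM_MARKER = b"-----BEGIN CERTIFICATE-----"


def connector_settings(env, ca_bundle, endpoint, port=443, region="us-east-2"):
    """Validate Connector settings and return them, or raise ValueError.

    env is a mapping such as os.environ (hypothetical helper, not a Formal API).
    """
    # Setup step: the Formal username and access token travel as AWS credentials.
    username = env.get("AWS_ACCESS_KEY_ID", "").strip()
    token = env.get("AWS_SECRET_ACCESS_KEY", "").strip()
    if not username or not token:
        raise ValueError("AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must both be set")
    if username.startswith("YOUR_") or token.startswith("YOUR_"):
        raise ValueError("placeholder credentials were not replaced")

    # The bundle is what lets the SDK verify the certificate it is shown.
    # A missing or empty bundle is an error, never a reason to pass verify=False.
    try:
        with open(ca_bundle, "rb") as fh:
            pem = fh.read()
    except OSError as exc:
        raise ValueError(f"cannot read certificate bundle: {exc}") from exc
    if PEM_MARKER not in pem:
        raise ValueError("certificate bundle contains no PEM certificate")

    if not (isinstance(port, int) and 0 < port < 65536):
        raise ValueError("connector port must be an integer in 1..65535")

    proxy = f"http://{endpoint}:{port}"
    # Usage with boto3:
    #   s = connector_settings(os.environ, bundle, endpoint)
    #   boto3.client("dynamodb", config=Config(proxies=s.pop("proxies")), **s)
    return {
        "aws_access_key_id": username,
        "aws_secret_access_key": token,
        "region_name": region,
        "verify": ca_bundle,
        "proxies": {"http": proxy, "https": proxy},
    }


if __name__ == "__main__":
    import os
    try:
        s = connector_settings(os.environ, "/path_to_certificate_bundle.pem",
                               "example-connector-endpoint.com")
        # Print everything except the access token.
        print({k: v for k, v in s.items() if k != "aws_secret_access_key"})
    except ValueError as err:
        print(f"refusing to connect: {err}")
```
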
Policy Evaluation
Formal supports the following policy evaluation stages for DynamoDB:
- Session: Evaluate and enforce policies at connection time
- Request: Evaluate and enforce policies before request execution
- Response: Evaluate and enforce policies after data retrieval
Applications
Applications leveraging the AWS SDK can be modified to directly communicate with the Connector by following the examples provided. This allows for seamless integration of Formal’s security and compliance features into your existing DynamoDB workflows.
Note on other AWS SDKs
AWS offers SDKs for various programming languages. While this document provides examples for NodeJS, Python, and Java, the principles apply across all SDKs. If you require examples for a language not covered here, please refer to the AWS official documentation or contact Formal support for assistance.