Creating Dynamo DB Table, EC2 Instance and using AWS CLI to scan the Dynamo DB Table.

Manminder Singh
4 min readJul 2, 2022


Overview about DynamoDB

  • Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability.
  • It's a non-relational, key-value type of database.
  • Provides very low latency, Data is stored on SSD storage.
  • Multi-AZ redundancy and Cross-Region Replication option.
  • The underlying hardware storing data is spread across 3 geographically distinct data centres.

Overview of the task we intend to do in this article

  1. Create a DynamoDB table for something of your choosing (e.g. movies, food, games)
  2. Add 10 or more items to the table
  3. Create a t.2micro Ec2 instance
  4. Using an IAM role and the principle of least privilege, grant the EC2 instance read access to DynamoDB.
  5. Use the AWS CLI in the EC2 instance to scan the DynamoDB table
  6. Use the AWS CLI in the EC2 instance to validate you cannot write an item to the DynamoDB table

Step 1: Create DynamoDB Table and add items
For this step, I will name the table Xbox_Games and declare Game_Title as the partition key. Go to DynamoDB and click create the table. After I am done creating the table the table will look like this.

Let's add the attributes to our table now. To add select table >>click action>>Explore Items>>Add items to the table and will look like below:

Step 2: Create the EC2 instance in your console
In this step, we will create one ec2 instance, after creating the ec2 instance the console looks like this(we just launched the instance without any additional or specific settings)

Instance launched

You can also add a role(ReadOnlyAccessforDynamoDB) while creating the ec2 instance or create separately and add to the instance.

Step 3: Create the IAM role and attach it to EC2 Instance
Now we will create the role for the EC2 instance that will permit the ReadOnlyAccessforDynamoDB.

  • Go to IAM>>Roles>>Create Role>>Add AmazonDynamoDBReadOnlyAccess as policy and create the role.

After creating the role the console will look like this: -

Now let's attach the policy to the instance: go to the EC2 instance and update the IAM role.

Goto EC2 >> Select the EC2 Instance >> Actions>>security>>modify IAM role. Please have a look at image below

updating the IAM policy on the instance

Now we have successfully added the IAM role to the instance.

Step 4: Scan the DynamoDB table through CLI
Let's connect to our EC2 instance and scan the DynamoDB table. Select the instance and click connect to get SSHed into your instance.

Now we will use the below command to scan the DynamoDB table.

was dynamodb scan --table-name <table-name> --region <region-name>
AWS CLI — DynamoDB scanning in process

Note: Scanning the DynamoDB table means retrieving the data within it.

Step 5: Validate you cannot write an item to the DynamoDB table
Now it's time to check our IAM role to if it allows writing into the DynamoDB table. We will use the below command in order to attempt writing to the DynamoDB table through CLI.

$ aws dynamodb put-item --table-name Xbox_Games --item ‘{“Game_Titles”: {“S”: “GTA5”},}’ --region us-east-1 --return-consumed-capacity TOTAL
Permission denied upon attempting to add data to DynamoDB Table

After running this command you will get an error message. This means the attached IAM role doesn't allow the EC2 instance to add value to the DynamoDB table.

Let's also check the other way round, and update the EC2 IAM policy to DynamoDBFullAcess. We will use the below command to add an item to the table.

aws dynamodb put-item --table-name Xbox_Games --item ‘{“Game_Titles”: {“S”: “GTA5”},”Developers”:{“S”:”RockStar Games”}}’ --region us-east-1 --return-consumed-capacity TOTAL
adding data to the dynamoDB table

The output will look like this :

GTA5 added to the DynamoDB Table

Thanks for reading!! Keep Pushing !!



Manminder Singh

Cloud Ops & Security | DevOps Engineer