DynamoDB

Connecting DynamoDB to LightBeam


Overview

LightBeam Spectra users can connect various data sources to the LightBeam application. Once connected, these data sources are continuously monitored for PII and PHI data.

Example: DynamoDB, Redshift, PostgreSQL, etc.


About DynamoDB

DynamoDB, AWS's managed NoSQL database service, supports both structured and semi-structured data. Users have the flexibility to define tables with or without a predefined schema. LightBeam now includes support for DynamoDB as a structured data source.


Features

Datasource Registration

  • DynamoDB administrators can create a user with restricted permissions.

  • Use the restricted user’s accessKey and secretKey to register the data source with LightBeam.

  • During registration, users select the regions to scan. LightBeam then scans all tables within the selected regions.

Metadata Scanning

  • LightBeam scans the tables present in regions configured in scan conditions (each region is treated as a separate database).

  • For each table, each document is treated as a row.

  • All first-level fields in the documents are considered columns.

  • First-level fields that are maps or lists are categorized as Blobs.

PII Detection

LightBeam fetches sample data for each table and classifies the first-level fields in its documents. A field (column) may be classified as a single attribute, or as multi-attribute when its nested fields contain varied PII types.

Full Blob Scan

  • LightBeam provides an option for a comprehensive scan of blob columns, to ensure detection of all potential attribute types.

  • Users can opt for a full scan of marked blob columns, which LightBeam conducts periodically (every 15 days) in the background.

  • Due to the resource-intensive nature of full scans, this feature is not enabled by default and is activated upon user configuration.
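
The row, column and Blob mapping described under Metadata Scanning, together with the nested fields that PII Detection and Full Blob Scan refer to, can be sketched as follows. This is an added example, not LightBeam's code: the function names and sample items are constructed, and treating only the `M` (map) and `L` (list) type descriptors of DynamoDB JSON as Blobs is an assumption taken from the wording above.

```python
# Added illustration; not LightBeam's implementation.
# DynamoDB's low-level API encodes every attribute as {type_descriptor: value}.
BLOB_TYPES = {"M", "L"}  # assumption: only map and list descriptors count as Blobs

def infer_columns(items):
    """Union of first-level fields across sampled items -> kinds seen per column."""
    columns = {}
    for item in items:                       # each document is one row
        for name, attr in item.items():      # first-level fields only
            ((descriptor, _),) = attr.items()
            kind = "Blob" if descriptor in BLOB_TYPES else descriptor
            columns.setdefault(name, set()).add(kind)
    return {name: sorted(kinds) for name, kinds in columns.items()}

def leaf_paths(attr, path):
    """Flatten one attribute into (path, descriptor, value) leaves nested inside it."""
    ((descriptor, value),) = attr.items()
    if descriptor == "M":
        for key in sorted(value):
            yield from leaf_paths(value[key], f"{path}.{key}")
    elif descriptor == "L":
        for index, element in enumerate(value):
            yield from leaf_paths(element, f"{path}[{index}]")
    else:
        yield path, descriptor, value

# Constructed sample items in DynamoDB JSON; all values are made up.
SAMPLE_ITEMS = [
    {"customer_id": {"S": "c-001"}, "age": {"N": "41"},
     "contact": {"M": {"email": {"S": "a@example.com"},
                       "phones": {"L": [{"S": "555-0100"}]}}}},
    {"customer_id": {"S": "c-002"}, "age": {"S": "unknown"},
     "notes": {"L": [{"S": "called on 2024-01-02"}]}},
]

if __name__ == "__main__":
    print(infer_columns(SAMPLE_ITEMS))
    for leaf in leaf_paths(SAMPLE_ITEMS[0]["contact"], "contact"):
        print(leaf)
```

Because items are schemaless, a column can carry more than one type across rows (`age` above), and a single Blob column can hold several distinct kinds of personal data (`contact.email` and `contact.phones[0]`).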


Onboarding DynamoDB Data Source

  1. Log in to your LightBeam instance.

  2. Click on DATASOURCES on the Top Navigation Bar.

  3. Click on “Add a data source”.

Figure 1. Add Data Source

  4. Search for DynamoDB.

Figure 2. Search DynamoDB

  5. Click on DynamoDB.

Figure 3. Click on DynamoDB.

  6. Configure Basic Details

In the Basic Details section, enter the following information:

  • Instance Name: Provide a unique name for the DynamoDB data source (e.g., DynamoDB Datasource).

  • Primary Owner: Enter the email address of the individual responsible for this data source (e.g., [email protected]).

  • Source of Truth (Optional): Toggle this option on if this database serves as a single source of truth for entity validation.

  • Description (Optional): Add a brief description of the database (e.g., "DynamoDB Datasource Instance").

  7. Additional Details (Optional)

In this section, you can specify metadata attributes related to the data source:

  • Location: The location of the data source.

  • Purpose: The purpose of the data being collected/processed.

  • Stage: The stage of the data source. Example: Source, Processing, Archival, etc.

Figure 4. DynamoDB - Basic Configuration

  8. Enter Connection Details

Provide the following details in the Connection section:

  • Access Key: The AWS IAM user's access key to authenticate with DynamoDB.

  • Secret Key: The AWS IAM user's secret key for authentication.

  9. Click Test Connection to validate the credentials. If successful, you will see a Test Connection Success message.

  10. Click Next to proceed.

Figure 5. DynamoDB - Connection details

  11. Configure Scan Settings

  • Set Scan Frequency

    • Scan Every: Select the scan interval (e.g., 1 Month).

    • Scan Day: Select a specific day for scanning, from Day 1 to the last day of the month.

    The default start time is 12:00 AM UTC.

Figure 6. DynamoDB - Scan Settings - Frequency

In the next step, you will see a list of the databases available through your DynamoDB connection. As described under Metadata Scanning, each database corresponds to an AWS region.

  12. Select Databases to Scan

You can choose to scan:

a. All current and future databases – This ensures any new databases added in the future are included automatically.

b. Selected databases only – Manually select specific databases for scanning.

Figure 8. DynamoDB - Scanning Scope

i. Adding Databases to the Inclusion / Scan List

If you choose Scan selected databases only, follow these steps to select databases:

  • Search for a Database: Use the search box to find the database you want to include.

  • Add Database to the Scan List: Click the “+ Add to Inclusion / Scan List” button to add the selected database to the scan list. The selected database will then appear in the list below.

  • Review and Confirm: The added databases will be displayed in the Inclusion / Scan List section. In this example, us-east-2 is selected for scanning.

  • Remove a Database (If Needed): If you want to remove a database, click the trash bin icon next to it.

  13. Once you have selected the databases, click Save to proceed.

Figure 7. DynamoDB - Database Selection

  14. Finally, click on Start Sampling to connect to the DynamoDB datasource.


APPENDIX

Minimal permissions setup

To scan DynamoDB tables, LightBeam requires a user with read-only access.

Create an IAM user in AWS and assign the AmazonDynamoDBReadOnlyAccess managed policy to this user.

Once the user is created, provide its Access Key and Secret Key to LightBeam so that it can perform database scans.

Note:

If the DynamoDB tables are encrypted with KMS, the following permission must be added to the policy. Every key used for encryption must be specified in the Resource field.

{
	"Sid": "VisualEditor6",
	"Effect": "Allow",
	"Action": [
		"kms:Decrypt"
	],
	"Resource": "arn:aws:kms:<AWS region>:<account_id>:key/<key_id>"
}
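
Before attaching a custom policy to the scanning user, it can be checked against the two constraints stated above: read-only DynamoDB access, and kms:Decrypt limited to named keys. The following is an added example, not part of LightBeam's tooling. The `lint_policy` function, the read-action prefix list, and the sample policies (including the account ID and key ID) are constructed assumptions; adjust the prefix list to the actions you actually grant.

```python
import json
import re

# Assumption: DynamoDB actions starting with these prefixes are read-only.
READ_PREFIXES = ("get", "batchget", "query", "scan", "describe", "list")
KEY_ARN = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9A-Za-z-]+$")

def as_list(value):
    # IAM allows Statement, Action and Resource to be a single value or a list.
    return value if isinstance(value, list) else [value]

def lint_policy(policy_json):
    """Return findings for Allow statements broader than read-only scanning needs."""
    findings = []
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        uses_kms = False
        for action in as_list(stmt.get("Action", [])):
            service, _, name = action.lower().partition(":")
            if service == "dynamodb" and not name.startswith(READ_PREFIXES):
                findings.append(f"{sid}: {action} is not a read action")
            elif service == "kms":
                uses_kms = True
                if name != "decrypt":
                    findings.append(f"{sid}: {action} exceeds kms:Decrypt")
            elif service == "*":
                findings.append(f"{sid}: wildcard action")
        if uses_kms:  # every KMS resource must be one concrete key ARN
            for res in as_list(stmt.get("Resource", [])):
                if not KEY_ARN.match(res):
                    findings.append(f"{sid}: KMS resource {res!r} is not a specific key ARN")
    return findings

# Constructed sample policies; the account ID and key ID are placeholders.
GOOD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadTables", "Effect": "Allow", "Resource": "*",
     "Action": ["dynamodb:Scan", "dynamodb:DescribeTable", "dynamodb:ListTables"]},
    {"Sid": "DecryptTableKey", "Effect": "Allow", "Action": ["kms:Decrypt"],
     "Resource": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
]})
BAD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    {"Sid": "AnyKey", "Effect": "Allow", "Action": ["kms:Decrypt", "kms:Encrypt"], "Resource": "*"},
]})
```

A statement that still contains the unfilled `<AWS region>:<account_id>:key/<key_id>` template is reported as well, since it does not match a concrete key ARN.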

Validate permissions to the database

Next, validate these permissions against the database. This confirms that the credentials you provided are authorized to access it. After validating the permissions, you can configure LightBeam Spectra on the system.

Steps

  1. First, clone the repository https://github.com/lightbeamai/lb-installer

  2. Go into the sql_user_check_dynamodb directory.

  3. Please refer to the README.md file in the directory for detailed instructions.


About LightBeam

LightBeam automates Privacy, Security, and AI Governance, so businesses can accelerate their growth in new markets. Leveraging generative AI, LightBeam has rapidly gained customers’ trust by pioneering a unique privacy-centric and automation-first approach to security. Unlike siloed solutions, LightBeam ties together sensitive data cataloging, control, and compliance across structured and unstructured data applications providing 360-visibility, redaction, self-service DSRs, and automated ROPA reporting ensuring ultimate protection against ransomware and accidental exposures while meeting data privacy obligations efficiently. LightBeam is on a mission to create a secure privacy-first world helping customers automate compliance against a patchwork of existing and emerging regulations.

For any questions or suggestions, please get in touch with us at: [email protected].
