AWS Identity and Access Management
User Guide

Amazon DynamoDB: Allows Access to Specific Columns

This example shows how you might create an identity-based policy that allows access only to specific attributes (columns) of a DynamoDB table. To use this policy, replace the placeholder values in angle brackets in the example policy with your own information.

The ForAllValues:StringEquals condition on dynamodb:Attributes requires that every attribute name the request names or returns (for example, in a ProjectionExpression, in the item passed to PutItem, or in an UpdateExpression) appears in the allowed list. Because a ForAllValues condition evaluates to true when its key is absent from the request context, the policy also constrains dynamodb:Select: if a Query request specifies Select at all, its value must be SPECIFIC_ATTRIBUTES. This dynamodb:Select requirement prevents the API action from returning any attributes that aren't allowed, such as all attributes of an index projection. The allowed list must also include the table's primary key attributes (and the key attributes of any index the policy names), because DynamoDB needs those attributes to perform the requested action. To learn more about DynamoDB condition keys, see Specifying Conditions: Using Condition Keys in the Amazon DynamoDB Developer Guide. To learn about using multiple conditions or multiple condition keys within the Condition block of an IAM policy, see Multiple Values in a Condition.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetItem",
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:BatchWriteItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:<REGION>:<ACCOUNTNUMBER>:table/<TABLE-NAME>"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:Attributes": [
                        "<COLUMN-NAME-1>",
                        "<COLUMN-NAME-2>",
                        "<COLUMN-NAME-3>"
                    ]
                },
                "StringEqualsIfExists": {
                    "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
                }
            }
        }
    ]
}
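The following is an added worked example, not part of the AWS User Guide and not AWS's policy evaluation engine. It renders the policy above with assumed values (region us-west-2, account 123456789012, table Orders, allowed attributes CustomerId, OrderId and OrderTotal) and models only the two condition operators the policy uses, so you can see why each sample request is allowed or denied. The request contexts are constructed by hand: in a real call DynamoDB populates dynamodb:Attributes from the ProjectionExpression, the written item, or the UpdateExpression, and dynamodb:Select from the Query request's Select parameter.

```python
"""Worked evaluation of the attribute-level DynamoDB policy on this page.

Added example, not AWS's own code: it models the two condition operators the
policy uses (ForAllValues:StringEquals and StringEqualsIfExists) against
hand-built request contexts.
"""
import json

# Assumed placeholder values; use your own region, account, table and attributes.
REGION = "us-west-2"
ACCOUNT = "123456789012"
TABLE = "Orders"
ALLOWED_ATTRIBUTES = ["CustomerId", "OrderId", "OrderTotal"]  # include the key attributes
TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/{TABLE}"


def build_policy(region, account, table, attributes):
    """Render the page's policy with the placeholders filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query",
                       "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem",
                       "dynamodb:BatchWriteItem"],
            "Resource": [f"arn:aws:dynamodb:{region}:{account}:table/{table}"],
            "Condition": {
                "ForAllValues:StringEquals": {"dynamodb:Attributes": list(attributes)},
                "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"},
            },
        }],
    }


def condition_matches(operator, policy_values, request_values):
    """Evaluate one condition key; request_values is None when the key is absent."""
    if isinstance(policy_values, str):
        policy_values = [policy_values]
    if operator == "ForAllValues:StringEquals":
        # Set operator: every request value must be in the policy list. An absent
        # key is an empty set, which matches vacuously (documented IAM behaviour).
        return all(v in policy_values for v in (request_values or []))
    if operator == "StringEqualsIfExists":
        # ...IfExists: an absent key matches; a present key must equal a policy value.
        if request_values is None:
            return True
        return all(v in policy_values for v in request_values)
    raise ValueError(f"operator not modelled: {operator}")


def is_allowed(policy, action, resource, context):
    """Single-policy evaluation: any matching Allow statement grants, else implicit deny."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if resource not in stmt["Resource"]:
            continue
        condition = stmt.get("Condition", {})
        if all(condition_matches(op, values, context.get(key))
               for op, block in condition.items()
               for key, values in block.items()):
            return True
    return False


def context_for(attributes=None, select=None):
    """Build a request context by hand (simplification: the caller lists the
    attribute names the request names or returns instead of parsing expressions)."""
    ctx = {}
    if attributes is not None:
        ctx["dynamodb:Attributes"] = list(attributes)
    if select is not None:
        ctx["dynamodb:Select"] = [select]
    return ctx


def run_samples():
    """Constructed requests against the rendered policy; returns decisions by name."""
    policy = build_policy(REGION, ACCOUNT, TABLE, ALLOWED_ATTRIBUTES)
    other_table = f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/Customers"
    samples = {
        # GetItem whose ProjectionExpression names only permitted attributes
        "getitem_projection_ok": ("dynamodb:GetItem", TABLE_ARN,
                                  context_for(["CustomerId", "OrderTotal"])),
        # UpdateItem that writes an attribute outside the list
        "updateitem_forbidden_attr": ("dynamodb:UpdateItem", TABLE_ARN,
                                      context_for(["OrderId", "CreditCardNumber"])),
        # Query with Select=ALL_ATTRIBUTES and no attribute list: ForAllValues passes
        # vacuously, so only the dynamodb:Select condition denies it
        "query_all_attributes": ("dynamodb:Query", TABLE_ARN,
                                 context_for(select="ALL_ATTRIBUTES")),
        # Query with SPECIFIC_ATTRIBUTES and a permitted projection
        "query_specific_ok": ("dynamodb:Query", TABLE_ARN,
                              context_for(["OrderId", "OrderTotal"], "SPECIFIC_ATTRIBUTES")),
        # Same attributes, different table: Resource does not match
        "other_table": ("dynamodb:GetItem", other_table, context_for(["CustomerId"])),
        # Scan is not in the Action list
        "scan_not_listed": ("dynamodb:Scan", TABLE_ARN,
                            context_for(["CustomerId"], "SPECIFIC_ATTRIBUTES")),
    }
    return {name: is_allowed(policy, *req) for name, req in samples.items()}


if __name__ == "__main__":
    print(json.dumps(build_policy(REGION, ACCOUNT, TABLE, ALLOWED_ATTRIBUTES), indent=2))
    for name, allowed in run_samples().items():
        print(f"{name:28s} {'ALLOW' if allowed else 'DENY'}")
```

Running the script prints the rendered policy and one ALLOW/DENY line per sample; the query_all_attributes case is the one that shows why the dynamodb:Select condition is needed alongside dynamodb:Attributes. To check a real policy rather than this model, the IAM policy simulator (for example `aws iam simulate-custom-policy` with `--context-entries` supplying dynamodb:Attributes and dynamodb:Select) evaluates the actual condition semantics.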