AWS Identity and Access Management
User Guide

Amazon DynamoDB: Allows Row-Level Access to DynamoDB Based on an Amazon Cognito ID

This example shows how you might create a policy that allows row-level access to a specific DynamoDB table based on an Amazon Cognito ID. To use this policy, replace the placeholder values in angle brackets (<REGION>, <ACCOUNTNUMBER>, and <TABLE-NAME>) in the example policy with your own information.

To use this policy, you must structure your DynamoDB table so the Cognito user ID is the partition key. For more information, see Creating a Table in the Amazon DynamoDB Developer Guide.

To learn more about DynamoDB condition keys, see Specifying Conditions: Using Condition Keys in the Amazon DynamoDB Developer Guide.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:UpdateItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:<REGION>:<ACCOUNTNUMBER>:table/<TABLE-NAME>"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        "${cognito-identity.amazonaws.com:sub}"
                    ]
                }
            }
        }
    ]
}
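As an added example (not part of this guide), the small Python evaluator below shows how the condition above resolves per caller: the policy variable is substituted with the caller's Cognito identity and ForAllValues:StringEquals is applied to the partition-key values the request touches (dynamodb:LeadingKeys). The table ARN, identity IDs and request keys are constructed values.

```python
import json
import re

# Constructed stand-ins for <REGION>, <ACCOUNTNUMBER> and <TABLE-NAME>.
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/UserData"
ALICE_SUB = "us-east-1:11111111-1111-1111-1111-111111111111"  # constructed
BOB_SUB = "us-east-1:22222222-2222-2222-2222-222222222222"    # constructed

# The policy from the guide, with the placeholders filled in.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:PutItem",
               "dynamodb:Query", "dynamodb:UpdateItem"],
    "Resource": ["%s"],
    "Condition": {"ForAllValues:StringEquals": {
      "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]}}
  }]
}""" % TABLE_ARN)


def substitute_variables(value, context):
    """Resolve ${var} policy variables from the request context."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: context.get(m.group(1), m.group(0)), value)


def for_all_values_string_equals(request_values, condition_values):
    """ForAllValues is a set operator: every value in the request must match
    one of the condition values. An empty request set matches vacuously,
    which is the documented IAM behaviour for ForAllValues."""
    return all(v in condition_values for v in request_values)


def is_allowed(policy, action, resource, cognito_sub, leading_keys):
    """Evaluate one request against the policy's Allow statements.
    leading_keys: partition-key values the request touches."""
    context = {"cognito-identity.amazonaws.com:sub": cognito_sub}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if resource not in stmt["Resource"]:
            continue
        cond = stmt.get("Condition")
        if cond is None:
            return True
        allowed = [substitute_variables(v, context) for v in
                   cond["ForAllValues:StringEquals"]["dynamodb:LeadingKeys"]]
        if for_all_values_string_equals(leading_keys, allowed):
            return True
    return False  # no matching Allow: implicit deny
```

A request that mixes the caller's own key with another identity's key is denied, because ForAllValues requires every key to match; actions not listed in the statement (for example dynamodb:Scan) are denied regardless of the condition.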