Amazon DynamoDB
Developer Guide (API Version 2012-08-10)

Using IAM to Control Access to DynamoDB Resources

Amazon DynamoDB integrates with AWS Identity and Access Management (IAM), a service that enables you to do the following:

  • Create users and groups under your AWS account

  • Easily share your AWS resources between the users in your AWS account

  • Assign unique security credentials to each user

  • Control each user's access to services and resources

  • Get a single bill for all users in your AWS account

For more information about IAM, see the following:

You can use IAM to grant access to DynamoDB resources and API actions. To do this, you first write an IAM policy, which is a document that explicitly lists the permissions you want to grant. You then attach that policy to an IAM user or role.

For example, an IAM user named Joe could create a DynamoDB table, and then write an IAM policy to allow read-only access to this table. Joe could then apply that policy to selected IAM users, groups or roles in his AWS account. These recipients would then have read-only access to Joe's table.

To create and manage IAM policies, go to the IAM console at

For examples of IAM policies that cover DynamoDB actions and resources, see:

Amazon Resource Names (ARNs) for DynamoDB

When writing IAM policies for DynamoDB, you use Amazon Resource Names (ARNs) to refer to individual tables and indexes. If you want to write an IAM policy for a particular table, you specify an ARN with the table name, the region in which the table is located, and the owners' AWS account number.

Here is an example ARN for a table named Books, which is located in us-west-2 and is owned by AWS account number 12345678012:

"Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/Books"

Here is another example ARN for an index named TitleIndex on the Books table:

"Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/Books/index/TitleIndex"


To find your AWS account number, go to the AWS Management Console and click My Account. Your AWS account number is shown in the upper right portion of the Manage Your Account page. The account number is formatted using dashes (for example, 1234-5678-9012); however, if you use it in an ARN, be sure to remove the dashes (for example, 123456789012).

You can use resource-level ARNs in IAM policies for all DynamoDB actions, with the exception of ListTables. The ListTables action returns the table names owned by the current account making the request for the current region; it is the only DynamoDB action that does not support resource-level ARN policies.

DynamoDB Actions

In an IAM policy, you can specify any of the actions in the DynamoDB API. You must prefix each action name with the lowercase string dynamodb:. Here are some examples:

  • dynamodb:CreateTable

  • dynamodb:PutItem

  • dynamodb:Query

  • dynamodb:UpdateItem

For a list of API actions, see the Amazon DynamoDB API Reference.

DynamoDB allows customers to purchase Reserved Capacity, as described at With Reserved Capacity, you pay a one-time upfront fee and commit to paying for a minimum usage level, at significant savings, over a period of time. The following actions are available for controlling access to Reserved Capacity management:

  • dynamodb:PurchaseReservedCapacityOfferings

  • dynamodb:DescribeReservedCapacityOfferings

  • dynamodb:DescribeReservedCapacity

To refer to all of the DynamoDB actions, use an asterisk:

  • dynamodb:*

Condition Types and Operators

In IAM, a condition is composed of a condition type and an operator. The following condition types are available:

  • String

  • Numeric

  • Date and time

  • Boolean

  • Binary

  • IP address

  • Amazon Resource Name (ARN)

  • ...IfExists

  • Existence of condition keys

The operators that are available depend on the condition type being used. For example, with a String value, you can specify StringEquals, StringNotEquals, StringEqualsIgnoreCase, StringNotEqualsIgnoreCase, StringLike, or StringNotLike.

You can optionally specify a set operator in a condition. The following IAM set operators are available:

  • ForAnyValue — Returns true if any one of the key values matches any one of the condition values.

  • ForAllValues — Returns true if there's a match between every one of the specified key values and at least one condition value.

For more information about IAM condition types and operators, see the Condition section in IAM User Guide.

IAM Policy Keys

The following IAM policy keys are available for DynamoDB and other AWS services.

Policy Keys Specific to DynamoDB

  • dynamodb:LeadingKeys – Represents the first key attribute of a table. For a simple primary key (partition key) or a composite primary key (partition key and sort key), LeadingKeys is just the partition key.

    Note that LeadingKeys is plural, even if it is used with single-item actions. In addition, note that you must use the ForAllValues modifier when using LeadingKeys in a condition.

  • dynamodb:Select – Represents the Select parameter of a Query or Scan request. Select can be any of the following values:




    • COUNT

  • dynamodb:Attributes – Represents a list of the attribute names in a request, or the attributes that are returned from a request. The value for Attributes is expressed as the parameter name of a DynamoDB action.

    Parameter NameAPI Actions That Use This Parameter
    AttributesToGetBatchGetItem, GetItem, Query, Scan
    ExpectedDeleteItem, PutItem, UpdateItem

  • dynamodb:ReturnValues – Represents the ReturnValues parameter of a request. ReturnValues can be any of the following values:

    • ALL_OLD


    • ALL_NEW


    • NONE

  • dynamodb:ReturnConsumedCapacity – Represents the ReturnConsumedCapacity parameter of a request. ReturnConsumedCapacity can be one of the following values:

    • TOTAL

    • NONE

In addition to product-specific policy keys, DynamoDB supports the following keys that are common to other AWS services that use AWS Identity and Access Management:

AWS-Wide Policy Keys

  • aws:CurrentTime—To check for date/time conditions.

  • aws:EpochTime—To check for date/time conditions using a date in epoch or UNIX time.

  • aws:MultiFactorAuthAge—To check how long ago (in seconds) the MFA-validated security credentials making the request were issued using Multi-Factor Authentication (MFA). Unlike other keys, if MFA is not used, this key is not present.

  • aws:principaltype—To check the type of principal (user, account, federated user, etc.) for the current request.

  • aws:SecureTransport—To check whether the request was sent using SSL. For services that use only SSL, such as Amazon RDS and Amazon Route 53, the aws:SecureTransport key has no meaning.

  • aws:SourceArn—To check the source of the request, using the Amazon Resource Name (ARN) of the source. (This value is available for only some services. For more information, see Amazon Resource Name (ARN) under "Element Descriptions" in the Amazon Simple Queue Service Developer Guide.)

  • aws:SourceIp—To check the IP address of the requester. Note that if you use aws:SourceIp, and the request comes from an Amazon EC2 instance, the public IP address of the instance is evaluated.

  • aws:UserAgent—To check the client application that made the request.

  • aws:userid—To check the user ID of the requester.

  • aws:username—To check the user name of the requester, if available.


Key names are case sensitive.

For more information about AWS-wide policy keys, see Condition in IAM User Guide.