Amazon DynamoDB integrates with AWS Identity and Access Management (IAM), a service that enables you to do the following:
Create users and groups under your AWS account
Easily share your AWS resources between the users in your AWS account
Assign unique security credentials to each user
Control each user's access to services and resources
Get a single bill for all users in your AWS account
For more information about IAM, see the following:
You can use IAM to grant access to DynamoDB resources and API actions. To do this, you first write an IAM policy, which is a document that explicitly lists the permissions you want to grant. You then attach that policy to an IAM user or role.
For example, an IAM user named Joe could create a DynamoDB table, and then write an IAM policy to allow read-only access to this table. Joe could then apply that policy to selected IAM users, groups or roles in his AWS account. These recipients would then have read-only access to Joe's table.
To create and manage IAM policies, go to the IAM console at https://console.aws.amazon.com/iam/.
For examples of IAM policies that cover DynamoDB actions and resources, see:
When writing IAM policies for DynamoDB, you use Amazon Resource Names (ARNs) to refer to individual tables and indexes. If you want to write an IAM policy for a particular table, you specify an ARN with the table name, the region in which the table is located, and the owners' AWS account number.
Here is an example ARN for a table named Books, which is located in us-west-2 and is owned by AWS account number 12345678012:
Here is another example ARN for an index named TitleIndex on the Books table:
To find your AWS account number, go to the AWS Management Console and click My
Account. Your AWS account number is shown in the upper right portion
of the Manage Your Account page. The account number is
formatted using dashes (for example,
1234-5678-9012); however, if you
use it in an ARN, be sure to remove the dashes (for example,
You can use resource-level ARNs in IAM policies for all DynamoDB actions, with the exception of ListTables. The ListTables action returns the table names owned by the current account making the request for the current region; it is the only DynamoDB action that does not support resource-level ARN policies.
In an IAM policy, you can specify any of the actions in the DynamoDB API. You must prefix each action name with the
dynamodb:. Here are some examples:
To refer to all of the DynamoDB actions, use an asterisk:
For a list of all actions, go to the Amazon DynamoDB API Reference.
In IAM, a condition is composed of a condition type and an operator. The following condition types are available:
Date and time
Amazon Resource Name (ARN)
Existence of condition keys
The operators that are available depend on the condition type being used. For
example, with a String value, you can specify
You can optionally specify a set operator in a condition. The following IAM set operators are available:
ForAnyValue — Returns true if any one of the key
values matches any one of the condition values.
ForAllValues — Returns true if there's a match
between every one of the specified key values and at least one condition
The following IAM policy keys are available for DynamoDB and other AWS services.
Policy Keys Specific to DynamoDB
dynamodb:LeadingKeys – Represents the first key
attribute of a table. For a hash type or a hash-and-range type primary key,
LeadingKeys is just the hash key.
LeadingKeys is plural, even if it is used with
single-item actions. In addition, note that you must use the
ForAllValues modifier when using
LeadingKeys in a
dynamodb:Select – Represents the
Select parameter of a
Select can be any of the
dynamodb:Attributes – Represents a list of the attribute
names in a request, or the attributes that are returned from a request. The
Attributes is expressed as the parameter name of a DynamoDB
|Parameter Name||API Actions That Use This Parameter|
dynamodb:ReturnValues – Represents the
ReturnValues parameter of a request.
ReturnValues can be any of the following values:
dynamodb:ReturnConsumedCapacity – Represents the
ReturnConsumedCapacity parameter of a request.
ReturnConsumedCapacity can be one of the following
In addition to product-specific policy keys, DynamoDB supports the following keys that are common to other AWS services that use AWS Identity and Access Management:
AWS-Wide Policy Keys
aws:CurrentTime—To check for date/time conditions.
aws:EpochTime—To check for date/time conditions using a
date in epoch or UNIX time.
aws:MultiFactorAuthAge—To check how long ago (in
seconds) the MFA-validated security credentials making the request were
issued using Multi-Factor Authentication (MFA). Unlike other keys, if MFA is
not used, this key is not present.
aws:principaltype—To check the type of principal (user, account,
federated user, etc.) for the current request.
aws:SecureTransport—To check whether the request was sent using SSL. For services that use only
SSL, such as Amazon RDS and Amazon Route 53, the
aws:SecureTransport key has no meaning.
aws:SourceArn—To check the source of the request, using the Amazon
Resource Name (ARN) of the source. (This value is available for only some
services. For more information,
Amazon Resource Name (ARN)
under "Element Descriptions" in the Amazon Simple Queue Service Developer Guide.)
aws:SourceIp—To check the IP address of the requester. Note that if
aws:SourceIp, and the request comes from an Amazon EC2
instance, the public IP address of the instance is evaluated.
aws:UserAgent—To check the client application that made
aws:userid—To check the user ID of the requester.
aws:username—To check the user name of the requester, if available.
Key names are case sensitive.