Amazon DynamoDB
Developer Guide (API Version 2012-08-10)

Authentication and Access Control for Amazon DynamoDB

Access to DynamoDB requires credentials that AWS can use to authenticate your requests. Those credentials must also have permissions to access the AWS resources involved, such as a DynamoDB table or an AWS Lambda function. The following sections describe how you can use AWS Identity and Access Management (IAM) together with DynamoDB to help secure your resources by controlling who can access them.

Authentication

When you sign up for AWS, you provide an email address and password that are associated with your AWS account. These are your root credentials and they provide complete access to all of your AWS resources.

For security reasons, we recommend that you use the root credentials only once, to create an administrator user with full permissions to your AWS account (see IAM Best Practices), and that you do all further work as that administrator user. You can then use the administrator user to create other IAM users and roles with limited permissions. For instructions, see Creating an Administrators Group in the IAM User Guide.

An IAM user is simply an identity within your AWS account that you create in the IAM service that has specific custom permissions (for example, permission to create a DynamoDB table). You can use an IAM user name and password to sign in to secure AWS webpages like the AWS Management Console, AWS Discussion Forums, or the AWS Support Center.

You can also generate access keys for each user. Access keys authenticate requests that are made programmatically, either through one of the AWS SDKs or with the AWS Command Line Interface (CLI). The SDK and CLI tools use the access keys that you provide to cryptographically sign each request; the secret access key is used only to compute the signature and is never itself transmitted. If you don't use the AWS tools, you must sign the requests yourself. DynamoDB supports Signature Version 4, a protocol for authenticating inbound API requests. For more information about authenticating requests, see Signature Version 4 Signing Process in the Amazon Web Services General Reference.

Instead of creating an IAM user, you can also use pre-existing user identities from AWS Directory Service, your enterprise user directory, or a web identity provider. These are referred to as federated users. Federated users access AWS services and resources through an IAM role, which is similar to an IAM user but is not associated with a specific person. Instead, a role is assigned to a federated user dynamically when the user requests access through an identity provider; the role lets the federated user obtain temporary access keys (an access key ID, a secret access key, and a session token), which they use to sign their requests. IAM roles can also be used for other purposes, such as granting other AWS accounts permission to access your account's resources. For more information about federated users, see Federated Users and Roles in the IAM User Guide.
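The two preceding paragraphs describe Signature Version 4 signing with long-term access keys and with the temporary credentials a federated user gets through a role. The following Python block is an added example, not code from the DynamoDB Developer Guide or from the AWS SDKs: it signs a DynamoDB GetItem request the way an SDK would and then models the service-side check that recomputes and compares the signature. The access key pair is the placeholder pair that AWS documentation uses; the session token, timestamp and table name are constructed; the `lookup_secret` callback stands in for the service's credential store; and the verifier checks only the signature (the real service additionally validates the session token and rejects requests whose timestamp is too far from its clock).

```python
"""Signature Version 4 for a DynamoDB request: signer side and verifier side.
Added example, not AWS code. Key pair: AWS documentation placeholder. Session
token, timestamp and table name: constructed. Token validity and clock skew
are not modelled; only the HMAC signature check is."""
import hashlib
import hmac
import json
from urllib.parse import quote

ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"                    # documentation placeholder
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"   # documentation placeholder
SESSION_TOKEN = "FQoGZXIvYXdzEXAMPLETOKEN"               # constructed; only temporary creds carry one
REGION, SERVICE = "us-east-1", "dynamodb"
HOST = f"dynamodb.{REGION}.amazonaws.com"
AMZ_DATE = "20150830T123600Z"                            # constructed; real clients use current UTC time

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Scoped signing key: an HMAC chain rooted in 'AWS4' + secret. The secret itself never
    leaves the client, and a leaked derived key only works for one day, region and service."""
    k_date = hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")

def canonical_request(method, path, query, headers, payload):
    """Canonical request over lowercase header names; returns (text, signed_headers)."""
    canon_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                           for k, v in sorted(query.items()))
    names = sorted(headers)
    canon_headers = "".join(f"{n}:{' '.join(headers[n].split())}\n" for n in names)
    signed_headers = ";".join(names)
    text = "\n".join([method, path, canon_query, canon_headers, signed_headers, sha256_hex(payload)])
    return text, signed_headers

def string_to_sign(amz_date, scope, canon_text):
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, sha256_hex(canon_text.encode("utf-8"))])

def sign_request(method, path, query, headers, payload, key_id, secret, token, amz_date, region, service):
    """Client side: add X-Amz-Date, X-Amz-Security-Token (temporary creds only) and Authorization."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    hdrs["x-amz-date"] = amz_date
    if token:
        hdrs["x-amz-security-token"] = token  # federated/temporary credentials must send their token
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    canon_text, signed_headers = canonical_request(method, path, query, hdrs, payload)
    sig = hmac.new(signing_key(secret, date_stamp, region, service),
                   string_to_sign(amz_date, scope, canon_text).encode("utf-8"), hashlib.sha256).hexdigest()
    hdrs["authorization"] = (f"AWS4-HMAC-SHA256 Credential={key_id}/{scope}, "
                             f"SignedHeaders={signed_headers}, Signature={sig}")
    return hdrs

def verify_request(method, path, query, headers, payload, lookup_secret):
    """Service side (model): parse Authorization, recompute the signature over the signed headers
    and the payload actually received, using the secret for the key ID, and compare in constant time."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    auth = hdrs.get("authorization", "")
    if not auth.startswith("AWS4-HMAC-SHA256 "):
        return False
    fields = dict(p.strip().split("=", 1) for p in auth[len("AWS4-HMAC-SHA256 "):].split(","))
    key_id, date_stamp, region, service, _ = fields["Credential"].split("/")
    signed = fields["SignedHeaders"].split(";")
    secret = lookup_secret(key_id)   # hypothetical credential-store lookup
    amz_date = hdrs.get("x-amz-date", "")
    if secret is None or amz_date[:8] != date_stamp or any(n not in hdrs for n in signed):
        return False
    canon_text, _ = canonical_request(method, path, query, {n: hdrs[n] for n in signed}, payload)
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    expected = hmac.new(signing_key(secret, date_stamp, region, service),
                        string_to_sign(amz_date, scope, canon_text).encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, fields["Signature"])

def demo():
    """Sign a GetItem call with temporary credentials, verify it, then show a tampered body fails."""
    payload = json.dumps({"TableName": "Music", "Key": {"Artist": {"S": "No One You Know"}}}).encode()
    headers = {"Host": HOST, "Content-Type": "application/x-amz-json-1.0",
               "X-Amz-Target": "DynamoDB_20120810.GetItem"}
    signed = sign_request("POST", "/", {}, headers, payload, ACCESS_KEY_ID, SECRET_KEY,
                          SESSION_TOKEN, AMZ_DATE, REGION, SERVICE)
    lookup = lambda kid: SECRET_KEY if kid == ACCESS_KEY_ID else None
    tampered = payload.replace(b"No One You Know", b"Someone Else")
    return {"authorization": signed["authorization"],
            "valid": verify_request("POST", "/", {}, signed, payload, lookup),
            "tampered": verify_request("POST", "/", {}, signed, tampered, lookup)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points worth noticing in the verifier: the payload hash is part of the canonical request, so any change to the request body invalidates the signature without the signer having to sign the body directly, and `X-Amz-Date` is among the signed headers, so a captured request cannot simply be re-dated and replayed.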

Access Control

You can have valid credentials to authenticate your requests, but unless you also have permissions you cannot create or access DynamoDB resources. Permissions are granted through policies, and a request that no policy allows is denied by default. For example, you must have permissions to create a DynamoDB table, to read and write data in a table, and to allow an AWS Lambda function to process records from DynamoDB Streams.
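To make the "authenticated but not authorized" case concrete, the following Python block is an added example, not code from the DynamoDB Developer Guide: a deliberately simplified model of IAM policy evaluation (explicit Deny wins, otherwise an Allow is required, otherwise the request is implicitly denied) applied to the three permissions the paragraph names. It models identity-based policies with `Action`, `Resource` and the `*`/`?` wildcards only; `Condition`, `NotAction`, resource-based policies, service control policies and permission boundaries are left out. The account ID, table name and ARNs are constructed.

```python
"""Simplified IAM evaluation for DynamoDB actions. Added example, not AWS code.
Models only: explicit Deny > Allow > implicit deny, with '*'/'?' wildcards on
Action and Resource. Account ID, table name and ARNs are constructed."""
import fnmatch

ACCOUNT_ID = "123456789012"                                         # constructed
TABLE_ARN = f"arn:aws:dynamodb:us-east-1:{ACCOUNT_ID}:table/Music"  # constructed
STREAM_ARN = f"{TABLE_ARN}/stream/2015-08-30T12:36:00.000"          # constructed

def _as_list(value):
    return value if isinstance(value, list) else [value]

def action_matches(pattern: str, action: str) -> bool:
    # Action names are case-insensitive; '*' and '?' are IAM wildcards
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def resource_matches(pattern: str, arn: str) -> bool:
    # ARNs are matched case-sensitively
    return fnmatch.fnmatchcase(arn, pattern)

def evaluate(policies, action: str, resource: str) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one action on one resource."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
                continue
            if not any(resource_matches(p, resource) for p in _as_list(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"    # an explicit Deny overrides any Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"   # no matching Allow: denied by default

# Least-privilege policy for an application that only reads and writes items in one table
APP_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
               "dynamodb:DeleteItem", "dynamodb:Query"],
    "Resource": TABLE_ARN}]}

# What a Lambda function needs in order to read records from the table's stream
STREAM_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["dynamodb:DescribeStream", "dynamodb:GetRecords",
               "dynamodb:GetShardIterator", "dynamodb:ListStreams"],
    "Resource": STREAM_ARN}]}

# A broad Allow with a guard-rail: deleting tables is explicitly denied everywhere
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "dynamodb:DeleteTable", "Resource": "*"}]}

def demo():
    """Each entry pairs a principal's policies with one request it might make."""
    return {
        "app_get_item": evaluate([APP_POLICY], "dynamodb:GetItem", TABLE_ARN),
        "app_create_table": evaluate([APP_POLICY], "dynamodb:CreateTable", TABLE_ARN),
        "app_read_stream": evaluate([APP_POLICY], "dynamodb:GetRecords", STREAM_ARN),
        "lambda_read_stream": evaluate([STREAM_POLICY], "dynamodb:GetRecords", STREAM_ARN),
        "admin_delete_table": evaluate([ADMIN_POLICY], "dynamodb:DeleteTable", TABLE_ARN),
        "admin_query": evaluate([ADMIN_POLICY], "dynamodb:Query", TABLE_ARN),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The `app_read_stream` entry shows the detail that most often bites in practice: a policy scoped to the table ARN does not cover the stream, whose ARN is a separate resource under the table, so a function that reads the stream needs the stream permissions granted explicitly.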

The following sections describe how to manage permissions for DynamoDB. We recommend that you read the overview first.