AWS Documentation » Amazon DynamoDB » Developer Guide » Controlling Access to Amazon DynamoDB Resources	« Previous Next »
	Did this page help you? Yes \| No \| Tell us about it...

Controlling Access to Amazon DynamoDB Resources

Amazon DynamoDB integrates with AWS Identity and Access Management (IAM), a service that enables you to do the following:

Create users and groups under your AWS account
Easily share your AWS resources between the users in your AWS account
Assign unique security credentials to each user
Control each user's access to services and resources
Get a single bill for all users in your AWS account

For more information about IAM, see the following:

For Amazon DynamoDB, IAM lets you give other users of your AWS Account access to Amazon DynamoDB tables within the AWS Account. For example, Joe can create an Amazon DynamoDB table, and then write an IAM policy specifying which Users in his AWS Account can access that table. Joe can't give another AWS Account (or Users in another AWS Account) access to his AWS Account's Amazon DynamoDB tables.

For examples of policies that cover Amazon DynamoDB operations and resources, see Example Policies for Amazon DynamoDB.

Amazon Resource Names (ARNs) for Amazon DynamoDB

Amazon DynamoDB supports IAM policies using ARNs per table, and require the account ID (found on your Account Activity page beneath the account name), as well. Use the following ARN Resource format.

"Resource": "arn:aws:dynamodb:<region>:<accountID>:table/<tablename>"

When you use the Query API on a Local Secondary Index by passing in the IndexName parameter, the ARN includes the name of the index in the following format.

"Resource": "arn:aws:dynamodb:<region>:<accountID>:table/<tablename>/index/<indexname>"

Note

The ListTables API, which lists the table names owned by the current account making the request for the current the region, is the only operation that does not support resource-level ARN policies.

Amazon DynamoDB Actions

In an IAM policy, you can specify any and all operations that Amazon DynamoDB offers. You must prefix each action name with the lowercase string dynamodb:. For example: dynamodb:GetItem, dynamodb:Query, dynamodb:* (for all Amazon DynamoDB operations). For a list of the operations, see Using the Amazon DynamoDB API.

Amazon DynamoDB Keys

Amazon DynamoDB implements the following policy keys, but no product-specific ones. For more information about policy keys, see Condition.

AWS-Wide Policy Keys

aws:CurrentTime—To check for date/time conditions.
aws:EpochTime—To check for date/time conditions using a date in epoch or UNIX time.
aws:MultiFactorAuthAge—To check how long ago (in seconds) the MFA-validated security credentials making the request were issued using Multi-Factor Authentication (MFA). Unlike other keys, if MFA is not used, this key is not present.
aws:principaltype—To check the type of principal (user, account, federated user, etc.) for the current request.
aws:SecureTransport—To check whether the request was sent using SSL. For services that use only SSL, such as Amazon RDS and Amazon Route 53, the aws:SecureTransport key has no meaning.
aws:SourceArn—To check the source of the request, using the Amazon Resource Name (ARN) of the source. (This value is available for only some services. For more information, see Amazon Resource Name (ARN) under "Element Descriptions" in the Amazon Simple Queue Service Developer Guide.)
aws:SourceIp—To check the IP address of the requester. Note that if you use aws:SourceIp, and the request comes from an Amazon EC2 instance, the public IP address of the instance is evaluated.
aws:UserAgent—To check the client application that made the request.
aws:userid—To check the user ID of the requester.
aws:username—To check the user name of the requester, if available.

Note

Key names are case sensitive.

Example Policies for Amazon DynamoDB

This section shows several simple policies for controlling User access to Amazon DynamoDB tables.

Example 1: Allow a group to use any Amazon DynamoDB actions on all tables

In this example, we create a policy that lets the group use any operation on any of the AWS Account's tables.

{
   "Statement":[{
      "Effect":"Allow",
      "Action":"dynamodb:*",
      "Resource":"*"
      }
   ]
}

Example 2: Allow a group to get data from items in the AWS Account's tables

In this example, we create a policy that lets the group use only the GetItem and BatchGetItem operations with any of the AWS Account's tables.

{
   "Statement":[{
      "Effect":"Allow",
      "Action":["dynamodb:GetItem","dynamodb:BatchGetItem"],
      "Resource":"*"
      }
   ]
}

Example 3: Allow one account to put, update, and delete items in one table

In this example, we create a policy that lets the recipient use the PutItem, UpdateItem and DeleteItem actions with a table named "books_table", which is owned by AWS Account number 123456789.

{
   "Statement":[{
      "Effect":"Allow",
      "Action":["dynamodb:PutItem","dynamodb:UpdateItem","dynamodb:DeleteItem"],
      "Resource":"arn:aws:dynamodb:us-west-2:123456789:table/books_table"
      }
   ]
}

Example 4: Deny a partner operations that change data

IAM Roles provide a way to share a table with another AWS Account. For details on creating a Role and granting access to another AWS Account, see Roles in the IAM documentation.

In this example, we create an IAM Role for the partner, and create a policy for the Role that gives access to all the operations except those that edit data; essentially, they have read-only access. Attach the following policy to the IAM Role:

{
   "Statement":[{
         "Effect":"Allow",
         "Action":["dynamodb:ListTables", "dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:BatchGetItem",
             "dynamodb:Query", "dynamodb:Scan"],
         "Resource":"*"
      }
   ]
}

Note

This example uses an Allow action and enumerates each of the "read" operations supported by Amazon DynamoDB. An alternative approach could use a Deny action and enumerate each of the "write" operations. However, the illustrated Allow approach is recommended because new "write" operations may be added to Amazon DynamoDB in the future, which could result unintended access with the Deny approach.

Example 5: Separating Production and Test Environments – Using IAM Variables

Suppose you maintain separate production and test environments where each environment maintains its own version of a table named ProductCatalog . If you create these tables from the same AWS account, testing work might affect the production environment, because, for example, the limits on concurrent create and delete operations are set at the AWS account level. As a result, each operation in the test environment reduces the number of operations that are available in your production environment. There is also a risk that the code in your test environment might accidentally access tables in the production environment. To prevent these issues, you might consider creating separate AWS accounts for the production and testing.

Suppose further that you have two developers, Bob and Alice, who are testing the ProductCatalog table. Instead of creating a separate AWS account for every developer, your developers can share the same test account. You might create a copy of the same table for each developer, such as Bob_ProductCatalog and Alice_ProductCatalog . In this case, you can create IAM users Bob and Alice in the AWS account that you created for the test environment. You can then allow these users to perform DynamoDB actions on to the tables that they own. You have the following policy options to grant the user permissions:

Create a separate policy for each user and attach the policy to the users separately. For example, you can attach the following policy to user Alice to allow her access to all DynamoDB actions on the Alice_ProductCatalog table.
```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":["dynamodb:*"],
         "Resource":"arn:aws:dynamodb:us-west-2:123456789:table/Alice_ProductCatalog"
      }
   ]
}    
```
You would then create a similar policy with a different resource ( Bob_ProductCatalog table) for user Bob.
To test these policies in your own environment, you will need to replace the example account ID "123456789" with your AWS account ID. If you want to test them on the Amazon DynamoDB console, the console requires permission for additional Amazon DynamoDB, Amazon CloudWatch, and Amazon Simple Notification Services actions, as shown in the following policy:
```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":["dynamodb:*"],
         "Resource":"arn:aws:dynamodb:us-west-2:123456789:table/Alice_ProductCatalog"
      },
      {
         "Effect":"Allow",
         "Action":["dynamodb:ListTables", "dynamodb:DescribeTable", "cloudwatch:*", "sns:*"],
         "Resource":"*"
      }
   ]
}    
```
Instead of attaching policies to individual users, you can use policy variables to write a single policy and attach it a group. You will need to create a group and, for this example, add both users Alice and user Bob to the group. The following example allows all Amazon DynamoDB actions on the ${aws:username}_ProductCatalog table. The placeholder policy variable ${aws:username} is replaced by the requester's user name when the policy is evaluated. For example, if Alice sends a request to add an item, the action is allowed only if Alice is adding item to the Alice_ProductCatalog table.
```
 {
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":["dynamodb:*"],
         "Resource":"arn:aws:dynamodb:us-west-2:123456789:table/${aws:username}_ProductCatalog"
      },
      {
         "Effect":"Allow",
         "Action":["dynamodb:ListTables", "dynamodb:DescribeTable", "cloudwatch:*", "sns:*"],
         "Resource":"*"
      }
   ]
}     
```

Note

When using policy variables, you must explicitly specify version 2012-10-17 in the policy. The default version of the access policy language, 2008-10-17, does not support policy variables.

Note that, instead of identifying a specific table as a resource, you could use a wild card (*) to grant permissions on all tables whose name is prefixed with the name of the IAM user who is logged making the request.

"Resource":"arn:aws:dynamodb:us-west-2:123456789:table/${aws:username}_*"

Example 6: Allow read-only access to a specific table and all of its indexes

You may want to limit access of one of your Users to a specific table and its indexes.

In this example, we create an IAM User and create a policy for the User that gives access to all operations on the table named "books_table" and all of its indexes. To test this policy in your own environment, you will need to replace the example account ID "123456789" with your AWS account ID.

{
   "Statement":[{
         "Effect":"Allow",
         "Action":["dynamodb:*"],
         "Resource": ["arn:aws:dynamodb:us-west-2:123456789:table/books_table", 
                      "arn:aws:dynamodb:us-west-2:123456789:table/books_table/index/*"]
      }
   ]
}

Document Conventions	« Previous Next »
Terms of Use	Did this page help you? Yes \| No \| Tell us about it...