Using IAM to Control Access to DynamoDB Resources
Amazon DynamoDB integrates with AWS Identity and Access Management (IAM), a service that enables you to do the following:
Create users and groups under your AWS account
Easily share your AWS resources between the users in your AWS account
Assign unique security credentials to each user
Control each user's access to services and resources
Get a single bill for all users in your AWS account
For more information about IAM, see the following:
You can use IAM to grant access to DynamoDB resources and API actions. To do this, you first write an IAM policy, which is a document that explicitly lists the permissions you want to grant. You then attach that policy to an IAM user or role.
For example, an IAM user named Joe could create a DynamoDB table, and then write an IAM policy to allow read-only access to this table. Joe could then apply that policy to selected IAM users, groups or roles in his AWS account. These recipients would then have read-only access to Joe's table.
To create and manage IAM policies, go to the IAM console at https://console.aws.amazon.com/iam/.
For examples of IAM policies that cover DynamoDB actions and resources, see:
Amazon Resource Names (ARNs) for DynamoDB
When writing IAM policies for DynamoDB, you use Amazon Resource Names (ARNs) to refer to individual tables and indexes. If you want to write an IAM policy for a particular table, you specify an ARN with the table name, the region in which the table is located, and the owner's AWS account number.
Here is an example ARN for a table named Books, which is located in us-west-2 and is owned by AWS account number 12345678012:
Here is another example ARN for an index named TitleIndex on the Books table:
To find your AWS account number, go to the AWS Management Console and click My Account. Your AWS account number is shown in the upper right portion of the Manage Your Account page. The account number is formatted using dashes (for example, 1234-5678-9012); however, if you use it in an ARN, be sure to remove the dashes (for example, 123456789012).
You can use resource-level ARNs in IAM policies for all DynamoDB actions, with the exception of ListTables. The ListTables action returns the table names owned by the current account making the request for the current region; it is the only DynamoDB action that does not support resource-level ARN policies.
In an IAM policy, you can specify any of the actions in the DynamoDB API. You must prefix each action name with dynamodb:. Here are some examples:
For a list of API actions, see the Amazon DynamoDB API Reference.
DynamoDB allows customers to purchase Reserved Capacity, as described at http://aws.amazon.com/dynamodb/pricing. With Reserved Capacity, you pay a one-time upfront fee and commit to paying for a minimum usage level, at significant savings, over a period of time. The following actions are available for controlling access to Reserved Capacity management:
To refer to all of the DynamoDB actions, use an asterisk:
Condition Types and Operators
In IAM, a condition is composed of a condition type and an operator. The following condition types are available:
Date and time
Amazon Resource Name (ARN)
Existence of condition keys
The operators that are available depend on the condition type being used. For example, with a String value, you can specify
You can optionally specify a set operator in a condition. The following IAM set operators are available:
ForAnyValue — Returns true if any one of the key values matches any one of the condition values.
ForAllValues — Returns true if there's a match between every one of the specified key values and at least one condition value.
IAM Policy Keys
The following IAM policy keys are available for DynamoDB and other AWS services.
Policy Keys Specific to DynamoDB
dynamodb:LeadingKeys – Represents the first key attribute of a table. For a simple primary key (partition key) or a composite primary key (partition key and sort key), LeadingKeys is just the partition key. LeadingKeys is plural, even if it is used with single-item actions. In addition, note that you must use the ForAllValues modifier when using LeadingKeys in a condition.
dynamodb:Select –Represents the Select parameter of a
Select can be any of the following values:
dynamodb:Attributes – Represents a list of the attribute names in a request, or the attributes that are returned from a request. The value for Attributes is expressed as the parameter name of a DynamoDB action.
Parameter Name API Actions That Use This Parameter
BatchGetItem, GetItem, Query, Scan
DeleteItem, PutItem, UpdateItem
dynamodb:ReturnValues – Represents the ReturnValues parameter of a request. ReturnValues can be any of the following values:
dynamodb:ReturnConsumedCapacity – Represents the ReturnConsumedCapacity parameter of a request. ReturnConsumedCapacity can be one of the following values:
In addition to product-specific policy keys, DynamoDB supports the following keys that are common to other AWS services that use AWS Identity and Access Management:
AWS-Wide Policy Keys
aws:CurrentTime — To check for date/time conditions.
aws:EpochTime — To check for date/time conditions using a date in epoch or UNIX time.
aws:MultiFactorAuthAge — To check how long ago (in seconds) the MFA-validated security credentials making the request were issued using Multi-Factor Authentication (MFA). Unlike other keys, if MFA is not used, this key is not present.
aws:principaltype — To check the type of principal (user, account, federated user, etc.) for the current request.
aws:SecureTransport — To check whether the request was sent using SSL. For services that use only SSL, such as Amazon RDS and Amazon Route 53, the aws:SecureTransport key has no meaning.
aws:SourceArn — To check the source of the request, using the Amazon Resource Name (ARN) of the source. (This value is available for only some services. For more information, see Amazon Resource Name (ARN) under "Element Descriptions" in the Amazon Simple Queue Service Developer Guide.)
aws:SourceIp — To check the IP address of the requester. Note that if you use aws:SourceIp, and the request comes from an Amazon EC2 instance, the public IP address of the instance is evaluated.
aws:UserAgent — To check the client application that made the request.
aws:userid — To check the user ID of the requester.
aws:username — To check the user name of the requester, if available.
Key names are case sensitive.
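The following example is added here and is not part of the AWS documentation. It ties together three rules from this page: the account number in a DynamoDB ARN must have its dashes removed, ListTables is the one action that does not accept resource-level ARNs, and dynamodb:LeadingKeys must be used with the ForAllValues modifier. The policy is a constructed one that lets an IAM user read only the items whose partition key equals their own user name (the ${aws:username} policy variable is assumed to be substituted by IAM); dynamodb_arn and lint_policy are hypothetical helper names.

```python
import re

def dynamodb_arn(region, account, table, index=None):
    """Build a table or index ARN. The console shows the account number with
    dashes (1234-5678-9012); an ARN needs the 12 digits without them."""
    account = account.replace("-", "")
    arn = f"arn:aws:dynamodb:{region}:{account}:table/{table}"
    return arn if index is None else f"{arn}/index/{index}"

def lint_policy(policy):
    """Check a policy document against the DynamoDB rules on this page and
    return one human-readable finding per violation (empty list = clean)."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        # Rule 1: the account id inside a DynamoDB ARN must not contain dashes.
        for arn in resources:
            m = re.match(r"arn:aws:dynamodb:[^:]*:([^:]*):", arn)
            if m and "-" in m.group(1):
                findings.append(f"statement {i}: dashes in account id of {arn}")
        # Rule 2: ListTables is the one action without resource-level ARNs.
        if "dynamodb:ListTables" in actions and any(r != "*" for r in resources):
            findings.append(f"statement {i}: ListTables does not support resource-level ARNs")
        # Rule 3: dynamodb:LeadingKeys must be used with the ForAllValues modifier.
        for op, keys in stmt.get("Condition", {}).items():
            if "dynamodb:LeadingKeys" in keys and not op.startswith("ForAllValues:"):
                findings.append(f"statement {i}: LeadingKeys without ForAllValues ({op})")
    return findings

# Constructed policy: a user may read only the items whose partition key equals
# their own IAM user name, and only the Title and Author attributes of those items.
PER_USER_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:Query"],
        "Resource": dynamodb_arn("us-west-2", "1234-5678-9012", "Books"),
        "Condition": {"ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": ["${aws:username}"],
            "dynamodb:Attributes": ["Title", "Author"],
        }},
    }],
}
```

Running lint_policy over a policy that lists tables against a table ARN, keeps the dashes in the account number, or puts dynamodb:LeadingKeys under a plain StringEquals yields one finding per mistake.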