Menu
Amazon DynamoDB
Developer Guide (API Version 2012-08-10)

DynamoDB API Permissions: Actions, Resources, and Conditions Reference

When you are setting up Access Control and writing a permissions policy that you can attach to an IAM identity (identity-based policies), you can use the following table as a reference. The table lists each DynamoDB API operation, the corresponding actions for which you can grant permissions to perform the action, and the AWS resource for which you can grant the permissions. You specify the actions in the policy's Action field, and you specify the resource value in the policy's Resource field.

You can use AWS-wide condition keys in your DynamoDB policies to express conditions. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide.

In addition to the AWS-wide condition keys, DynamoDB has its own specific keys that you can use in conditions. For more information, see Using IAM Policy Conditions for Fine-Grained Access Control.

Note

To specify an action, use the dynamodb: prefix followed by the API operation name (for example, dynamodb:CreateTable).

If you see an expand arrow () in the upper-right corner of the table, you can open the table in a new window. To close the window, choose the close button (X) in the lower-right corner.

Amazon DynamoDB API and Required Permissions for Actions

DynamoDB API OperationsRequired Permissions (API Actions)Resources
BatchGetItem dynamodb:BatchGetItem arn:aws:dynamodb:region:account-id:table/table-name

or

arn:aws:dynamodb:region:account-id:table/*
BatchWriteItem dynamodb:BatchWriteItem arn:aws:dynamodb:region:account-id:table/table-name

or

arn:aws:dynamodb:region:account-id:table/*
CreateTable dynamodb:CreateTable arn:aws:dynamodb:region:account-id:table/table-name

or

arn:aws:dynamodb:region:account-id:table/*
DeleteItemdynamodb:DeleteItem arn:aws:dynamodb:region:account-id:table/table-name

or

arn:aws:dynamodb:region:account-id:table/*
DeleteTable dynamodb:DeleteTable arn:aws:dynamodb:region:account-id:table/table-name

or

arn:aws:dynamodb:region:account-id:table/*
DescribeLimitsdynamodb:DescribeLimitsarn:aws:dynamodb:region:account-id:*
DescribeReservedCapacitydynamodb:DescribeReservedCapacityarn:aws:dynamodb:region:account-id:*
DescribeReservedCapacityOfferingsdynamodb:DescribeReservedCapacityOfferingsarn:aws:dynamodb:region:account-id:*
DescribeStream dynamodb:DescribeStream arn:aws:dynamodb:region:account-id:table/table-name/stream/stream-label

or

arn:aws:dynamodb:region:account-id:table/table-name/stream/*
DescribeTabledynamodb:DescribeTable arn:aws:dynamodb:region:account-id:table/table-name

or

arn:aws:dynamodb:region:account-id:table/*
GetItemdynamodb:GetItem arn:aws:dynamodb:region:account-id:table/table-name

or

arn:aws:dynamodb:region:account-id:table/*
GetRecords dynamodb:GetRecords arn:aws:dynamodb:region:account-id:table/table-name/stream/stream-label

or

arn:aws:dynamodb:region:account-id:table/table-name/stream/*
GetShardIterator dynamodb:GetShardIteratorarn:aws:dynamodb:region:account-id:table/table-name/stream/stream-label

or

arn:aws:dynamodb:region:account-id:table/table-name/stream/*
ListStreams dynamodb:ListStreams arn:aws:dynamodb:region:account-id:table/table-name/stream/*

or

arn:aws:dynamodb:region:account-id:table/*/stream/*
ListTablesdynamodb:ListTables*
PurchaseReservedCapacityOfferingsdynamodb:PurchaseReservedCapacityOfferingsarn:aws:dynamodb:region:account-id:*
PutItemdynamodb:PutItem arn:aws:dynamodb:region:account-id:table/table-name

or

arn:aws:dynamodb:region:account-id:table/*
Querydynamodb:Query

To query a table:

arn:aws:dynamodb:region:account-id:table/table-name

or:

arn:aws:dynamodb:region:account-id:table/table-name

To query an index:

arn:aws:dynamodb:region:account-id:table/table-name/index/index-name

or:

arn:aws:dynamodb:region:account-id:table/table-name/index/*
Scan dynamodb:Scan

To scan a table:

arn:aws:dynamodb:region:account-id:table/table-name

or:

arn:aws:dynamodb:region:account-id:table/table-name

To scan an index:

arn:aws:dynamodb:region:account-id:table/table-name/index/index-name

or:

arn:aws:dynamodb:region:account-id:table/table-name/index/*
UpdateItem dynamodb:UpdateItem arn:aws:dynamodb:region:account-id:table/table-name

or

arn:aws:dynamodb:region:account-id:table/*
UpdateTable dynamodb:UpdateTable arn:aws:dynamodb:region:account-id:table/table-name

or

arn:aws:dynamodb:region:account-id:table/*