Example: Add replica Example: Update AutoScaling policy Example: Allow replica creations for a specific table name and regions

Using IAM with global tables

When you create a global table for the first time, Amazon DynamoDB automatically creates an AWS Identity and Access Management (IAM) service-linked role for you. This role is named AWSServiceRoleForDynamoDBReplication, and it allows DynamoDB to manage cross-Region replication for global tables on your behalf. Don't delete this service-linked role. If you do, all of your global tables will no longer function.

For more information about service-linked roles, see Using service-linked roles in the IAM User Guide.

To create replica tables in DynamoDB, you must have the following permissions in the source region.

dynamodb:UpdateTable

To create replica tables in DynamoDB, you must have the following permissions in destination regions.

dynamodb:CreateTable
dynamodb:CreateTableReplica
dynamodb:Scan
dynamodb:Query
dynamodb:UpdateItem
dynamodb:PutItem
dynamodb:GetItem
dynamodb:DeleteItem
dynamodb:BatchWriteItem

To delete replica tables in DynamoDB, you must have the following permissions in the destination regions.

dynamodb:DeleteTable
dynamodb:DeleteTableReplica

To update replica auto scaling policy through UpdateTableReplicaAutoScaling, you must have the following permissions in all Regions where table replicas exist

application-autoscaling:DeleteScalingPolicy
application-autoscaling:DeleteScheduledAction
application-autoscaling:DeregisterScalableTarget
application-autoscaling:DescribeScalableTargets
application-autoscaling:DescribeScalingActivities
application-autoscaling:DescribeScalingPolicies
application-autoscaling:DescribeScheduledActions
application-autoscaling:PutScalingPolicy
application-autoscaling:PutScheduledAction
application-autoscaling:RegisterScalableTarget

To use UpdateTimeToLive you must have permission for dynamodb:UpdateTimeToLive in all Regions where table replicas exist.

Example: Add replica

The following IAM policy grants permissions to allow you to add replicas to a global table.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "dynamodb:CreateTable",
                "dynamodb:DescribeTable",
                "dynamodb:UpdateTable",
                "dynamodb:CreateTableReplica",
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*"
        }
    ]
}

Example: Update AutoScaling policy

The following IAM policy grants permissions to allow you to update replica auto scaling policy.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:RegisterScalableTarget",
                "application-autoscaling:DeleteScheduledAction",
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:DescribeScalingActivities",
                "application-autoscaling:DescribeScalingPolicies",
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:DescribeScheduledActions",
                "application-autoscaling:DeleteScalingPolicy",
                "application-autoscaling:PutScheduledAction",
                "application-autoscaling:DeregisterScalableTarget"
            ],
            "Resource": "*"
        }
    ]
}

Example: Allow replica creations for a specific table name and regions

The following IAM policy grants permissions to allow table and replica creation for Customers table with replicas in three Regions.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "dynamodb:CreateTable",
                "dynamodb:DescribeTable",                
                "dynamodb:UpdateTable"
            ],
            
            "Resource": [
                "arn:aws:dynamodb:us-east-1:123456789012:table/Customers",
                "arn:aws:dynamodb:us-west-1:123456789012:table/Customers",
                "arn:aws:dynamodb:eu-east-2:123456789012:table/Customers"
            ]
        }
    ]
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Monitoring global tables

Determining the version