Create a table with a resource-based policy
You can add a resource-based policy while you create a table by using the DynamoDB console, CreateTable API, AWS CLI, AWS SDK, or an AWS CloudFormation template.
The following example creates a table named MusicCollection using the create-table AWS CLI command. This command also includes the resource-policy parameter that adds a resource-based policy to the table. This policy allows the user John to perform the RestoreTableToPointInTime, GetItem, and PutItem API actions on the table. Remember to replace the italicized text with your resource-specific information.

    aws dynamodb create-table \
        --table-name MusicCollection \
        --attribute-definitions AttributeName=Artist,AttributeType=S AttributeName=SongTitle,AttributeType=S \
        --key-schema AttributeName=Artist,KeyType=HASH AttributeName=SongTitle,KeyType=RANGE \
        --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \
        --resource-policy \
        "{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Principal\": { \"AWS\": \"arn:aws:iam::123456789012:user/John\" }, \"Action\": [ \"dynamodb:RestoreTableToPointInTime\", \"dynamodb:GetItem\", \"dynamodb:DescribeTable\" ], \"Resource\": \"arn:aws:dynamodb:us-west-2:123456789012:table/MusicCollection\" } ] }"
To create a table with a resource-based policy using the DynamoDB console:

1. Sign in to the AWS Management Console and open the DynamoDB console at https://console.aws.amazon.com/dynamodb/.
2. On the dashboard, choose Create table.
3. In Table details, enter the table name, partition key, and sort key details.
4. In Table settings, choose Customize settings.
5. (Optional) Specify your options for Table class, Capacity calculator, Read/write capacity settings, Secondary indexes, Encryption at rest, and Deletion protection.
6. In Resource-based policy, add a policy to define the access permissions for the table and its indexes. In this policy, you specify who has access to these resources, and the actions they are allowed to perform on each resource. To add a policy, do one of the following:
   - Type or paste a JSON policy document. For details about the IAM policy language, see Creating policies using the JSON editor in the IAM User Guide.
     Tip: To see examples of resource-based policies in the Amazon DynamoDB Developer Guide, choose Policy examples.
   - Choose Add new statement to add a new statement and enter the information in the provided fields. Repeat this step for as many statements as you would like to add.
   Important: Make sure that you resolve any security warnings, errors, or suggestions before you save your policy.
   The following IAM policy example allows the user John to perform the RestoreTableToPointInTime, GetItem, and PutItem API actions on the table MusicCollection. Remember to replace the italicized text with your resource-specific information.

       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Effect": "Allow",
             "Principal": {
               "AWS": "arn:aws:iam::123456789012:user/John"
             },
             "Action": [
               "dynamodb:RestoreTableToPointInTime",
               "dynamodb:GetItem",
               "dynamodb:PutItem"
             ],
             "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/MusicCollection"
           }
         ]
       }

7. (Optional) Choose Preview external access in the lower-right corner to preview how your new policy affects public and cross-account access to your resource. Before you save your policy, you can check whether it introduces new IAM Access Analyzer findings or resolves existing findings. If you don't see an active analyzer, choose Go to Access Analyzer to create an account analyzer in IAM Access Analyzer. For more information, see Preview access.
8. Choose Create table.
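The following Python example is added here and is not part of the AWS documentation or the AWS SDK: it builds the single-user policy shown above for an account, user, region and table, and then performs the same check the Preview external access step performs, listing any Allow principal that is public ("*") or belongs to a different account. The account ID, the role in the second account and the PUBLIC_POLICY document are constructed sample values.

```python
# Constructed example values; replace with your own account, user, region and table.
ACCOUNT_ID = "123456789012"

def build_table_policy(account_id, user, region, table, actions):
    """Resource-based policy granting one IAM user the given DynamoDB actions on one table."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:user/{user}"},
            "Action": [f"dynamodb:{a}" for a in actions],
            "Resource": f"arn:aws:dynamodb:{region}:{account_id}:table/{table}",
        }],
    }

def _principal_account(principal):
    # A principal is a bare account ID or an ARN whose fifth colon-separated field is the account.
    if ":" not in principal:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else ""

def external_principals(policy, account_id):
    """Allow-statement principals that are public ("*") or belong to another account.
    This is the question the console's Preview external access step answers; running it
    before saving lets a CI job reject an accidentally public table policy."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        values = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in [values] if isinstance(values, str) else values:
            if p == "*":
                findings.append(("public", p))
            elif _principal_account(p) != account_id:
                findings.append(("cross-account", p))
    return findings

# Constructed policy that the check should flag: a public principal plus a role in another account.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["*", "arn:aws:iam::210987654321:role/Auditor"]},
        "Action": ["dynamodb:GetItem"],
        "Resource": f"arn:aws:dynamodb:us-east-1:{ACCOUNT_ID}:table/MusicCollection",
    }],
}
```

Pass the dict through json.dumps to obtain the string that --resource-policy expects; a non-empty result from external_principals means the policy grants access outside the table's own account.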