IAM actions supported by resource-based policies - Amazon DynamoDB

IAM actions supported by resource-based policies

Support for IAM actions and cross-account access through resource-based policies is restricted to a certain set of DynamoDB APIs. You can't attach resource-based policies to resource types such as backups and imports, and APIs that operate on these resource types are excluded from the supported IAM actions in resource-based policies. Because table administrators configure internal table settings within the same account, APIs such as UpdateTimeToLive and DisableKinesisStreamingDestination don't support cross-account access through resource-based policies.

The DynamoDB data plane and control plane APIs that support cross-account access also support table name overloading, which lets you specify the table ARN instead of the table name. You specify the table ARN in the TableName parameter of these APIs. However, not all of these APIs support cross-account access.

The following table lists the API-level support for resource-based policies and cross-account access.

| API action | Resource-based policy support | Cross-account support |
| --- | --- | --- |
| **Data Plane - Tables/indexes** | | |
| DeleteItem | Yes | Yes |
| GetItem | Yes | Yes |
| PutItem | Yes | Yes |
| Query | Yes | Yes |
| Scan | Yes | Yes |
| UpdateItem | Yes | Yes |
| TransactGetItems | Yes | Yes |
| TransactWriteItems | Yes | Yes |
| BatchGetItem | Yes | Yes |
| BatchWriteItem | Yes | Yes |
| **PartiQL** | | |
| BatchExecuteStatement | Yes | No |
| ExecuteStatement | Yes | No |
| ExecuteTransaction | Yes | No |
| **Control Plane - Tables** | | |
| CreateTable | No | No |
| DeleteTable | Yes | Yes |
| DescribeTable | Yes | Yes |
| UpdateTable | Yes | Yes |
| **Version 2019.11.21 (Current) global tables** | | |
| DescribeTableReplicaAutoScaling | Yes | No |
| UpdateTableReplicaAutoScaling | Yes | No |
| **Version 2017.11.29 (Legacy) global table** | | |
| CreateGlobalTable | No | No |
| DescribeGlobalTable | No | No |
| DescribeGlobalTableSettings | No | No |
| ListGlobalTables | No | No |
| UpdateGlobalTable | No | No |
| UpdateGlobalTableSettings | No | No |
| **Tags** | | |
| ListTagsOfResource | Yes | Yes |
| TagResource | Yes | Yes |
| UntagResource | Yes | Yes |
| **Backup/Restore** | | |
| CreateBackup | Yes | No |
| DescribeBackup | No | No |
| DeleteBackup | No | No |
| RestoreTableFromBackup | No | No |
| **Continuous Backup/Restore (PITR)** | | |
| DescribeContinuousBackups | Yes | No |
| RestoreTableToPointInTime | Yes | No |
| UpdateContinuousBackups | Yes | No |
| **Contributor Insights** | | |
| DescribeContributorInsights | Yes | No |
| ListContributorInsights | No | No |
| UpdateContributorInsights | Yes | No |
| **Export** | | |
| DescribeExport | No | No |
| ExportTableToPointInTime | Yes | No |
| ListExports | No | No |
| **Import** | | |
| DescribeImport | No | No |
| ImportTable | No | No |
| ListImports | No | No |
| **Kinesis** | | |
| DescribeKinesisStreamingDestination | Yes | No |
| DisableKinesisStreamingDestination | Yes | No |
| EnableKinesisStreamingDestination | Yes | No |
| UpdateKinesisStreamingDestination | Yes | No |
| **Resource policies** | | |
| GetResourcePolicy | Yes | No |
| PutResourcePolicy | Yes | No |
| DeleteResourcePolicy | Yes | No |
| **Time-to-Live** | | |
| DescribeTimeToLive | Yes | No |
| UpdateTimeToLive | Yes | No |
| **Others** | | |
| DescribeLimits | No | No |
| DescribeEndpoints | No | No |
| ListBackups | No | No |
| ListTables | No | No |

The following table lists the API-level support of DynamoDB Streams APIs for resource-based policies and cross-account access.

| API action | Resource-based policy support | Cross-account support |
| --- | --- | --- |
| DescribeStream | Yes | Yes |
| GetRecords | Yes | Yes |
| GetShardIterator | Yes | Yes |
| ListStreams | No | No |
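
A policy review check built from the two tables above, as an added example (not AWS code): it flags `Allow` statements in a resource-based policy that name actions without resource-based policy support, or that grant same-account-only actions to a principal outside the table owner's account. The function names, the sample policy and its account IDs are constructed, and the check assumes `Action` entries use the API names exactly as listed in the tables.

```python
import fnmatch
import json

# Support matrix transcribed from the tables on this page (API action names).
CROSS_ACCOUNT = set("""DeleteItem GetItem PutItem Query Scan UpdateItem
    TransactGetItems TransactWriteItems BatchGetItem BatchWriteItem DeleteTable
    DescribeTable UpdateTable ListTagsOfResource TagResource UntagResource
    DescribeStream GetRecords GetShardIterator""".split())
SAME_ACCOUNT_ONLY = set("""BatchExecuteStatement ExecuteStatement ExecuteTransaction
    DescribeTableReplicaAutoScaling UpdateTableReplicaAutoScaling CreateBackup
    DescribeContinuousBackups RestoreTableToPointInTime UpdateContinuousBackups
    DescribeContributorInsights UpdateContributorInsights ExportTableToPointInTime
    DescribeKinesisStreamingDestination DisableKinesisStreamingDestination
    EnableKinesisStreamingDestination UpdateKinesisStreamingDestination
    GetResourcePolicy PutResourcePolicy DeleteResourcePolicy DescribeTimeToLive
    UpdateTimeToLive""".split())

# Constructed sample: table owner 111122223333 grants to account 444455556666.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Reader", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
    "Action": ["dynamodb:GetItem", "dynamodb:UpdateTimeToLive", "dynamodb:CreateTable"],
    "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/Example"}]})

def as_list(v):
    return v if isinstance(v, list) else [v]

def is_external(principal, owner):
    """True if any AWS principal (ARN, bare account ID or '*') is outside owner."""
    ids = as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal)
    return any((p.split(":")[4] if p.startswith("arn:") else p) != owner for p in ids)

def lint(policy_json, owner):
    """Return sorted (sid, action, problem) findings for Allow statements."""
    findings = set()
    for st in as_list(json.loads(policy_json)["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        external = is_external(st.get("Principal", {}), owner)
        for pattern in as_list(st.get("Action", [])):
            pat = pattern.split(":", 1)[-1].lower()  # drop the "dynamodb:" prefix
            hits = [a for a in CROSS_ACCOUNT | SAME_ACCOUNT_ONLY
                    if fnmatch.fnmatchcase(a.lower(), pat)]  # expands wildcards
            if not hits:  # matches nothing the tables list as supported
                findings.add((st.get("Sid", ""), pattern, "no resource-based policy support"))
            for a in hits:
                if external and a in SAME_ACCOUNT_ONLY:
                    findings.add((st.get("Sid", ""), "dynamodb:" + a, "no cross-account support"))
    return sorted(findings)
```

Calling `lint(SAMPLE, "111122223333")` reports `dynamodb:CreateTable` and `dynamodb:UpdateTimeToLive`; `dynamodb:GetItem` passes because the table lists it as supporting cross-account access.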