
Using identity-based policies with Amazon DynamoDB

This topic covers using identity-based AWS Identity and Access Management (IAM) policies with Amazon DynamoDB and provides examples. The examples show how an account administrator can attach permissions policies to IAM identities (users, groups, and roles) and thereby grant permissions to perform operations on Amazon DynamoDB resources.

The sections in this topic cover the following:

The following is an example of a permissions policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeQueryScanBooksTable",
      "Effect": "Allow",
      "Action": [
        "dynamodb:DescribeTable",
        "dynamodb:Query",
        "dynamodb:Scan"
      ],
      "Resource": "arn:aws:dynamodb:us-west-2:account-id:table/Books"
    }
  ]
}

The preceding policy has one statement that grants permissions for three DynamoDB actions (dynamodb:DescribeTable, dynamodb:Query, and dynamodb:Scan) on a table in the us-west-2 AWS Region, which is owned by the AWS account specified by account-id. The Amazon Resource Name (ARN) in the Resource value specifies the table that the permissions apply to.

IAM permissions required to use the Amazon DynamoDB console

To work with the DynamoDB console, a user must have a minimum set of permissions that allow the user to work with their AWS account's DynamoDB resources. In addition to these DynamoDB permissions, the console requires permissions for the following services:

  • Amazon CloudWatch permissions to display metrics and graphs.

  • AWS Data Pipeline permissions to export and import DynamoDB data.

  • AWS Identity and Access Management permissions to access roles necessary for exports and imports.

  • Amazon Simple Notification Service permissions to notify you whenever a CloudWatch alarm is triggered.

  • AWS Lambda permissions to process DynamoDB Streams records.

If you create an IAM policy that is more restrictive than the minimum required permissions, the console won't function as intended for users with that IAM policy. To ensure that those users can still use the DynamoDB console, also attach the AmazonDynamoDBReadOnlyAccess AWS managed policy to the user, as described in AWS managed (predefined) IAM policies for Amazon DynamoDB.

You don't need to allow minimum console permissions for users who are making calls only to the AWS CLI or the Amazon DynamoDB API.

Note

If you refer to a VPC endpoint, you will also need to authorize the DescribeEndpoints API call for the requesting IAM principal(s) with the IAM action (dynamodb:DescribeEndpoints). For more information, see Required policy for endpoints.

AWS managed (predefined) IAM policies for Amazon DynamoDB

AWS addresses some common use cases by providing standalone IAM policies that are created and administered by AWS. These AWS managed policies grant necessary permissions for common use cases so that you can avoid having to investigate which permissions are needed. For more information, see AWS Managed Policies in the IAM User Guide.

The following AWS managed policies, which you can attach to users in your account, are specific to DynamoDB and are grouped by use-case scenario:

  • AmazonDynamoDBReadOnlyAccess – Grants read-only access to DynamoDB resources through the AWS Management Console.

  • AmazonDynamoDBFullAccess – Grants full access to DynamoDB resources through the AWS Management Console.

You can review these AWS managed permissions policies by signing in to the IAM console and searching for specific policies there.

Important

The best practice is to create custom IAM policies that grant least-privilege to the users, roles, or groups that require them.
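As an added example (not part of the DynamoDB documentation), the following Python script performs an offline least-privilege check on a policy document shaped like the Books table policy above: it flags wildcard actions, actions outside the dynamodb: namespace, NotAction/NotResource in Allow statements, and resources that are not a specific DynamoDB table ARN. The account ID 123456789012 is a placeholder.

```python
import json

# Constructed sample: the page's example policy with a placeholder account ID.
BOOKS_TABLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeQueryScanBooksTable",
      "Effect": "Allow",
      "Action": ["dynamodb:DescribeTable", "dynamodb:Query", "dynamodb:Scan"],
      "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/Books"
    }
  ]
}
"""


def _as_list(value):
    # IAM allows a single string or a list for Action/Resource/Statement.
    return value if isinstance(value, list) else [value]


def audit_dynamodb_policy(policy_json):
    """Return a list of findings; an empty list means the policy is tightly scoped."""
    policy = json.loads(policy_json)
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    for stmt in _as_list(policy["Statement"]):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, so they are not flagged
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource in an Allow statement")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
            elif not action.startswith("dynamodb:"):
                findings.append(f"{sid}: non-DynamoDB action {action}")
            elif "*" in action:
                findings.append(f"{sid}: partial wildcard action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*" or not resource.startswith("arn:aws:dynamodb:"):
                findings.append(f"{sid}: resource not scoped to a DynamoDB ARN: {resource}")
            elif resource.endswith("/*"):
                findings.append(f"{sid}: resource wildcard {resource}")
    return findings


if __name__ == "__main__":
    print(audit_dynamodb_policy(BOOKS_TABLE_POLICY) or "no findings")
```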

Customer managed policy examples

In this section, you can find policy examples that grant permissions for various DynamoDB actions. These policies work when you use AWS SDKs or the AWS CLI. When you use the console, you need to grant additional permissions that are specific to the console. For more information, see IAM permissions required to use the Amazon DynamoDB console.

Note

All of the following policy examples use one of the AWS Regions and contain fictitious account IDs and table names.

Examples:

The IAM User Guide includes three additional DynamoDB examples: