Actions, resources, and condition keys for Amazon DynamoDB - Service Authorization Reference

Actions, resources, and condition keys for Amazon DynamoDB

Amazon DynamoDB (service prefix: dynamodb) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon DynamoDB

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
BatchGetItem Grants permission to return the attributes of one or more items from one or more tables Read

table*

dynamodb:Attributes

dynamodb:LeadingKeys

dynamodb:ReturnConsumedCapacity

dynamodb:Select

BatchWriteItem Grants permission to put or delete multiple items in one or more tables Write

table*

dynamodb:Attributes

dynamodb:LeadingKeys

dynamodb:ReturnConsumedCapacity

ConditionCheckItem Grants permission to the ConditionCheckItem operation checks the existence of a set of attributes for the item with the given primary key Read

table*

dynamodb:Attributes

dynamodb:LeadingKeys

dynamodb:ReturnConsumedCapacity

dynamodb:ReturnValues

CreateBackup Grants permission to create a backup for an existing table Write

table*

CreateGlobalTable Grants permission to create a global table from an existing table Write

global-table*

table*

CreateTable Grants permission to the CreateTable operation adds a new table to your account Write

table*

CreateTableReplica Grants permission to add a new replica table Write

table*

DeleteBackup Grants permission to delete an existing backup of a table Write

backup*

DeleteItem Grants permission to deletes a single item in a table by primary key Write

table*

dynamodb:Attributes

dynamodb:EnclosingOperation

dynamodb:LeadingKeys

dynamodb:ReturnConsumedCapacity

dynamodb:ReturnValues

DeleteTable Grants permission to the DeleteTable operation which deletes a table and all of its items Write

table*

DeleteTableReplica Grants permission to delete a replica table and all of its items Write

table*

DescribeBackup Grants permission to describe an existing backup of a table Read

backup*

DescribeContinuousBackups Grants permission to check the status of the backup restore settings on the specified table Read

table*

DescribeContributorInsights Grants permission to describe the contributor insights status and related details for a given table or global secondary index Read

table*

index

DescribeExport Grants permission to describe an existing Export of a table Read

export*

DescribeGlobalTable Grants permission to return information about the specified global table Read

global-table*

DescribeGlobalTableSettings Grants permission to return settings information about the specified global table Read

global-table*

DescribeKinesisStreamingDestination Grants permission to grant permission to describe the status of Kinesis streaming and related details for a given table Read

table*

DescribeLimits Grants permission to return the current provisioned-capacity limits for your AWS account in a region, both for the region as a whole and for any one DynamoDB table that you create there Read
DescribeReservedCapacity Grants permission to describe one or more of the Reserved Capacity purchased Read
DescribeReservedCapacityOfferings Grants permission to describe Reserved Capacity offerings that are available for purchase Read
DescribeStream Grants permission to return information about a stream, including the current status of the stream, its Amazon Resource Name (ARN), the composition of its shards, and its corresponding DynamoDB table Read

stream*

DescribeTable Grants permission to return information about the table Read

table*

DescribeTableReplicaAutoScaling Grants permission to describe the auto scaling settings across all replicas of the global table Read

table*

DescribeTimeToLive Grants permission to give a description of the Time to Live (TTL) status on the specified table Read

table*

DisableKinesisStreamingDestination Grants permission to grant permission to stop replication from the DynamoDB table to the Kinesis data stream Write

table*

EnableKinesisStreamingDestination Grants permission to grant permission to start table data replication to the specified Kinesis data stream at a timestamp chosen during the enable workflow Write

table*

ExportTableToPointInTime Grants permission to initiate an Export of a DynamoDB table to S3 Write

table*

GetItem Grants permission to the GetItem operation that returns a set of attributes for the item with the given primary key Read

table*

dynamodb:Attributes

dynamodb:EnclosingOperation

dynamodb:LeadingKeys

dynamodb:ReturnConsumedCapacity

dynamodb:Select

GetRecords Grants permission to retrieve the stream records from a given shard Read

stream*

GetShardIterator Grants permission to return a shard iterator Read

stream*

ListBackups Grants permission to list backups associated with the account and endpoint List
ListContributorInsights Grants permission to list the ContributorInsightsSummary for all tables and global secondary indexes associated with the current account and endpoint List
ListExports Grants permission to list exports associated with the account and endpoint List
ListGlobalTables Grants permission to list all global tables that have a replica in the specified region List
ListStreams Grants permission to return an array of stream ARNs associated with the current account and endpoint Read
ListTables Grants permission to return an array of table names associated with the current account and endpoint List
ListTagsOfResource Grants permission to list all tags on an Amazon DynamoDB resource Read

table*

PartiQLDelete Grants permission to delete a single item in a table by primary key Write

table*

dynamodb:Attributes

dynamodb:EnclosingOperation

dynamodb:LeadingKeys

dynamodb:ReturnValues

PartiQLInsert Grants permission to create a new item, if an item with same primary key does not exist in the table Write

table*

dynamodb:Attributes

dynamodb:EnclosingOperation

dynamodb:LeadingKeys

PartiQLSelect Grants permission to read a set of attributes for items from a table or index Read

table*

index

dynamodb:Attributes

dynamodb:EnclosingOperation

dynamodb:FullTableScan

dynamodb:LeadingKeys

dynamodb:Select

PartiQLUpdate Grants permission to edit an existing item's attributes Write

table*

dynamodb:Attributes

dynamodb:EnclosingOperation

dynamodb:LeadingKeys

dynamodb:ReturnValues

PurchaseReservedCapacityOfferings Grants permission to purchases reserved capacity for use with your account Write
PutItem Grants permission to create a new item, or replace an old item with a new item Write

table*

dynamodb:Attributes

dynamodb:EnclosingOperation

dynamodb:LeadingKeys

dynamodb:ReturnConsumedCapacity

dynamodb:ReturnValues

Query Grants permission to use the primary key of a table or a secondary index to directly access items from that table or index Read

table*

index

dynamodb:Attributes

dynamodb:LeadingKeys

dynamodb:ReturnConsumedCapacity

dynamodb:ReturnValues

dynamodb:Select

RestoreTableFromAwsBackup Grants permission to create a new table from recovery point on AWS Backup Write

table*

RestoreTableFromBackup Grants permission to create a new table from an existing backup Write

backup*

table*

RestoreTableToPointInTime Grants permission to restore a table to a point in time Write

table*

Scan Grants permission to return one or more items and item attributes by accessing every item in a table or a secondary index Read

table*

index

dynamodb:Attributes

dynamodb:ReturnConsumedCapacity

dynamodb:ReturnValues

dynamodb:Select

StartAwsBackupJob Grants permission to create a backup on AWS Backup with advanced features enabled Write

table*

TagResource Grants permission to associate a set of tags with an Amazon DynamoDB resource Tagging

table*

UntagResource Grants permission to remove the association of tags from an Amazon DynamoDB resource Tagging

table*

UpdateContinuousBackups Grants permission to enable or disable continuous backups Write

table*

UpdateContributorInsights Grants permission to update the status for contributor insights for a specific table or global secondary index Write

table*

index

UpdateGlobalTable Grants permission to add or remove replicas in the specified global table Write

global-table*

table*

UpdateGlobalTableSettings Grants permission to update settings of the specified global table Write

global-table*

table*

UpdateItem Grants permission to edit an existing item's attributes, or adds a new item to the table if it does not already exist Write

table*

dynamodb:Attributes

dynamodb:EnclosingOperation

dynamodb:LeadingKeys

dynamodb:ReturnConsumedCapacity

dynamodb:ReturnValues

UpdateTable Grants permission to modify the provisioned throughput settings, global secondary indexes, or DynamoDB Streams settings for a given table Write

table*

UpdateTableReplicaAutoScaling Grants permission to update auto scaling settings on your replica table Write

table*

UpdateTimeToLive Grants permission to enable or disable TTL for the specified table Write

table*

Resource types defined by Amazon DynamoDB

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
index arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/index/${IndexName}
stream arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/stream/${StreamLabel}
table arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}
backup arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/backup/${BackupName}
export arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/export/${ExportName}
global-table arn:${Partition}:dynamodb::${Account}:global-table/${GlobalTableName}

Condition keys for Amazon DynamoDB

Amazon DynamoDB defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Note

For information about how to use context keys to refine DynamoDB access using an IAM policy, see Using IAM Policy Conditions for Fine-Grained Access Control in the Amazon DynamoDB Developer Guide.

Condition keys Description Type
dynamodb:Attributes Filter based on the attribute (field or column) names of the table String
dynamodb:EnclosingOperation Used to block Transactions APIs calls and allow the non-Transaction APIs calls and vice-versa String
dynamodb:FullTableScan Used to block full table scan Bool
dynamodb:LeadingKeys Filters based on the partition key of the table String
dynamodb:ReturnConsumedCapacity Filter based on the ReturnConsumedCapacity parameter of a request. Contains either "TOTAL" or "NONE" String
dynamodb:ReturnValues Filter based on the ReturnValues parameter of request. Contains one of the following: "ALL_OLD", "UPDATED_OLD","ALL_NEW","UPDATED_NEW", or "NONE" String
dynamodb:Select Filter based on the Select parameter of a Query or Scan request String