Actions, resources, and condition keys for Amazon DynamoDB
Amazon DynamoDB (service prefix: dynamodb) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
Actions defined by Amazon DynamoDB
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.
For details about the columns in the following table, see The actions table.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
BatchGetItem | Returns the attributes of one or more items from one or more tables | Read | |||
BatchWriteItem | Puts or deletes multiple items in one or more tables | Write | |||
ConditionCheckItem | The ConditionCheckItem operation checks the existence of a set of attributes for the item with the given primary key | Read | |||
CreateBackup | Creates a backup for an existing table | Write | |||
CreateGlobalTable | Enables the user to create a global table from an existing table | Write | |||
CreateTable | The CreateTable operation adds a new table to your account | Write | |||
CreateTableReplica | Adds a new replica table | Write | |||
DeleteBackup | Deletes an existing backup of a table | Write | |||
DeleteItem | Deletes a single item in a table by primary key | Write | |||
DeleteTable | The DeleteTable operation deletes a table and all of its items | Write | |||
DeleteTableReplica | Deletes a replica table and all of its items | Write | |||
DescribeBackup | Describes an existing backup of a table | Read | |||
DescribeContinuousBackups | Checks the status of the backup restore settings on the specified table | Read | |||
DescribeContributorInsights | Describes the contributor insights status and related details for a given table or global secondary index | Read | |||
DescribeExport | Describes an existing Export of a table | Read | |||
DescribeGlobalTable | Returns information about the specified global table | Read | |||
DescribeGlobalTableSettings | Returns settings information about the specified global table | Read | |||
DescribeKinesisStreamingDestination | Grants permission to describe the status of Kinesis streaming and related details for a given table | Read | |||
DescribeLimits | Returns the current provisioned-capacity limits for your AWS account in a region, both for the region as a whole and for any one DynamoDB table that you create there | Read | |||
DescribeReservedCapacity | Describes one or more of the Reserved Capacity purchased | Read | |||
DescribeReservedCapacityOfferings | Describes Reserved Capacity offerings that are available for purchase | Read | |||
DescribeStream | Returns information about a stream, including the current status of the stream, its Amazon Resource Name (ARN), the composition of its shards, and its corresponding DynamoDB table | Read | |||
DescribeTable | Returns information about the table | Read | |||
DescribeTableReplicaAutoScaling | Describes the auto scaling settings across all replicas of the global table | Read | |||
DescribeTimeToLive | Gives a description of the Time to Live (TTL) status on the specified table | Read | |||
DisableKinesisStreamingDestination | Grants permission to stop replication from the DynamoDB table to the Kinesis data stream | Write | |||
EnableKinesisStreamingDestination | Grants permission to start table data replication to the specified Kinesis data stream at a timestamp chosen during the enable workflow | Write | |||
ExportTableToPointInTime | Initiates an Export of a DynamoDB table to S3 | Write | |||
GetItem | The GetItem operation returns a set of attributes for the item with the given primary key | Read | |||
GetRecords | Retrieves the stream records from a given shard | Read | |||
GetShardIterator | Returns a shard iterator | Read | |||
ListBackups | List backups associated with the account and endpoint | List | |||
ListContributorInsights | Lists the ContributorInsightsSummary for all tables and global secondary indexes associated with the current account and endpoint | List | |||
ListExports | List exports associated with the account and endpoint | List | |||
ListGlobalTables | Lists all global tables that have a replica in the specified region | List | |||
ListStreams | Returns an array of stream ARNs associated with the current account and endpoint | Read | |||
ListTables | Returns an array of table names associated with the current account and endpoint | List | |||
ListTagsOfResource | List all tags on an Amazon DynamoDB resource | Read | |||
PartiQLDelete | Grants permission to delete a single item in a table by primary key | Write | |||
PartiQLInsert | Grants permission to create a new item, if an item with same primary key does not exist in the table | Write | |||
PartiQLSelect | Grants permission to read a set of attributes for items from a table or index | Read | |||
PartiQLUpdate | Grants permission to edit an existing item's attributes | Write | |||
PurchaseReservedCapacityOfferings | Purchases Reserved Capacity for use with your account | Write | |||
PutItem | Creates a new item, or replaces an old item with a new item | Write | |||
Query | Uses the primary key of a table or a secondary index to directly access items from that table or index | Read | |||
RestoreTableFromBackup | Creates a new table from an existing backup | Write | |||
RestoreTableToPointInTime | Restores a table to a point in time | Write | |||
Scan | Returns one or more items and item attributes by accessing every item in a table or a secondary index | Read | |||
TagResource | Associate a set of tags with an Amazon DynamoDB resource | Tagging | |||
UntagResource | Removes the association of tags from an Amazon DynamoDB resource | Tagging | |||
UpdateContinuousBackups | Enables or disables continuous backups | Write | |||
UpdateContributorInsights | Updates the status for contributor insights for a specific table or global secondary index | Write | |||
UpdateGlobalTable | Enables the user to add or remove replicas in the specified global table | Write | |||
UpdateGlobalTableSettings | Enables the user to update settings of the specified global table | Write | |||
UpdateItem | Edits an existing item's attributes, or adds a new item to the table if it does not already exist | Write | |||
UpdateTable | Modifies the provisioned throughput settings, global secondary indexes, or DynamoDB Streams settings for a given table | Write | |||
UpdateTableReplicaAutoScaling | Updates auto scaling settings on your replica table | Write | |||
UpdateTimeToLive | Enables or disables TTL for the specified table | Write | |||
Resource types defined by Amazon DynamoDB
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.
Resource types | ARN | Condition keys |
---|---|---|
index | arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/index/${IndexName} | |
stream | arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/stream/${StreamLabel} | |
table | arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName} | |
backup | arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/backup/${BackupName} | |
export | arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/export/${exportName} | |
global-table | arn:${Partition}:dynamodb::${Account}:global-table/${GlobalTableName} | |
Condition keys for Amazon DynamoDB
Amazon DynamoDB defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
For information about how to use context keys to refine DynamoDB access using an IAM policy, see Using IAM Policy Conditions for Fine-Grained Access Control in the Amazon DynamoDB Developer Guide.
Condition keys | Description | Type |
---|---|---|
dynamodb:Attributes | Filter based on the attribute (field or column) names of the table. | String |
dynamodb:EnclosingOperation | Used to block transaction API calls while allowing non-transaction API calls, or vice versa. | String |
dynamodb:FullTableScan | Used to block full table scan. | Bool |
dynamodb:LeadingKeys | Filters based on the partition key of the table. | String |
dynamodb:ReturnConsumedCapacity | Filter based on the ReturnConsumedCapacity parameter of a request. Contains either "TOTAL" or "NONE". | String |
dynamodb:ReturnValues | Filter based on the ReturnValues parameter of a request. Contains one of the following: "ALL_OLD", "UPDATED_OLD", "ALL_NEW", "UPDATED_NEW", or "NONE". | String |
dynamodb:Select | Filter based on the Select parameter of a Query or Scan request. | String |
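The following identity-based policy is an added example, not part of the AWS reference above, that ties the two halves of this page together: the Action element names actions from the actions table, the Resource element uses the table ARN form from the resource types table, and the Condition element uses four of the condition keys just listed to scope a caller to its own items and to an allow-list of attributes. The account ID (111122223333), region, table name (GameScores) and attribute names are constructed placeholders; the policy variable ${cognito-identity.amazonaws.com:sub} is the authenticated Cognito identity ID, substituted at evaluation time.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OwnItemsAndAllowedAttributesOnly",
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:BatchGetItem",
        "dynamodb:Query",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-east-1:111122223333:table/GameScores"
      ],
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": [
            "${cognito-identity.amazonaws.com:sub}"
          ],
          "dynamodb:Attributes": [
            "UserId",
            "GameTitle",
            "Wins",
            "Losses"
          ]
        },
        "StringEqualsIfExists": {
          "dynamodb:Select": "SPECIFIC_ATTRIBUTES",
          "dynamodb:ReturnValues": [
            "NONE",
            "UPDATED_OLD",
            "UPDATED_NEW"
          ]
        }
      }
    }
  ]
}
```

How the pieces work together: ForAllValues on dynamodb:LeadingKeys means every partition key value in the request (a BatchGetItem can carry several) must equal the caller's identity ID, so a request that mixes in another user's key is denied as a whole. ForAllValues on dynamodb:Attributes does the same for attribute names, and the StringEqualsIfExists block closes the two gaps that would otherwise undermine it: dynamodb:Select is pinned to SPECIFIC_ATTRIBUTES so a Query cannot sidestep the attribute allow-list by asking for every attribute, and dynamodb:ReturnValues excludes ALL_OLD and ALL_NEW so a write cannot echo back attributes the caller may not read. Scan is deliberately absent from the action list, since it reads every item in the table regardless of key. If the caller also needs to query a secondary index, add the index ARN from the resource types table (arn:...:table/GameScores/index/IndexName) to the Resource element, keeping in mind that dynamodb:LeadingKeys is then evaluated against the partition key of that index, which is only useful when the index shares the table's partition key.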