Troubleshooting common ABAC errors for DynamoDB tables and indexes - Amazon DynamoDB

This topic provides troubleshooting advice for common errors and issues that you might encounter while implementing ABAC in DynamoDB tables or indexes.

Service-specific condition keys aren't considered valid condition keys. If you've used such keys in your policies, they result in an error. To fix this issue, replace the service-specific condition keys with an appropriate condition key to implement ABAC in DynamoDB.

For example, say that you've used the dynamodb:ResourceTag condition key in an inline policy for a PutItem request, and the request fails with an AccessDeniedException. The following example shows the erroneous inline policy with the dynamodb:ResourceTag condition key.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:PutItem"
            ],
            "Resource": "arn:aws-cn:dynamodb:*:*:table/*",
            "Condition": {
                "StringEquals": {
                    "dynamodb:ResourceTag/Owner": "John"
                }
            }
        }
    ]
}

To fix this issue, replace the dynamodb:ResourceTag condition key with aws:ResourceTag, as shown in the following example.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:PutItem"
            ],
            "Resource": "arn:aws-cn:dynamodb:*:*:table/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Owner": "John"
                }
            }
        }
    ]
}
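
The following added example, which is not part of the AWS documentation, shows one way to check policy documents for the dynamodb:ResourceTag condition key before you attach them, and to produce the corrected policy. The function names find_bad_keys and fix_policy are hypothetical, and the sample policy is the erroneous one from this topic.

```python
import copy
import json

# Mapping taken from this topic: the service-specific key and its replacement.
BAD_PREFIX = "dynamodb:resourcetag/"
GOOD_PREFIX = "aws:ResourceTag/"


def _statements(policy):
    """Statement may be a single object or a list; always return a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else stmts


def find_bad_keys(policy):
    """Return (statement index, operator, key) for each dynamodb:ResourceTag use."""
    findings = []
    for i, stmt in enumerate(_statements(policy)):
        for operator, block in stmt.get("Condition", {}).items():
            for key in block:
                # Condition key names are case-insensitive, so compare lowercased.
                if key.lower().startswith(BAD_PREFIX):
                    findings.append((i, operator, key))
    return findings


def fix_policy(policy):
    """Return a copy with each flagged key renamed to aws:ResourceTag/<tag key>."""
    fixed = copy.deepcopy(policy)
    stmts = _statements(fixed)
    for i, operator, key in find_bad_keys(policy):
        block = stmts[i]["Condition"][operator]
        tag_key = key[len(BAD_PREFIX):]  # the tag key keeps its original case
        block[GOOD_PREFIX + tag_key] = block.pop(key)
    return fixed


# Constructed sample: the erroneous inline policy shown in this topic.
SAMPLE = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": ["dynamodb:PutItem"],
   "Resource": "arn:aws-cn:dynamodb:*:*:table/*",
   "Condition": {"StringEquals": {"dynamodb:ResourceTag/Owner": "John"}}}]}
""")

if __name__ == "__main__":
    for idx, op, key in find_bad_keys(SAMPLE):
        print(f"Statement[{idx}] {op}: {key} is not valid for ABAC")
    print(json.dumps(fix_policy(SAMPLE), indent=2))
```

Running a check like this over policies in source control catches the invalid key before a request fails with an AccessDeniedException.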

If ABAC was enabled for your account through Amazon Web Services Support, you won't be able to opt out of ABAC through the DynamoDB console. To opt out, contact Amazon Web Services Support.

You can opt out of ABAC yourself only if the following are true: