Amazon managed policies for Amazon DynamoDB - Amazon DynamoDB
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon managed policies for Amazon DynamoDB

DynamoDB uses Amazon managed policies to define a set of permissions the service needs to perform specific actions. DynamoDB maintains and updates its Amazon managed policies. You can't change the permissions in Amazon managed policies. For more information about Amazon managed policies, see Amazon managed policies in the IAM User Guide.

DynamoDB may occasionally add permissions to an Amazon managed policy to support new features. This type of update affects all identities (users, groups, and roles) to which the policy is attached. An Amazon managed policy is most likely to be updated when a new feature is launched or when new operations become available. DynamoDB will not remove permissions from an Amazon managed policy, so policy updates won't break your existing permissions.

Amazon managed policy: DynamoDBReplicationServiceRolePolicy

You can’t attach the DynamoDBReplicationServiceRolePolicy policy to your IAM entities. This policy is attached to a service-linked role that allows DynamoDB to perform actions on your behalf. For more information, see Using IAM with global tables.

This policy grants permissions that allow the service-linked role to perform data replication between global table replicas. It also grants administrative permissions to manage global table replicas on your behalf.

Permissions details

This policy grants permissions to do the following:

  • dynamodb – Perform data replication and manage table replicas.

  • application-autoscaling – Retrieve and manage table Auto Scaling settings.

  • account – Retrieve region status for evaluating replica accessibility.

  • iam – Create the service-linked role for Application Auto Scaling if that service-linked role does not already exist.

The definition of this managed policy can be found here.

Amazon managed policy: AmazonDynamoDBReadOnlyAccess

You can attach the AmazonDynamoDBReadOnlyAccess policy to your IAM identities.

This policy grants read-only access to Amazon DynamoDB.

Permissions details

This policy includes the following permissions:

  • Amazon DynamoDB – Provides read-only access to Amazon DynamoDB.

  • Amazon DynamoDB Accelerator (DAX) – Provides read-only access to Amazon DynamoDB Accelerator (DAX).

  • Application Auto Scaling – Allows principals to view configurations from Application Auto Scaling. This is required so that users can view automatic scaling policies that are attached to a table.

  • CloudWatch – Allows principals to view metric data and alarms configured in CloudWatch. This is required so users can view the billable table size and CloudWatch alarms that have been configured for a table.

  • Amazon Data Pipeline – Allows principals to view Amazon Data Pipeline and associated objects.

  • Amazon EC2 – Allows principals to view Amazon EC2 VPCs, subnets, and security groups.

  • IAM – Allows principals to view IAM roles.

  • Amazon KMS – Allows principals to view keys configured in Amazon KMS. This is required so users can view Amazon KMS keys that they create and manage in their account.

  • Amazon SNS – Allows principals to list Amazon SNS topics and subscriptions by topic.

  • Amazon Resource Groups – Allows principals to view resource groups and their queries.

  • Amazon Resource Groups Tagging – Allows principals to list all the tagged or previously tagged resources in a Region.

  • Kinesis – Allows principals to view Kinesis data streams descriptions.

  • Amazon CloudWatch Contributor Insights – Allows principals to view time series data collected by Contributor Insights rules.

To review the policy in JSON format, see AmazonDynamoDBReadOnlyAccess.

DynamoDB updates to Amazon managed policies

This table shows updates to the Amazon access management policies for DynamoDB.

| Change | Description | Date |
|---|---|---|
| AmazonDynamoDBReadOnlyAccess – update to an existing policy | AmazonDynamoDBReadOnlyAccess added the permission dynamodb:GetResourcePolicy. This permission provides access to read resource-based policies attached to DynamoDB resources. | March 20, 2024 |
| DynamoDBReplicationServiceRolePolicy – update to an existing policy | DynamoDBReplicationServiceRolePolicy added the permission dynamodb:GetResourcePolicy. This permission allows the service-linked role to read resource-based policies attached to DynamoDB resources. | December 15, 2023 |
| DynamoDBReplicationServiceRolePolicy – update to an existing policy | DynamoDBReplicationServiceRolePolicy added the permission account:ListRegions. This permission allows the service-linked role to evaluate replica accessibility. | May 10, 2023 |
| DynamoDBReplicationServiceRolePolicy – added to list of managed policies | Added information about the managed policy DynamoDBReplicationServiceRolePolicy, which is used by the DynamoDB global tables service-linked role. | May 10, 2023 |
| DynamoDB global tables started tracking changes | DynamoDB global tables started tracking changes for its Amazon managed policies. | May 10, 2023 |
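Because Amazon managed policies gain permissions over time and every identity with the policy attached receives them, a practitioner reviewing the change log above (and the update behaviour described earlier on this page) usually wants to diff two versions of a policy document and see exactly which Allow actions and service prefixes appeared. The following Python is an added example, not code from this page or from Amazon. The two policy documents are constructed samples shaped like an IAM policy; they are not the real AmazonDynamoDBReadOnlyAccess or DynamoDBReplicationServiceRolePolicy documents, and only the two added action names (dynamodb:GetResourcePolicy and account:ListRegions) are taken from the change log.

```python
import json

# Constructed sample policy versions. These are illustrative only; they are
# NOT the real managed-policy documents. Only the two actions that appear in
# the change log above are real permissions added by DynamoDB.
OLD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:Describe*", "dynamodb:List*", "dynamodb:GetItem"],
         "Resource": "*"},
        # IAM lets "Action" be a bare string rather than a list.
        {"Effect": "Allow",
         "Action": "application-autoscaling:DescribeScalingPolicies",
         "Resource": "*"},
    ],
})

NEW_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:Describe*", "dynamodb:List*", "dynamodb:GetItem",
                    "dynamodb:GetResourcePolicy"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "application-autoscaling:DescribeScalingPolicies",
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["account:ListRegions"], "Resource": "*"},
    ],
})


def allowed_actions(policy_json: str) -> set:
    """Flatten every Allow statement of a policy into a set of 'service:Action'.

    Handles two IAM document quirks: "Statement" may be a single object
    instead of a list, and "Action" may be a string instead of a list.
    Deny statements are skipped because this only tracks what is granted.
    Action names are compared as written; IAM matches them case-insensitively,
    so normalise case first if your two sources differ in casing.
    """
    doc = json.loads(policy_json)
    statements = doc["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    actions = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        acts = stmt["Action"]
        if isinstance(acts, str):
            acts = [acts]
        actions.update(acts)
    return actions


def services_touched(actions) -> set:
    """Service prefixes (the part before ':') of a collection of actions."""
    return {a.split(":", 1)[0] for a in actions}


def diff_policy_versions(old_json: str, new_json: str) -> dict:
    """Report Allow actions and service prefixes added or removed between versions.

    A new service prefix is the strongest signal: it means the policy now
    reaches a service it previously could not touch at all.
    """
    old, new = allowed_actions(old_json), allowed_actions(new_json)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "new_services": sorted(services_touched(new) - services_touched(old)),
    }


if __name__ == "__main__":
    # With the constructed samples this reports the two actions from the
    # change log as added, nothing removed, and "account" as a new service.
    print(json.dumps(diff_policy_versions(OLD_POLICY, NEW_POLICY), indent=2))
```

In practice you would feed this the policy document returned for two consecutive version ids of the managed policy (retrieved with your usual IAM tooling and saved as JSON) and review the "new_services" list first, since an entirely new service prefix is the change most worth tracing back to the identities the policy is attached to.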