Attach a policy to an existing DynamoDB table - Amazon DynamoDB
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Attach a policy to an existing DynamoDB table

You can attach a resource-based policy to an existing table or modify an existing policy by using the DynamoDB console, PutResourcePolicy API, the Amazon CLI, Amazon SDK, or an Amazon CloudFormation template.

The following IAM policy example uses the put-resource-policy Amazon CLI command to attach a resource-based policy to an existing table. This example allows the user John to perform the GetItem, PutItem, UpdateItem, and UpdateTable API actions on an existing table named MusicCollection.

Remember to replace the placeholder values (the table ARN, the account IDs, and the principal ARN) with your resource-specific information.

aws dynamodb put-resource-policy \
    --resource-arn arn:aws-cn:dynamodb:us-west-2:123456789012:table/MusicCollection \
    --policy \
    "{
        \"Version\": \"2012-10-17\",
        \"Statement\": [
            {
                \"Effect\": \"Allow\",
                \"Principal\": { \"AWS\": \"arn:aws-cn:iam::111122223333:user/John\" },
                \"Action\": [
                    \"dynamodb:GetItem\",
                    \"dynamodb:PutItem\",
                    \"dynamodb:UpdateItem\",
                    \"dynamodb:UpdateTable\"
                ],
                \"Resource\": \"arn:aws-cn:dynamodb:us-west-2:123456789012:table/MusicCollection\"
            }
        ]
    }"

To conditionally update an existing resource-based policy on a table, use the optional expected-revision-id parameter. The following example updates the policy only if a policy already exists on the table and its current revision ID matches the value passed in expected-revision-id; a change made by another caller in the meantime is therefore rejected rather than silently overwritten.

aws dynamodb put-resource-policy \
    --resource-arn arn:aws-cn:dynamodb:us-west-2:123456789012:table/MusicCollection \
    --expected-revision-id 1709841168699 \
    --policy \
    "{
        \"Version\": \"2012-10-17\",
        \"Statement\": [
            {
                \"Effect\": \"Allow\",
                \"Principal\": { \"AWS\": \"arn:aws-cn:iam::111122223333:user/John\" },
                \"Action\": [
                    \"dynamodb:GetItem\",
                    \"dynamodb:UpdateItem\",
                    \"dynamodb:UpdateTable\"
                ],
                \"Resource\": \"arn:aws-cn:dynamodb:us-west-2:123456789012:table/MusicCollection\"
            }
        ]
    }"

To attach the policy using the DynamoDB console:

  1. Sign in to the Amazon Web Services Management Console and open the DynamoDB console at https://console.amazonaws.cn/dynamodb/.

  2. From the dashboard, choose an existing table.

  3. Navigate to the Permissions tab, and choose Create table policy.

  4. In the resource-based policy editor, add the policy you would like to attach and choose Create policy.

    The following IAM policy example allows the user John to perform the GetItem, PutItem, UpdateItem, and UpdateTable API actions on an existing table named MusicCollection.

    Remember to replace the placeholder values (the table ARN, the account IDs, and the principal ARN) with your resource-specific information.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": { "AWS": "arn:aws-cn:iam::111122223333:user/John" },
                "Action": [
                    "dynamodb:GetItem",
                    "dynamodb:PutItem",
                    "dynamodb:UpdateItem",
                    "dynamodb:UpdateTable"
                ],
                "Resource": "arn:aws-cn:dynamodb:us-west-2:123456789012:table/MusicCollection"
            }
        ]
    }

The following Java example uses the putResourcePolicy method of the SDK for Java 2.x to attach a resource-based policy to an existing table. The generated policy allows the specified principal to perform only the GetItem API action on that table.

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.dynamodb.DynamoDbClient;
import software.amazon.awssdk.services.dynamodb.model.DynamoDbException;
import software.amazon.awssdk.services.dynamodb.model.PutResourcePolicyRequest;

/**
 * Before running this Java V2 code example, set up your development
 * environment, including your credentials.
 *
 * For more information, see the following documentation topic:
 *
 * Get started with the Amazon SDK for Java 2.x
 */
public class PutResourcePolicy {
    public static void main(String[] args) {
        final String usage = """

                Usage:
                    <tableArn> <allowedAWSPrincipal>

                Where:
                    tableArn - The Amazon DynamoDB table ARN to attach the policy to.
                        For example, arn:aws-cn:dynamodb:us-west-2:123456789012:table/MusicCollection.
                    allowedAWSPrincipal - Allowed Amazon principal ARN that the example policy will give access to.
                        For example, arn:aws-cn:iam::123456789012:user/John.
                """;

        if (args.length != 2) {
            System.out.println(usage);
            System.exit(1);
        }

        String tableArn = args[0];
        String allowedAWSPrincipal = args[1];
        System.out.println("Attaching a resource-based policy to the Amazon DynamoDB table with ARN " + tableArn);

        Region region = Region.US_WEST_2;
        DynamoDbClient ddb = DynamoDbClient.builder()
                .region(region)
                .build();

        String result = putResourcePolicy(ddb, tableArn, allowedAWSPrincipal);
        System.out.println("Revision ID for the attached policy is " + result);
        ddb.close();
    }

    // Attaches the generated policy to the table and returns the new policy revision ID.
    public static String putResourcePolicy(DynamoDbClient ddb, String tableArn, String allowedAWSPrincipal) {
        String policy = generatePolicy(tableArn, allowedAWSPrincipal);
        PutResourcePolicyRequest request = PutResourcePolicyRequest.builder()
                .policy(policy)
                .resourceArn(tableArn)
                .build();
        try {
            return ddb.putResourcePolicy(request).revisionId();
        } catch (DynamoDbException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
        return "";
    }

    // Builds a single-statement policy that grants only dynamodb:GetItem on the table.
    private static String generatePolicy(String tableArn, String allowedAWSPrincipal) {
        return "{\n" +
                "  \"Version\": \"2012-10-17\",\n" +
                "  \"Statement\": [\n" +
                "    {\n" +
                "      \"Effect\": \"Allow\",\n" +
                "      \"Principal\": {\"AWS\":\"" + allowedAWSPrincipal + "\"},\n" +
                "      \"Action\": [\n" +
                "        \"dynamodb:GetItem\"\n" +
                "      ],\n" +
                "      \"Resource\": \"" + tableArn + "\"\n" +
                "    }\n" +
                "  ]\n" +
                "}";
    }
}
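The conditional update described in the CLI section and the programmatic attachment shown in the Java example, combined in one added Python example that is not code from this page or from the AWS SDK samples: it builds the same single-statement table policy, lints it for least privilege before attaching, and performs the read-then-write with ExpectedRevisionId. The `ddb` argument is assumed to be any object exposing boto3's DynamoDB `get_resource_policy`/`put_resource_policy` methods; `FakeDynamoDb` is a constructed stand-in so the block runs offline.

```python
import json

# Added example, not from the DynamoDB docs or the AWS SDK samples: builds the
# page's single-statement table policy, lints it for least privilege and
# attaches it with the expected-revision-id check. `ddb` is any object with
# boto3's get_resource_policy/put_resource_policy; FakeDynamoDb is a stand-in.

def _as_list(x):
    return [x] if isinstance(x, str) else x  # IAM accepts a string or a list

def build_table_policy(table_arn, principal_arn, actions):
    """Policy granting only `actions` on `table_arn` to `principal_arn`."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": principal_arn},
        "Action": sorted(actions), "Resource": table_arn}]}

def lint_table_policy(policy, table_arn):
    """Findings for Allow statements broader than named principals on this table."""
    findings = []
    for i, s in enumerate(policy.get("Statement", [])):
        if s.get("Effect") != "Allow":
            continue
        acts = _as_list(s.get("Action", []))
        res = _as_list(s.get("Resource", []))
        if s.get("Principal") in ("*", {"AWS": "*"}):
            findings.append(f"statement {i}: wildcard principal")
        if any(a == "*" or a.endswith(":*") for a in acts):
            findings.append(f"statement {i}: wildcard action")
        if any(not r.startswith(table_arn) for r in res):
            findings.append(f"statement {i}: resource outside the table")
    return findings

def attach_policy(ddb, table_arn, policy):
    """Refuse broad policies; write only if the stored revision is unchanged."""
    if findings := lint_table_policy(policy, table_arn):
        raise ValueError("; ".join(findings))
    current = ddb.get_resource_policy(ResourceArn=table_arn)  # errors if no policy
    resp = ddb.put_resource_policy(ResourceArn=table_arn, Policy=json.dumps(policy),
                                   ExpectedRevisionId=current["RevisionId"])
    return resp["RevisionId"]  # a stale ExpectedRevisionId is rejected by the service

class FakeDynamoDb:  # constructed offline stand-in: one table, one policy revision
    policy, revision = "{}", "1709841168699"
    def get_resource_policy(self, ResourceArn):
        return {"Policy": self.policy, "RevisionId": self.revision}
    def put_resource_policy(self, ResourceArn, Policy, ExpectedRevisionId=None):
        if ExpectedRevisionId not in (None, self.revision):
            raise RuntimeError("revision mismatch: the policy changed concurrently")
        self.policy, self.revision = Policy, str(int(self.revision) + 1)
        return {"RevisionId": self.revision}
```

With a real boto3 client in place of `FakeDynamoDb`, a table that has no policy yet must be handled by a first unconditional `put_resource_policy` call, as in the first CLI example.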