Cross-account access with resource-based policies
Using a resource-based policy, you can provide cross-account access to resources available in different Amazon Web Services accounts. All cross-account access allowed by the resource-based policies will be reported through IAM Access Analyzer external access findings if you have an analyzer in the same Amazon Web Services Region as the resource. IAM Access Analyzer runs policy checks to validate your policy against IAM policy grammar and best practices.
These checks generate findings and provide actionable recommendations to help you author policies that are functional and conform to security best practices. You can view the active findings from IAM Access Analyzer in the Permissions tab of the DynamoDB console.
For information about validating policies by using IAM Access Analyzer, see IAM Access Analyzer policy validation in the IAM User Guide. To view a list of the warnings, errors, and suggestions that are returned by IAM Access Analyzer, see IAM Access Analyzer policy check reference.
To grant GetItem permission to a user A in account A for accessing a table B in account B, perform the following steps:
- Attach a resource-based policy to table B that grants permission to user A for performing the GetItem action.
- Attach an identity-based policy to user A that grants it permission to perform the GetItem action on table B.
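The two policies from the steps above, written out as an added example (not taken from the AWS documentation). The account IDs 111122223333 (account A) and 444455556666 (account B), the Region us-east-1, and the names UserA and TableB are placeholders; the two top-level keys only label which policy is which and are not part of either policy document.

```json
{
  "TableB_ResourceBasedPolicy_in_account_B": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowUserAFromAccountAGetItem",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::111122223333:user/UserA"
        },
        "Action": "dynamodb:GetItem",
        "Resource": "arn:aws:dynamodb:us-east-1:444455556666:table/TableB"
      }
    ]
  },
  "UserA_IdentityBasedPolicy_in_account_A": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowGetItemOnTableBInAccountB",
        "Effect": "Allow",
        "Action": "dynamodb:GetItem",
        "Resource": "arn:aws:dynamodb:us-east-1:444455556666:table/TableB"
      }
    ]
  }
}
```

Both policies must name the same table ARN and only the GetItem action, so that each side grants the minimum needed; user A then passes that full table ARN as the table name parameter when calling GetItem, because a bare table name resolves to a table in user A's own account.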
Using the Preview external access option available in DynamoDB console
The table name parameter in the DynamoDB data plane and control plane APIs accepts the complete Amazon Resource Name (ARN) of the table to support cross-account operations. If you provide only the table name instead of a complete ARN, the API operation is performed on the table in the account to which the requestor belongs. For an example of a policy that uses cross-account access, see Resource-based policy for cross-account access.
The resource owner's account is charged even when a principal from another account reads from or writes to the DynamoDB table in the owner's account. If the table has provisioned throughput, the sum of all requests from the owner account and from requestors in other accounts determines whether a request is throttled (if auto scaling is disabled) or capacity is scaled up or down (if auto scaling is enabled).
The requests are logged in the CloudTrail logs of both the owner and the requestor accounts, so each of the two accounts can track which account accessed what data.
Note: Cross-account access to control plane APIs has a lower transactions per second (TPS) limit of 500 requests.