Cross-account access with resource-based policies - Amazon DynamoDB
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Cross-account access with resource-based policies

Using a resource-based policy, you can provide cross-account access to resources available in different Amazon Web Services accounts. All cross-account access allowed by the resource-based policies will be reported through IAM Access Analyzer external access findings if you have an analyzer in the same Amazon Web Services Region as the resource. IAM Access Analyzer runs policy checks to validate your policy against IAM policy grammar and best practices. These checks generate findings and provide actionable recommendations to help you author policies that are functional and conform to security best practices. You can view the active findings from IAM Access Analyzer in the Permissions tab of the DynamoDB console.

For information about validating policies by using IAM Access Analyzer, see IAM Access Analyzer policy validation in the IAM User Guide. To view a list of the warnings, errors, and suggestions that are returned by IAM Access Analyzer, see IAM Access Analyzer policy check reference.

To grant user A in account A GetItem permission on table B in account B, perform the following steps:

  1. Attach a resource-based policy to table B that grants permission to user A for performing the GetItem action.

  2. Attach an identity-based policy to user A that grants it permission to perform the GetItem action on table B.

Using the Preview external access option available in DynamoDB console, you can preview how your new policy affects public and cross-account access to your resource. Before you save your policy, you can check whether it introduces new IAM Access Analyzer findings or resolves existing findings. If you don’t see an active analyzer, choose Go to Access Analyzer to create an account analyzer in IAM Access Analyzer. For more information, see Preview access.

The table name parameter in the DynamoDB data plane and control plane APIs accepts the complete Amazon Resource Name (ARN) of the table to support cross-account operations. If you provide only the table name instead of a complete ARN, the API operation is performed on the table of that name in the account to which the requestor belongs. For an example of a policy that uses cross-account access, see Resource-based policy for cross-account access.
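The following added example (not code from the DynamoDB documentation) puts the two-step grant above and the TableName rule into working form. It builds the resource-based policy for table B and the identity-based policy for user A, resolves a TableName parameter the way the paragraph above describes (full ARN versus bare name), and models the requirement that both policies must allow the action before a cross-account GetItem succeeds. The account IDs, region, table name and user name are constructed placeholders, and the policy evaluation is a deliberately simplified model (Allow statements with wildcards only; no Deny, Condition, or SCP handling), not AWS's own evaluation logic.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample identifiers (placeholders, not real AWS accounts)
ACCOUNT_A = "111111111111"          # requestor's account (owns user A)
ACCOUNT_B = "222222222222"          # resource owner's account (owns table B)
REGION = "us-east-1"
TABLE_B_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT_B}:table/TableB"
USER_A_ARN = f"arn:aws:iam::{ACCOUNT_A}:user/UserA"


def resource_based_policy(table_arn, principal_arn, actions):
    """Step 1: resource-based policy attached to table B, naming user A as principal."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowUserAFromAccountA",
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": list(actions),
            "Resource": table_arn,
        }],
    }


def identity_based_policy(table_arn, actions):
    """Step 2: identity-based policy attached to user A, scoped to table B's full ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowActionsOnTableB",
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": table_arn,
        }],
    }


def resolve_table_arn(table_name_param, caller_account, region):
    """Mirror the TableName rule: a full ARN targets that table; a bare name targets
    the table of the same name in the caller's own account."""
    if table_name_param.startswith("arn:aws:dynamodb:"):
        return table_name_param
    return f"arn:aws:dynamodb:{region}:{caller_account}:table/{table_name_param}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_allows(statement, action, resource, principal_arn=None):
    """True if an Allow statement matches action, resource and (if present) principal.
    Simplified model: '*' wildcards via fnmatch, no Condition or Deny handling."""
    if statement.get("Effect") != "Allow":
        return False
    if "Principal" in statement:
        allowed = _as_list(statement["Principal"].get("AWS", []))
        if principal_arn not in allowed and "*" not in allowed:
            return False
    action_ok = any(fnmatchcase(action, a) for a in _as_list(statement["Action"]))
    resource_ok = any(fnmatchcase(resource, r) for r in _as_list(statement["Resource"]))
    return action_ok and resource_ok


def cross_account_allowed(resource_policy, identity_policy, principal_arn, action, table_arn):
    """Both policies must grant the action for a cross-account request to succeed
    (the page's two-step requirement; a toy model, not full IAM evaluation logic)."""
    table_side = any(_statement_allows(s, action, table_arn, principal_arn)
                     for s in resource_policy["Statement"])
    user_side = any(_statement_allows(s, action, table_arn)
                    for s in identity_policy["Statement"])
    return table_side and user_side


def get_item_request(table_name_param, key):
    """Build the keyword arguments for a boto3 get_item call; passing the full ARN as
    TableName is what directs the request at the table in the other account."""
    return {"TableName": table_name_param, "Key": key}


if __name__ == "__main__":
    actions = ["dynamodb:GetItem"]
    table_policy = resource_based_policy(TABLE_B_ARN, USER_A_ARN, actions)
    user_policy = identity_based_policy(TABLE_B_ARN, actions)
    print(json.dumps(table_policy, indent=2))
    print(json.dumps(user_policy, indent=2))
    print(cross_account_allowed(table_policy, user_policy, USER_A_ARN,
                                "dynamodb:GetItem", TABLE_B_ARN))
    # A bare table name sent by user A resolves to account A's own table, not table B.
    print(resolve_table_arn("TableB", ACCOUNT_A, REGION))
    print(get_item_request(TABLE_B_ARN, {"pk": {"S": "item-1"}}))
```

The `resolve_table_arn` check is the one worth keeping in mind when debugging a cross-account call that returns a resource-not-found or access-denied error: a caller in account A that passes `TableName="TableB"` is asking for a table in account A, so the policies on table B in account B never come into play.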

The resource owner's account is charged even when a principal from another account is reading from or writing to the DynamoDB table in the owner's account. If the table has provisioned throughput, the sum of all requests from the owner account and from requestors in other accounts determines whether a request is throttled (if auto scaling is disabled) or whether capacity is scaled up or down (if auto scaling is enabled).

The requests are logged in the CloudTrail logs of both the owner account and the requestor account, so each of the two accounts can track which account accessed what data.

Note

The cross-account access of control plane APIs has a lower transactions per second (TPS) limit of 500 requests.