API operations supported by resource-based policies
This topic lists the API operations that are supported by resource-based policies. However, for cross-account access, you can only use a certain set of DynamoDB APIs through resource-based policies. You can't attach resource-based policies to resource types, such as backups and imports. The IAM actions, which correspond with the APIs operating on these resource types, are excluded from the supported IAM actions in resource-based policies. Because table administrators configure internal table settings within the same account, APIs, such as UpdateTimeToLive and DisableKinesisStreamingDestination, don't support cross-account access through resource-based policies.
The DynamoDB data plane and control plane APIs that support cross-account access also support
table name overloading, which lets you specify the table ARN instead of the table name. You
can specify table ARN in the TableName
parameter of these APIs. However, not all
of these APIs support cross-account access.
The following table lists the API-level support for resource-based policies and cross-account access.
API action | Resource-based policy support | Cross-account support |
---|---|---|
Data Plane - Tables/indexes | ||
Yes | Yes | |
Yes | Yes | |
Yes | Yes | |
Yes | Yes | |
Yes | Yes | |
Yes | Yes | |
Yes | Yes | |
Yes | Yes | |
Yes | Yes | |
Yes | Yes | |
PartiQL | ||
Yes | No | |
Yes | No | |
Yes | No | |
Control Plane - Tables | ||
No | No | |
Yes | Yes | |
Yes | Yes | |
Yes | Yes | |
Version 2019.11.21 (Current) global tables | ||
Yes | No | |
Yes | No | |
Version 2017.11.29 (Legacy) global table | ||
No | No | |
No | No | |
No | No | |
No | No | |
No | No | |
No | No | |
Tags | ||
Yes | Yes | |
Yes | Yes | |
Yes | Yes | |
Backup/Restore | ||
Yes | No | |
No | No | |
No | No | |
No | No | |
Continuous Backup/Restore (PITR) | ||
Yes | No | |
Yes | No | |
Yes | No | |
Contributor Insights | ||
Yes | No | |
No | No | |
Yes | No | |
Export | ||
No | No | |
Yes | No | |
No | No | |
Import | ||
No | No | |
No | No | |
No | No | |
Kinesis | ||
Yes | No | |
Yes | No | |
Yes | No | |
Yes | No | |
Resource policies | ||
Yes | No | |
Yes | No | |
Yes | No | |
Time-to-Live | ||
Yes | No | |
Yes | No | |
Others | ||
No | No | |
No | No | |
No | No | |
No | No |
The following table lists the API-level support of DynamoDB Streams APIs for resource-based policies and cross-account access.
API action | Resource-based policy support | Cross-account support |
---|---|---|
Yes | Yes | |
Yes | Yes | |
Yes | Yes | |
No | No |