Using identity-based policies with Amazon DynamoDB - Amazon DynamoDB
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using identity-based policies with Amazon DynamoDB

This topic covers using identity-based Amazon Identity and Access Management (IAM) policies with Amazon DynamoDB and provides examples. The examples show how an account administrator can attach permissions policies to IAM identities (users, groups, and roles) and thereby grant permissions to perform operations on Amazon DynamoDB resources.

The sections in this topic cover the following:

The following is an example of a permissions policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DescribeQueryScanBooksTable",
            "Effect": "Allow",
            "Action": [
                "dynamodb:DescribeTable",
                "dynamodb:Query",
                "dynamodb:Scan"
            ],
            "Resource": "arn:aws:dynamodb:us-west-2:account-id:table/Books"
        }
    ]
}

The preceding policy has one statement that grants permissions for three DynamoDB actions (dynamodb:DescribeTable, dynamodb:Query, and dynamodb:Scan) on a table in the us-west-2 Amazon Region, which is owned by the Amazon account specified by account-id. The Amazon Resource Name (ARN) in the Resource value specifies the table that the permissions apply to.
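To make the evaluation of that statement concrete, the following Python snippet is an example added to this page (it is not part of the DynamoDB documentation or of the IAM service): it applies the explicit-deny, allow, implicit-deny order to a policy document and, as a least-privilege check, lists Allow statements that use wildcards. It models only the Action and Resource elements; Condition, NotAction/NotResource and resource-based policies are deliberately left out, and the "account-id" placeholder is kept exactly as the page writes it.

```python
import fnmatch
import json

# The policy from this page (the "account-id" placeholder is kept as written).
BOOKS_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [ { "Sid": "DescribeQueryScanBooksTable",
  "Effect": "Allow", "Action": [ "dynamodb:DescribeTable", "dynamodb:Query", "dynamodb:Scan" ],
  "Resource": "arn:aws:dynamodb:us-west-2:account-id:table/Books" } ] }
""")

def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, case_insensitive):
    # '*' and '?' are wildcards in IAM Action and Resource elements.
    # Action names match case-insensitively; ARNs are matched as written.
    if case_insensitive:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def is_allowed(policy, action, resource):
    """Simplified identity-policy decision: an explicit Deny wins, otherwise any
    matching Allow grants, otherwise the request is implicitly denied.
    Condition, NotAction/NotResource and resource-based policies are not modelled."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if "Action" not in stmt or "Resource" not in stmt:
            continue  # statements written with NotAction/NotResource are skipped here
        if (_matches(stmt["Action"], action, True)
                and _matches(stmt["Resource"], resource, False)):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def wildcard_findings(policy):
    """Least-privilege lint: list Allow statements whose Action or Resource uses '*'."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if any("*" in a for a in _as_list(stmt.get("Action", []))):
            findings.append(f"{sid}: wildcard in Action")
        if any("*" in r for r in _as_list(stmt.get("Resource", []))):
            findings.append(f"{sid}: wildcard in Resource")
    return findings

if __name__ == "__main__":
    table = "arn:aws:dynamodb:us-west-2:account-id:table/Books"
    for act in ("dynamodb:Query", "dynamodb:PutItem"):
        print(act, "->", is_allowed(BOOKS_POLICY, act, table))
    print(wildcard_findings(BOOKS_POLICY))
```

Running it shows that Query on the Books table is allowed, PutItem on the same table is implicitly denied, and the page's policy produces no wildcard findings.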

IAM permissions required to use the Amazon DynamoDB console

To work with the DynamoDB console, a user must have a minimum set of permissions that allow the user to work with their Amazon account's DynamoDB resources. In addition to these DynamoDB permissions, the console requires the following permissions:

  • Amazon CloudWatch permissions to display metrics and graphs.

  • Amazon Data Pipeline permissions to export and import DynamoDB data.

  • Amazon Identity and Access Management permissions to access roles necessary for exports and imports.

  • Amazon Simple Notification Service permissions to notify you whenever a CloudWatch alarm is triggered.

  • Amazon Lambda permissions to process DynamoDB Streams records.

If you create an IAM policy that is more restrictive than the minimum required permissions, the console won't function as intended for users with that IAM policy. To ensure that those users can still use the DynamoDB console, also attach the AmazonDynamoDBReadOnlyAccess Amazon managed policy to the user, as described in Amazon managed (predefined) IAM policies for Amazon DynamoDB.

You don't need to allow minimum console permissions for users who are making calls only to the Amazon CLI or the Amazon DynamoDB API.

Note

If you refer to a VPC endpoint, you will also need to authorize the DescribeEndpoints API call for the requesting IAM principal(s) with the IAM action (dynamodb:DescribeEndpoints). For more information, see Required policy for endpoints.

Amazon managed (predefined) IAM policies for Amazon DynamoDB

Amazon addresses some common use cases by providing standalone IAM policies that are created and administered by Amazon. These Amazon managed policies grant necessary permissions for common use cases so that you can avoid having to investigate which permissions are needed. For more information, see Amazon Managed Policies in the IAM User Guide.

The following Amazon managed policies, which you can attach to users in your account, are specific to DynamoDB and are grouped by use-case scenario:

  • AmazonDynamoDBReadOnlyAccess – Grants read-only access to DynamoDB resources through the Amazon Web Services Management Console.

  • AmazonDynamoDBFullAccess – Grants full access to DynamoDB resources through the Amazon Web Services Management Console.

You can review these Amazon managed permissions policies by signing in to the IAM console and searching for specific policies there.

Important

The best practice is to create custom IAM policies that grant least-privilege to the users, roles, or groups that require them.

Customer managed policy examples

In this section, you can find policy examples that grant permissions for various DynamoDB actions. These policies work when you use Amazon SDKs or the Amazon CLI. When you use the console, you need to grant additional permissions that are specific to the console. For more information, see IAM permissions required to use the Amazon DynamoDB console.

Note

All of the following policy examples use one of the Amazon Regions and contain fictitious account IDs and table names.

Examples:

The IAM User Guide includes three additional DynamoDB examples: