Using identity-based policies (IAM policies) with Amazon DynamoDB - Amazon DynamoDB
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Using identity-based policies (IAM policies) with Amazon DynamoDB

This topic covers using identity-based Amazon Identity and Access Management (IAM) policies with Amazon DynamoDB and provides examples. The examples show how an account administrator can attach permissions policies to IAM identities (users, groups, and roles) and thereby grant permissions to perform operations on Amazon DynamoDB resources.

Important

We recommend that you first review the introductory topics that explain the basic concepts and options available to manage access to your DynamoDB resources. For more information, see Overview of managing access permissions to your Amazon DynamoDB Resources.

The sections in this topic cover the following:

The following is an example of a permissions policy.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "DescribeQueryScanBooksTable", "Effect": "Allow", "Action": [ "dynamodb:DescribeTable", "dynamodb:Query", "dynamodb:Scan" ], "Resource": "arn:aws:dynamodb:us-west-2:account-id:table/Books" } ] }

The preceding policy has one statement that grants permissions for three DynamoDB actions (dynamodb:DescribeTable, dynamodb:Query, and dynamodb:Scan) on a table in the us-west-2 Amazon Region, which is owned by the Amazon account specified by account-id. The Amazon Resource Name (ARN) in the Resource value specifies the table that the permissions apply to.

IAM permissions required to use the Amazon DynamoDB console

To work with the DynamoDB console, a user must have a minimum set of permissions that allow the user to work with their Amazon account's DynamoDB resources. In addition to these DynamoDB permissions, the console requires permissions:

  • Amazon CloudWatch permissions to display metrics and graphs.

  • Amazon Data Pipeline permissions to export and import DynamoDB data.

  • Amazon Identity and Access Management permissions to access roles necessary for exports and imports.

  • Amazon Simple Notification Service permissions to notify you whenever a CloudWatch alarm is triggered.

  • Amazon Lambda permissions to process DynamoDB Streams records.

If you create an IAM policy that is more restrictive than the minimum required permissions, the console won't function as intended for users with that IAM policy. To ensure that those users can still use the DynamoDB console, also attach the AmazonDynamoDBReadOnlyAccess Amazon managed policy to the user, as described in Amazon managed (predefined) IAM policies for Amazon DynamoDB.

You don't need to allow minimum console permissions for users who are making calls only to the Amazon CLI or the Amazon DynamoDB API.

Amazon managed (predefined) IAM policies for Amazon DynamoDB

Amazon addresses some common use cases by providing standalone IAM policies that are created and administered by Amazon. These Amazon managed policies grant necessary permissions for common use cases so that you can avoid having to investigate which permissions are needed. For more information, see Amazon Managed Policies in the IAM User Guide.

The following Amazon managed policies, which you can attach to users in your account, are specific to DynamoDB and are grouped by use-case scenario:

  • AmazonDynamoDBReadOnlyAccess – Grants read-only access to DynamoDB resources through the Amazon Web Services Management Console.

  • AmazonDynamoDBFullAccess – Grants full access to DynamoDB resources through the Amazon Web Services Management Console.

You can review these Amazon managed permissions policies by signing in to the IAM console and searching for specific policies there.

Important

The best practice is to create custom IAM policies that grant least-privilege to the IAM users, roles, or groups that require them.

Customer managed policy examples

In this section, you can find policy examples that grant permissions for various DynamoDB actions. These policies work when you use Amazon SDKs or the Amazon CLI. When you use the console, you need to grant additional permissions that are specific to the console. For more information, see IAM permissions required to use the Amazon DynamoDB console.

Note

All of the following policy examples use one of the Amazon Regions and contain fictitious account IDs and table names.

Examples:

The IAM User Guide, includes three additional DynamoDB examples: