IAM policies for Amazon DynamoDB - Amazon Step Functions
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

IAM policies for Amazon DynamoDB

The following example templates show how Amazon Step Functions generates IAM policies based on the resources in your state machine definition. For more information, see IAM Policies for integrated services and Service integration patterns.

Static resources

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:[[region]]:[[accountId]]:table/[[tableName]]"
            ]
        }
    ]
}

Dynamic resources

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem"
            ],
            "Resource": "*"
        }
    ]
}

For more information about the IAM policies for all DynamoDB API actions, see IAM policies with DynamoDB in the Amazon DynamoDB Developer Guide. Additionally, for information about the IAM policies for PartiQL for DynamoDB, see IAM policies with PartiQL for DynamoDB in the Amazon DynamoDB Developer Guide.