
Fine-grained access control in DynamoDB

Introduction

Fine-grained access control lets you decide exactly who can read or change each individual item (and, with attribute conditions, which attributes of it). It helps keep your data safe and private.

Typical situations where you want it:

When users should see only their own data in a shared table.
When different users have different permissions for different parts of the data.
When you want to limit access to sensitive information such as personal details.
When you want to control who can update or delete specific records.
When you need to follow rules or laws about data privacy.
Syntax
Use IAM policies with condition keys like dynamodb:LeadingKeys or dynamodb:Attributes to control access.
Example:
{
  "Effect": "Allow",
  "Action": "dynamodb:GetItem",
  "Resource": "arn:aws:dynamodb:region:account-id:table/TableName",
  "Condition": {
    "ForAllValues:StringEquals": {
      "dynamodb:LeadingKeys": ["${aws:username}"]
    }
  }
}
Fine-grained access control is set using IAM policies with DynamoDB-specific condition keys; there is no separate DynamoDB permission system.
The dynamodb:LeadingKeys condition limits access to items whose partition key value matches the caller's identity (here the IAM user name, substituted from the ${aws:username} policy variable). The ForAllValues set operator means every partition key value in the request must match, so a batch request that includes even one other user's key is refused as a whole.
Examples
This policy lets a user read only the orders where the partition key matches their username.
{
  "Effect": "Allow",
  "Action": "dynamodb:GetItem",
  "Resource": "arn:aws:dynamodb:region:account-id:table/Orders",
  "Condition": {
    "ForAllValues:StringEquals": {
      "dynamodb:LeadingKeys": ["${aws:username}"]
    }
  }
}
This policy allows users to update or delete only their own profile data.
{
  "Effect": "Allow",
  "Action": ["dynamodb:UpdateItem", "dynamodb:DeleteItem"],
  "Resource": "arn:aws:dynamodb:region:account-id:table/Profiles",
  "Condition": {
    "ForAllValues:StringEquals": {
      "dynamodb:LeadingKeys": ["${aws:username}"]
    }
  }
}
Sample Program

This IAM policy allows a user to get items from the Tasks table only if the partition key matches their username. This means users can only read their own tasks.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "dynamodb:GetItem",
      "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/Tasks",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": ["${aws:username}"]
        }
      }
    }
  ]
}
Important Notes

Fine-grained access control requires your table's partition key to be designed for user-based access: the partition key value must be something that identifies the user (for example the user name), so the dynamodb:LeadingKeys condition has a value to compare against.

The ${aws:username} variable is only populated for IAM users. For callers that assume a role or sign in through a federated identity provider such as Amazon Cognito, use the variable that carries that identity instead (for example ${cognito-identity.amazonaws.com:sub}) and design the partition key around the same value.

dynamodb:LeadingKeys applies to the item-level actions that carry a partition key (GetItem, BatchGetItem, PutItem, UpdateItem, DeleteItem, Query and BatchWriteItem). Scan does not supply it, so do not grant Scan in a statement like this expecting the condition to filter the results; grant only the actions you actually need.

Always test your policies with different users to make sure access is correctly limited.
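The following added example (it is not part of the original page and is not AWS code) is a small offline simulation of how the policies above are evaluated, so the Examples section's per-user pattern and the advice to test with different users can be tried without an AWS account. It models only the parts of IAM evaluation that matter here: Action and Resource matching, substitution of ${aws:username}, and the ForAllValues:StringEquals set comparison on dynamodb:LeadingKeys. Explicit denies, SCPs and permission boundaries are out of scope. The table ARN is the one from the Sample Program; the user names and requests are constructed sample data.

```python
"""Offline simulation of a DynamoDB fine-grained access policy (added example)."""
import json
from typing import Dict, List


def build_leading_keys_policy(table_arn: str, actions: List[str]) -> dict:
    """Build the per-user policy pattern shown on the page for a table and a list of actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": actions,
                "Resource": table_arn,
                "Condition": {
                    "ForAllValues:StringEquals": {
                        "dynamodb:LeadingKeys": ["${aws:username}"]
                    }
                },
            }
        ],
    }


def _substitute(values: List[str], ctx: Dict[str, object]) -> List[str]:
    """Replace the ${aws:username} policy variable with the caller's IAM user name."""
    return [v.replace("${aws:username}", str(ctx.get("aws:username", ""))) for v in values]


def is_allowed(policy: dict, action: str, resource: str, ctx: Dict[str, object]) -> bool:
    """Return True if some Allow statement matches the action, resource and condition.

    ctx is the simulated request context, e.g.
    {"aws:username": "alice", "dynamodb:LeadingKeys": ["alice"]}.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions or stmt["Resource"] != resource:
            continue
        cond = stmt.get("Condition", {}).get("ForAllValues:StringEquals", {})
        matched = True
        for key, allowed in cond.items():
            allowed_set = set(_substitute(allowed, ctx))
            requested = ctx.get(key)
            # ForAllValues: every value in the request must be in the allowed set.
            # If the key is absent from the request context the condition is
            # treated as satisfied (documented IAM behaviour), which is why the
            # statement should only grant actions that always carry a partition key.
            if requested is not None and not set(requested) <= allowed_set:
                matched = False
                break
        if matched:
            return True
    return False  # no matching Allow statement: implicit deny


# Table ARN taken from the page's Sample Program; actions chosen for this example.
TASKS_TABLE = "arn:aws:dynamodb:us-west-2:123456789012:table/Tasks"
POLICY = build_leading_keys_policy(TASKS_TABLE, ["dynamodb:GetItem", "dynamodb:BatchGetItem"])


def demo() -> Dict[str, bool]:
    """Run constructed sample requests through the policy and return the decisions."""
    # dynamodb:LeadingKeys carries the partition key value(s) named in the request:
    # one for GetItem, several for BatchGetItem. User names are constructed.
    cases = {
        "alice reads own task": ("dynamodb:GetItem",
                                 {"aws:username": "alice", "dynamodb:LeadingKeys": ["alice"]}),
        "alice reads bob's task": ("dynamodb:GetItem",
                                   {"aws:username": "alice", "dynamodb:LeadingKeys": ["bob"]}),
        "alice batch, all own": ("dynamodb:BatchGetItem",
                                 {"aws:username": "alice", "dynamodb:LeadingKeys": ["alice", "alice"]}),
        "alice batch, one foreign": ("dynamodb:BatchGetItem",
                                     {"aws:username": "alice", "dynamodb:LeadingKeys": ["alice", "bob"]}),
        "alice scans (not granted)": ("dynamodb:Scan", {"aws:username": "alice"}),
    }
    return {name: is_allowed(POLICY, action, TASKS_TABLE, ctx) for name, (action, ctx) in cases.items()}


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for name, decision in demo().items():
        print(f"{name}: {'Allow' if decision else 'Deny'}")
```

Running the script prints the generated policy and then one decision per case: alice's own-key reads are allowed, any request naming bob's partition key is denied (including a batch that mixes her own keys with his), and Scan is denied simply because it was never granted. Against a real account the equivalent check is the IAM policy simulator, run once per test user.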

Summary

Fine-grained access control lets you control access to individual items in DynamoDB tables.

It uses IAM policies with conditions like dynamodb:LeadingKeys to restrict access based on the partition key values in each request.

This helps keep data private and secure for each user.