
IAM policy for DynamoDB

Introduction

An IAM policy controls who can access your DynamoDB tables and what actions they can perform. It helps keep your data safe by giving only the right people permission.

You want to allow an application to read and write data in a specific DynamoDB table.
You need to restrict a user to only view items in a DynamoDB table but not change them.
You want to let a service create or delete DynamoDB tables automatically.
You want to prevent unauthorized users from accessing your DynamoDB data.
You want to give temporary access to DynamoDB for a specific task.
Syntax
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow" | "Deny",
      "Action": ["dynamodb:ActionName"],
      "Resource": "arn:aws:dynamodb:region:account-id:table/table-name"
    }
  ]
}
```

The Effect can be either Allow or Deny.

The Action lists the DynamoDB operations (for example dynamodb:GetItem) that the statement allows or denies.

The Resource is the ARN of the table (or tables, using a wildcard) that the statement applies to.

Examples
This policy allows putting and getting items only in the MyTable table.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:PutItem", "dynamodb:GetItem"],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/MyTable"
    }
  ]
}
```
This policy denies deleting items from the MyTable table.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["dynamodb:DeleteItem"],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/MyTable"
    }
  ]
}
```
This policy allows scanning all DynamoDB tables in the specified account and region.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "dynamodb:Scan",
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/*"
    }
  ]
}
```
Sample Program

This IAM policy allows reading, writing, updating and deleting items in the DynamoDB table named Books in the us-east-1 region for the AWS account 123456789012.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:GetItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Books"
    }
  ]
}
```
Important Notes

Always specify the exact table ARN in the Resource to limit access.

Use Allow to grant permissions and Deny to block them explicitly.

Apply least privilege: include only the actions and tables the caller actually needs, and test the policy before deploying it so it does not grant more than intended.
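Added example (not from the original page): a small Python evaluator that applies the Allow/Deny rules described in the Syntax section and the notes above to the three example policies on this page, merged into one document. It implements the core of IAM's evaluation order for identity-based policies (implicit deny by default, a matching Allow grants, a matching explicit Deny overrides any Allow) with wildcard matching for Action and Resource. It does not handle NotAction, NotResource, Condition, or resource-based policies; the merged sample policy and the `check_least_privilege` helper are my own constructions, not an AWS API.

```python
import fnmatch

# Constructed sample: the three example policies from this page merged into one
# document, so that "explicit Deny overrides Allow" can be observed directly.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:PutItem", "dynamodb:GetItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/MyTable"},
        {"Effect": "Deny",
         "Action": ["dynamodb:DeleteItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/MyTable"},
        {"Effect": "Allow",
         "Action": "dynamodb:Scan",
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/*"},
    ],
}

MYTABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/MyTable"
OTHER_TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/Other"


def _as_list(value):
    """IAM allows Statement/Action/Resource to be a single value or a list."""
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def _matches(patterns, value):
    """IAM wildcard semantics: '*' matches any run of characters, '?' exactly one."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Simplified evaluation of one identity-based policy for a single request.

    Returns 'explicitDeny', 'allowed' or 'implicitDeny'. Action names are
    compared case-insensitively (as IAM does); resource ARNs are case-sensitive.
    Condition, NotAction and NotResource are not modelled here.
    """
    decision = "implicitDeny"  # nothing matched yet: implicit deny
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not _matches(actions, action.lower()):
            continue
        if not _matches(resources, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"  # an explicit Deny wins over any Allow
        decision = "allowed"
    return decision


def check_least_privilege(policy, required, probes):
    """Hypothetical helper for a pre-deployment check.

    required: (action, resource) pairs the workload needs -> must be allowed.
    probes:   (action, resource) pairs it must NOT have    -> must not be allowed.
    Returns (missing, excessive): requirements not granted, probes that slipped through.
    """
    missing = [(a, r) for a, r in required if evaluate(policy, a, r) != "allowed"]
    excessive = [(a, r) for a, r in probes if evaluate(policy, a, r) == "allowed"]
    return missing, excessive


if __name__ == "__main__":
    for act, res in [("dynamodb:GetItem", MYTABLE),
                     ("dynamodb:DeleteItem", MYTABLE),
                     ("dynamodb:UpdateItem", MYTABLE),
                     ("dynamodb:Scan", OTHER_TABLE)]:
        print(f"{act:24s} {res.rsplit('/', 1)[1]:10s} -> {evaluate(SAMPLE_POLICY, act, res)}")
    missing, excessive = check_least_privilege(
        SAMPLE_POLICY,
        required=[("dynamodb:GetItem", MYTABLE), ("dynamodb:UpdateItem", MYTABLE)],
        probes=[("dynamodb:DeleteTable", MYTABLE), ("dynamodb:Scan", OTHER_TABLE)],
    )
    print("missing:", missing)
    print("excessive:", excessive)
```

The script is a quick local unit test for the "least privilege" note: list what the workload needs and what it must never get, and fail the build if either list comes back non-empty. The authoritative check remains IAM's own policy simulator (the SimulateCustomPolicy API or the console simulator), which applies the full evaluation logic including conditions and resource-based policies.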

Summary

An IAM policy controls who can do what with your DynamoDB tables.

Use Action to specify allowed or denied DynamoDB operations.

Always limit access by specifying the table Resource ARN.