
DynamoDB - Permissions API
The DynamoDB API offers a large set of actions, each of which requires permissions. When setting permissions, you must establish the actions permitted, the resources permitted, and the conditions of each.
Specify actions in the Action field of the policy and resource values in the Resource field. Make sure you use the correct syntax, which consists of the dynamodb: prefix followed by the API operation.
For example − dynamodb:CreateTable
You can also employ condition keys to filter permissions.
Permissions and API Actions
Take a good look at the API actions and associated permissions given in the following table −
API Operation | Necessary Permission |
---|---|
BatchGetItem | dynamodb:BatchGetItem |
BatchWriteItem | dynamodb:BatchWriteItem |
CreateTable | dynamodb:CreateTable |
DeleteItem | dynamodb:DeleteItem |
DeleteTable | dynamodb:DeleteTable |
DescribeLimits | dynamodb:DescribeLimits |
DescribeReservedCapacity | dynamodb:DescribeReservedCapacity |
DescribeReservedCapacityOfferings | dynamodb:DescribeReservedCapacityOfferings |
DescribeStream | dynamodb:DescribeStream |
DescribeTable | dynamodb:DescribeTable |
GetItem | dynamodb:GetItem |
GetRecords | dynamodb:GetRecords |
GetShardIterator | dynamodb:GetShardIterator |
ListStreams | dynamodb:ListStreams |
ListTables | dynamodb:ListTables |
PurchaseReservedCapacityOfferings | dynamodb:PurchaseReservedCapacityOfferings |
PutItem | dynamodb:PutItem |
Query | dynamodb:Query |
Scan | dynamodb:Scan |
UpdateItem | dynamodb:UpdateItem |
UpdateTable | dynamodb:UpdateTable |
Resources
In the following table, you can review the resources associated with each permitted API action −
API Operation | Resource |
---|---|
BatchGetItem | arn:aws:dynamodb:region:account-id:table/table-name |
BatchWriteItem | arn:aws:dynamodb:region:account-id:table/table-name |
CreateTable | arn:aws:dynamodb:region:account-id:table/table-name |
DeleteItem | arn:aws:dynamodb:region:account-id:table/table-name |
DeleteTable | arn:aws:dynamodb:region:account-id:table/table-name |
DescribeLimits | arn:aws:dynamodb:region:account-id:* |
DescribeReservedCapacity | arn:aws:dynamodb:region:account-id:* |
DescribeReservedCapacityOfferings | arn:aws:dynamodb:region:account-id:* |
DescribeStream | arn:aws:dynamodb:region:account-id:table/table-name/stream/stream-label |
DescribeTable | arn:aws:dynamodb:region:account-id:table/table-name |
GetItem | arn:aws:dynamodb:region:account-id:table/table-name |
GetRecords | arn:aws:dynamodb:region:account-id:table/table-name/stream/stream-label |
GetShardIterator | arn:aws:dynamodb:region:account-id:table/table-name/stream/stream-label |
ListStreams | arn:aws:dynamodb:region:account-id:table/table-name/stream/* |
ListTables | * |
PurchaseReservedCapacityOfferings | arn:aws:dynamodb:region:account-id:* |
PutItem | arn:aws:dynamodb:region:account-id:table/table-name |
Query | arn:aws:dynamodb:region:account-id:table/table-name or arn:aws:dynamodb:region:account-id:table/table-name/index/index-name |
Scan | arn:aws:dynamodb:region:account-id:table/table-name or arn:aws:dynamodb:region:account-id:table/table-name/index/index-name |
UpdateItem | arn:aws:dynamodb:region:account-id:table/table-name |
UpdateTable | arn:aws:dynamodb:region:account-id:table/table-name |
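The two tables above can be turned into a check that catches policy statements whose actions can never apply to the listed resources, for example a stream operation paired only with a table ARN. The following Python sketch is an added example, not code from the original page or from AWS; the function names, the sample ARN and the account ID are constructed for illustration, and it recognises only the ARN forms shown in the table (a `*` may stand in for a whole segment).

```python
import re

# Resource ARN forms, following the Resources table on this page.
_T = r"arn:aws:dynamodb:[^:]+:[^:]+:table/[^/]+"
SHAPES = {
    "table": re.compile(_T),
    "index": re.compile(_T + r"/index/[^/]+"),
    "stream": re.compile(_T + r"/stream/[^/]+"),
    "account": re.compile(r"arn:aws:dynamodb:[^:]+:[^:]+:\*"),
    "any": re.compile(r"\*"),
}
# Operation (lower-cased) -> resource forms the page lists for it.
ALLOWED = {"listtables": ("any",), "query": ("table", "index"),
           "scan": ("table", "index")}
for kind, ops in {
    "table": "BatchGetItem BatchWriteItem CreateTable DeleteItem DeleteTable "
             "DescribeTable GetItem PutItem UpdateItem UpdateTable",
    "stream": "DescribeStream GetRecords GetShardIterator ListStreams",
    "account": "DescribeLimits DescribeReservedCapacity "
               "DescribeReservedCapacityOfferings PurchaseReservedCapacityOfferings",
}.items():
    ALLOWED.update({op.lower(): (kind,) for op in ops.split()})


def as_list(value):
    """Action and Resource may each be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)


def lint_statement(stmt):
    """Return one finding per action that no Resource in stmt can apply to."""
    findings = []
    resources = as_list(stmt.get("Resource", []))
    for action in as_list(stmt.get("Action", [])):
        service, _, op = action.partition(":")
        forms = ALLOWED.get(op.lower())
        if service.lower() != "dynamodb":
            findings.append(f"{action}: no dynamodb: prefix")
        elif forms is None:
            findings.append(f"{action}: not an operation in the table")
        elif "*" not in resources and not any(
                SHAPES[f].fullmatch(r) for f in forms for r in resources):
            findings.append(f"{action}: needs a {' or '.join(forms)} ARN")
    return findings


if __name__ == "__main__":
    arn = "arn:aws:dynamodb:us-west-2:123456789012:table/Books"  # constructed
    print(lint_statement({"Effect": "Allow", "Resource": arn,
                          "Action": ["dynamodb:GetItem", "dynamodb:GetRecords"]}))
```

A statement whose Resource is the bare `*` passes every check here because it matches all resources; flagging that as over-broad is a separate review step.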