Minimum IAM Requirements
We recommend using predefined roles for services rather than creating custom IAM policies. Predefined roles for Amazon DynamoDB are
- AmazonDynamoDBReadOnlyAccess-grants read-only access to DynamoDB resources through the AWS Management Console.
- AmazonDynamoDBFullAccess-grants full access to DynamoDB resources through the AWS Management Console.
| IAM Role | Description | |
| dynamodb:ListTables | Required for getting a list of your DynamoDB tables. Used during metadata retrieval to dynamically determine the list of your tables. Note that this action does not support resource-level permissions and requires you to choose All resources (hence the * for "Resource"). In other words, the action dynamodb:ListTables needs a * Resource, and the other actions can be given permission to all the tables arn:aws:dynamodb:us-east-1:987654321098:table/* or to a list of specific tables:
"Resource": [
"arn:aws:dynamodb:us-east-1:987654321098:table/Customers",
"arn:aws:dynamodb:us-east-1:987654321098:table/Orders"
] | |
| dynamodb:DescribeTable | Required for getting metadata about the selected table. Used during table metadata retrieval to dynamically determine the list of the columns. This action supports resource-level permissions, so you can specify the tables you want to get the metadata from. For example, for the table Customers and Orders in the region Northern Virginia us-east-1, for account 987654321098:
{
"Effect": "Allow",
"Action": [
"dynamodb:DescribeTable"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:987654321098:table/Customers",
"arn:aws:dynamodb:us-east-1:987654321098:table/Orders"
]
}
To give permissions to all the tables in the region you specified in the connection property AWSRegion, use an * instead of the table name: "Resource": "arn:aws:dynamodb:us-east-1:987654321098:table/*" | |
| dynamodb:Scan | Required for getting one or more items by accessing every item in the table. Used for most of the SELECT queries, for example, SELECT * FROM [Customers]. This action supports resource-level permissions, so you can specify the tables you want to get data from, similar to dynamodb:DescribeTable. | |
| dynamodb:PartiQLSelect | Required for getting specific items from a table when using SELECT queries and filtering by the primary key column, for example, SELECT * FROM [Customers] WHERE id=1234. This action supports resource-level permissions, so you can specify the tables you want to get data from, similar to dynamodb:DescribeTable. | |
| dynamodb:PartiQLInsert | Required for inserting data to a table. This action supports resource-level permissions, so you can specify the tables you want to insert data to, similar to dynamodb:DescribeTable. | |
| dynamodb:PartiQLUpdate | Required for modifying data in a table. This action supports resource-level permissions, so you can specify the tables you want to modify data on, similar to dynamodb:DescribeTable. | |
| dynamodb:PartiQLDelete | Required for deleting data from a table. This action supports resource-level permissions, so you can specify the tables you want to delete data from, similar to dynamodb:DescribeTable. | |
| dynamodb:CreateTable | Required for creating a table. This action supports resource-level permissions, so you can specify the table names you can create. |