Using IAM with DynamoDB global tables

When you create a global table for the first time, Amazon DynamoDB automatically creates an AWS Identity and Access Management (IAM) service-linked role for you. This role is named AWSServiceRoleForDynamoDBReplication, and it allows DynamoDB to manage cross-Region replication for global tables on your behalf. Don't delete this service-linked role. If you do, all of your global tables will no longer function.

For more information about service-linked roles, see Using service-linked roles in the IAM User Guide.

To create replica tables in DynamoDB, you must have the following permissions in the source Region.

  • dynamodb:UpdateTable

To create replica tables in DynamoDB, you must have the following permissions in the destination Regions.

  • dynamodb:CreateTable

  • dynamodb:CreateTableReplica

  • dynamodb:Scan

  • dynamodb:Query

  • dynamodb:UpdateItem

  • dynamodb:PutItem

  • dynamodb:GetItem

  • dynamodb:DeleteItem

  • dynamodb:BatchWriteItem

To delete replica tables in DynamoDB, you must have the following permissions in the destination Regions.

  • dynamodb:DeleteTable

  • dynamodb:DeleteTableReplica

To update the replica auto scaling policy through UpdateTableReplicaAutoScaling, you must have the following permissions in all Regions where table replicas exist.

  • application-autoscaling:DeleteScalingPolicy

  • application-autoscaling:DeleteScheduledAction

  • application-autoscaling:DeregisterScalableTarget

  • application-autoscaling:DescribeScalableTargets

  • application-autoscaling:DescribeScalingActivities

  • application-autoscaling:DescribeScalingPolicies

  • application-autoscaling:DescribeScheduledActions

  • application-autoscaling:PutScalingPolicy

  • application-autoscaling:PutScheduledAction

  • application-autoscaling:RegisterScalableTarget

To use UpdateTimeToLive, you must have permission for dynamodb:UpdateTimeToLive in all Regions where table replicas exist.

Example: Add replica

The following IAM policy grants permissions to allow you to add replicas to a global table.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "dynamodb:CreateTable",
                "dynamodb:DescribeTable",
                "dynamodb:UpdateTable",
                "dynamodb:CreateTableReplica",
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*"
        }
    ]
}

Example: Update AutoScaling policy

The following IAM policy grants permissions to allow you to update the replica auto scaling policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:RegisterScalableTarget",
                "application-autoscaling:DeleteScheduledAction",
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:DescribeScalingActivities",
                "application-autoscaling:DescribeScalingPolicies",
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:DescribeScheduledActions",
                "application-autoscaling:DeleteScalingPolicy",
                "application-autoscaling:PutScheduledAction",
                "application-autoscaling:DeregisterScalableTarget"
            ],
            "Resource": "*"
        }
    ]
}

Example: Allow replica creation for a specific table name and Regions

The following IAM policy grants permissions to allow table and replica creation for the Customers table with replicas in three Regions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "dynamodb:CreateTable",
                "dynamodb:DescribeTable",
                "dynamodb:UpdateTable"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-east-1:123456789012:table/Customers",
                "arn:aws:dynamodb:us-west-1:123456789012:table/Customers",
                "arn:aws:dynamodb:eu-east-2:123456789012:table/Customers"
            ]
        }
    ]
}
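
The following check is an added example, not part of the AWS documentation: it compares a policy document against the permission lists on this page and reports which listed actions the document does not grant, and which Allow statements use "Resource": "*". The function names and operation keys are hypothetical, chosen for this example.

```python
import fnmatch
import json

# Required actions per operation, copied from the permission lists on this page.
# The dictionary keys are hypothetical labels for this example.
REQUIRED = {
    "create_replica_source": ["dynamodb:UpdateTable"],
    "create_replica_destination": [
        "dynamodb:CreateTable", "dynamodb:CreateTableReplica", "dynamodb:Scan",
        "dynamodb:Query", "dynamodb:UpdateItem", "dynamodb:PutItem",
        "dynamodb:GetItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem",
    ],
    "delete_replica_destination": ["dynamodb:DeleteTable", "dynamodb:DeleteTableReplica"],
}

def as_list(value):
    """IAM accepts a single string/object wherever a list is accepted."""
    return value if isinstance(value, list) else [value]

def audit(policy, operation):
    """Return (missing_actions, sids_of_allow_statements_with_resource_star).

    Only Allow statements with an Action element are read. Deny, NotAction,
    Condition, SCPs and permissions boundaries are not evaluated, so an empty
    'missing' list means "granted by this document", not "effective in the account".
    """
    patterns, wildcard_sids = [], []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        # IAM action names are case-insensitive and may contain * and ? wildcards.
        patterns += [a.lower() for a in as_list(stmt["Action"])]
        if "*" in as_list(stmt.get("Resource", [])):
            wildcard_sids.append(stmt.get("Sid", "<no Sid>"))
    missing = [
        action for action in REQUIRED[operation]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)
    ]
    return missing, wildcard_sids

# The page's "Add replica" example policy, embedded so the check runs offline.
ADD_REPLICA_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
 "Action": ["dynamodb:CreateTable", "dynamodb:DescribeTable", "dynamodb:UpdateTable",
            "dynamodb:CreateTableReplica", "iam:CreateServiceLinkedRole"],
 "Resource": "*"}]}
""")

if __name__ == "__main__":
    for op in REQUIRED:
        missing, wildcard = audit(ADD_REPLICA_POLICY, op)
        print(f"{op}: missing={missing} resource-star-in={wildcard}")
```

Run it against a policy before attaching it to a principal; a statement reported under resource-star-in can be narrowed to table ARNs in the style of the Customers example.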
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.