When you create a global table for the first time, Amazon DynamoDB automatically creates an
AWS Identity and Access Management (IAM) service-linked role for you. This role is named
AWSServiceRoleForDynamoDBReplication
For more information about service-linked roles, see Using service-linked roles in the IAM User Guide.
To create replica tables in DynamoDB, you must have the following permissions in the source region.
-
dynamodb:UpdateTable
To create replica tables in DynamoDB, you must have the following permissions in destination regions.
-
dynamodb:CreateTable
-
dynamodb:CreateTableReplica
-
dynamodb:Scan
-
dynamodb:Query
-
dynamodb:UpdateItem
-
dynamodb:PutItem
-
dynamodb:GetItem
-
dynamodb:DeleteItem
-
dynamodb:BatchWriteItem
To delete replica tables in DynamoDB, you must have the following permissions in the destination regions.
-
dynamodb:DeleteTable
-
dynamodb:DeleteTableReplica
To update replica auto scaling policy through
UpdateTableReplicaAutoScaling
, you must have the following permissions
in all Regions where table replicas exist
-
application-autoscaling:DeleteScalingPolicy
-
application-autoscaling:DeleteScheduledAction
-
application-autoscaling:DeregisterScalableTarget
-
application-autoscaling:DescribeScalableTargets
-
application-autoscaling:DescribeScalingActivities
-
application-autoscaling:DescribeScalingPolicies
-
application-autoscaling:DescribeScheduledActions
-
application-autoscaling:PutScalingPolicy
-
application-autoscaling:PutScheduledAction
-
application-autoscaling:RegisterScalableTarget
To use UpdateTimeToLive
you must have permission for
dynamodb:UpdateTimeToLive
in all Regions where table replicas
exist.
Example: Add replica
The following IAM policy grants permissions to allow you to add replicas to a global table.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"dynamodb:CreateTable",
"dynamodb:DescribeTable",
"dynamodb:UpdateTable",
"dynamodb:CreateTableReplica",
"iam:CreateServiceLinkedRole"
],
"Resource": "*"
}
]
}
Example: Update AutoScaling policy
The following IAM policy grants permissions to allow you to update replica auto scaling policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"application-autoscaling:RegisterScalableTarget",
"application-autoscaling:DeleteScheduledAction",
"application-autoscaling:DescribeScalableTargets",
"application-autoscaling:DescribeScalingActivities",
"application-autoscaling:DescribeScalingPolicies",
"application-autoscaling:PutScalingPolicy",
"application-autoscaling:DescribeScheduledActions",
"application-autoscaling:DeleteScalingPolicy",
"application-autoscaling:PutScheduledAction",
"application-autoscaling:DeregisterScalableTarget"
],
"Resource": "*"
}
]
}
Example: Allow replica creations
for a specific table name and regions
The following IAM policy grants permissions to allow table and replica creation for
Customers
table with replicas in three Regions.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"dynamodb:CreateTable",
"dynamodb:DescribeTable",
"dynamodb:UpdateTable"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:123456789012:table/Customers",
"arn:aws:dynamodb:us-west-1:123456789012:table/Customers",
"arn:aws:dynamodb:eu-east-2:123456789012:table/Customers"
]
}
]
}