Using IAM with DynamoDB global tables

When you create a global table for the first time, Amazon DynamoDB automatically creates an AWS Identity and Access Management (IAM) service-linked role for you. This role is named AWSServiceRoleForDynamoDBReplication, and it allows DynamoDB to manage cross-Region replication for global tables on your behalf. Don't delete this service-linked role. If you do, all of your global tables will no longer function.

For more information about service-linked roles, see Using service-linked roles in the IAM User Guide.

To create replica tables in DynamoDB, you must have the following permissions in the source region.

To create replica tables in DynamoDB, you must have the following permissions in destination regions.

To delete replica tables in DynamoDB, you must have the following permissions in the destination regions.

To update replica auto scaling policy through UpdateTableReplicaAutoScaling, you must have the following permissions in all Regions where table replicas exist

To use UpdateTimeToLive you must have permission for dynamodb:UpdateTimeToLive in all Regions where table replicas exist.

Example: Add replica

The following IAM policy grants permissions to allow you to add replicas to a global table.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "dynamodb:CreateTable",
                "dynamodb:DescribeTable",
                "dynamodb:UpdateTable",
                "dynamodb:CreateTableReplica",
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*"
        }
    ]
}

Example: Update AutoScaling policy

The following IAM policy grants permissions to allow you to update replica auto scaling policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:RegisterScalableTarget",
                "application-autoscaling:DeleteScheduledAction",
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:DescribeScalingActivities",
                "application-autoscaling:DescribeScalingPolicies",
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:DescribeScheduledActions",
                "application-autoscaling:DeleteScalingPolicy",
                "application-autoscaling:PutScheduledAction",
                "application-autoscaling:DeregisterScalableTarget"
            ],
            "Resource": "*"
        }
    ]
}

Example: Allow replica creations for a specific table name and regions

The following IAM policy grants permissions to allow table and replica creation for Customers table with replicas in three Regions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "dynamodb:CreateTable",
                "dynamodb:DescribeTable",                
                "dynamodb:UpdateTable"
            ],
            
            "Resource": [
                "arn:aws:dynamodb:us-east-1:123456789012:table/Customers",
                "arn:aws:dynamodb:us-west-1:123456789012:table/Customers",
                "arn:aws:dynamodb:eu-east-2:123456789012:table/Customers"
            ]
        }
    ]
}