
Using ABAC with DynamoDB tables and indexes


The following steps show how to set up permissions using ABAC. In this example scenario, you'll add tags to a DynamoDB table and create an IAM role with a policy that includes tag-based conditions. Then, you'll test the allowed permissions on the DynamoDB table by matching the tag conditions.

Step 1: Add tags to a DynamoDB table

You can add tags to new or existing DynamoDB tables using the AWS Management Console, AWS API, AWS Command Line Interface (AWS CLI), AWS SDK, or AWS CloudFormation. For example, the following tag-resource CLI command adds a tag to a table named MusicTable.

aws dynamodb tag-resource --resource-arn arn:aws:dynamodb:us-east-1:123456789012:table/MusicTable --tags Key=environment,Value=staging

Step 2: Create an IAM role with a policy including tag-based conditions

Create an IAM policy using the aws:ResourceTag/tag-key condition key to compare the tag key-value pair that's specified in the IAM policy with the key-value pair that's attached to the table. The following example policy allows users to put or update items in tables if these tables contain the tag key-value pair: "environment": "staging". If a table doesn't have the specified tag key-value pair, these actions are denied.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:PutItem",
                "dynamodb:UpdateItem"
            ],
            "Resource": "arn:aws:dynamodb:*:*:table/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/environment": "staging"
                }
            }
        }
    ]
}

Step 3: Test allowed permissions

  1. Attach the IAM policy to a test user or role in your AWS account. Make sure that the IAM principal you use doesn’t already have access to the DynamoDB table through a different policy.

  2. Make sure that your DynamoDB table contains the "environment" tag key with a value of "staging".

  3. Perform the dynamodb:PutItem and dynamodb:UpdateItem actions on the tagged table. These actions should succeed if the "environment": "staging" tag key-value pair is present.

    If you perform these actions on a table that doesn’t have the "environment": "staging" tag key-value pair, your request will fail with an AccessDeniedException.
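To see why Step 3 behaves as described, the following added Python example (not AWS code and not part of this page) simulates how the Step 2 policy's aws:ResourceTag/environment StringEquals condition gates PutItem and UpdateItem for tables carrying different tags. The evaluator, the MUSIC_TABLE_ARN constant and its account id are constructed assumptions; it models only the operators this policy uses, not IAM's full evaluation logic.

```python
import fnmatch

# The Step 2 policy, transcribed as a Python dict (same content as on the page).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem"],
        "Resource": "arn:aws:dynamodb:*:*:table/*",
        "Condition": {"StringEquals": {"aws:ResourceTag/environment": "staging"}},
    }],
}

# Constructed sample table ARN; the account id is a placeholder.
MUSIC_TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/MusicTable"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, resource_tags):
    """Evaluate StringEquals on aws:ResourceTag/<key>; anything else is rejected as unmodeled."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modeled")
        for cond_key, expected in pairs.items():
            if not cond_key.startswith("aws:ResourceTag/"):
                raise NotImplementedError(f"condition key {cond_key} not modeled")
            tag_key = cond_key[len("aws:ResourceTag/"):]
            # A missing tag or a different value fails StringEquals, so the
            # statement does not apply and the request stays implicitly denied.
            if resource_tags.get(tag_key) != expected:
                return False
    return True


def evaluate(policy, action, resource_arn, resource_tags):
    """Return 'Allow' or 'Deny'; no matching statement is an implicit deny, a matching Deny wins."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        # IAM '*' wildcards are approximated with fnmatch here (simplification).
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

The last two checks mirror Step 3: a table without the environment=staging tag, or an action the policy never lists, ends in a deny, which is what surfaces as AccessDeniedException against the real service.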

You can also review the other sample use cases described in the following section to implement ABAC and perform more tests.

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.