# Using resource-based policies for DynamoDB
DynamoDB supports resource-based policies for tables, indexes, and streams. Resource-based policies let you define access permissions by specifying who has access to each resource, and the actions they are allowed to perform on each resource.
You can attach a resource-based policy to DynamoDB resources, such as a table or a stream. In this policy, you specify permissions for Identity and Access Management (IAM) [principals](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) that can perform specific actions on these DynamoDB resources. For example, the policy attached to a table will contain permissions for access to the table and its indexes. As a result, resource-based policies can help you simplify access control for your DynamoDB tables, indexes, and streams, by defining permissions at the resource level. The maximum size of a policy you can attach to a DynamoDB resource is 20 KB.
A significant benefit of using resource-based policies is to simplify cross-account access control for providing cross-account access to IAM principals in different AWS accounts. For more information, see [Resource-based policy for cross-account access](rbac-examples.md#rbac-examples-cross-account).
Resource-based policies also support integrations with [IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html) external access analyzer and [Block Public Access (BPA)](rbac-bpa-rbp.md) capabilities. IAM Access Analyzer reports cross-account access to external entities specified in resource-based policies. It also provides visibility to help you refine permissions and conform to the least privilege principle. BPA helps you prevent public access to your DynamoDB tables, indexes, and streams, and is automatically enabled in the resource-based policies creation and modification workflows.
[](http://www.youtube.com/watch?v=https://www.youtube.com/embed/q9sBxrVgq4U?si=0cR4TJIlKvH9Wlu5)
**Topics**
+ [Create a table with a resource-based policy](rbac-create-table.md)
+ [Attach a policy to an DynamoDB existing table](rbac-attach-resource-based-policy.md)
+ [Attach a resource-based policy to a DynamoDB stream](rbac-attach-resource-policy-streams.md)
+ [Remove a resource-based policy from a DynamoDB table](rbac-delete-resource-based-policy.md)
+ [Cross-account access with resource-based policies in DynamoDB](rbac-cross-account-access.md)
+ [Blocking public access with resource-based policies in DynamoDB](rbac-bpa-rbp.md)
+ [DynamoDB API operations supported by resource-based policies](rbac-iam-actions.md)
+ [Authorization with IAM identity-based policies and DynamoDB resource-based policies](rbac-auth-iam-id-based-policies-DDB.md)
+ [DynamoDB resource-based policy examples](rbac-examples.md)
+ [DynamoDB resource-based policy considerations](rbac-considerations.md)
+ [DynamoDB resource-based policy best practices](rbac-best-practices.md)
# Create a table with a resource-based policy
You can add a resource-based policy while you create a table by using the DynamoDB console, [CreateTable](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_CreateTable.html) API, AWS CLI, [AWS SDK](rbac-attach-resource-based-policy.md#rbac-attach-policy-java-sdk), or an CloudFormation template.
## AWS CLI
The following example creates a table named *MusicCollection* using the `create-table` AWS CLI command. This command also includes the `resource-policy` parameter that adds a resource-based policy to the table. This policy allows the user *John* to perform the [RestoreTableToPointInTime](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_RestoreTableToPointInTime.html), [GetItem](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_GetItem.html), and [PutItem](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_PutItem.html) API actions on the table.
Remember to replace the *italicized* text with your resource-specific information.
```
aws dynamodb create-table \
--table-name MusicCollection \
--attribute-definitions AttributeName=Artist,AttributeType=S AttributeName=SongTitle,AttributeType=S \
--key-schema AttributeName=Artist,KeyType=HASH AttributeName=SongTitle,KeyType=RANGE \
--provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \
--resource-policy \
"{
\"Version\": \"2012-10-17\",
\"Statement\": [
{
\"Effect\": \"Allow\",
\"Principal\": {
\"AWS\": \"arn:aws:iam::123456789012:user/John\"
},
\"Action\": [
\"dynamodb:RestoreTableToPointInTime\",
\"dynamodb:GetItem\",
\"dynamodb:DescribeTable\"
],
\"Resource\": \"arn:aws:dynamodb:us-west-2:123456789012:table/MusicCollection\"
}
]
}"
```
## AWS Management Console
1. Sign in to the AWS Management Console and open the DynamoDB console at [https://console.aws.amazon.com/dynamodb/](https://console.aws.amazon.com/dynamodb/).
1. On the dashboard, choose **Create table**.
1. In **Table details**, enter the table name, partition key, and sort key details.
1. In **Table settings**, choose **Customize settings**.
1. (Optional) Specify your options for **Table class**, **Capacity calculator**, **Read/write capacity settings**, **Secondary indexes**, **Encryption at rest**, and **Deletion protection**.
1. In **Resource-based policy**, add a policy to define the access permissions for the table and its indexes. In this policy, you specify who has access to these resources, and the actions they are allowed to perform on each resource. To add a policy, do one of the following:
+ Type or paste a JSON policy document. For details about the IAM policy language, see [Creating policies using the JSON editor](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html#access_policies_create-json-editor) in the *IAM User Guide*.
**Tip**
To see examples of resource-based policies in the Amazon DynamoDB Developer Guide, choose **Policy examples**.
+ Choose **Add new statement** to add a new statement and enter the information in the provided fields. Repeat this step for as many statements as you would like to add.
**Important**
Make sure that you resolve any security warnings, errors, or suggestions before you save your policy.
The following IAM policy example allows the user *John* to perform the [RestoreTableToPointInTime](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_RestoreTableToPointInTime.html), [GetItem](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_GetItem.html), and [PutItem](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_PutItem.html) API actions on the table *MusicCollection*.
Remember to replace the *italicized* text with your resource-specific information.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/username"
},
"Action": [
"dynamodb:RestoreTableToPointInTime",
"dynamodb:GetItem",
"dynamodb:PutItem"
],
"Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/MusicCollection"
}
]
}
```
------
1. (Optional) Choose **Preview external access** in the lower-right corner to preview how your new policy affects public and cross-account access to your resource. Before you save your policy, you can check whether it introduces new IAM Access Analyzer findings or resolves existing findings. If you don’t see an active analyzer, choose **Go to Access Analyzer** to [create an account analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#access-analyzer-enabling) in IAM Access Analyzer. For more information, see [Preview access](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-access-preview.html).
1. Choose **Create table**.
## AWS CloudFormation template
------
#### [ Using the AWS::DynamoDB::Table resource ]
The following CloudFormation template creates a table with a stream using the [AWS::DynamoDB::Table](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-table.html) resource. This template also includes resource-based policies that are attached to both the table and the stream.
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MusicCollectionTable": {
"Type": "AWS::DynamoDB::Table",
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "Artist",
"AttributeType": "S"
}
],
"KeySchema": [
{
"AttributeName": "Artist",
"KeyType": "HASH"
}
],
"BillingMode": "PROVISIONED",
"ProvisionedThroughput": {
"ReadCapacityUnits": 5,
"WriteCapacityUnits": 5
},
"StreamSpecification": {
"StreamViewType": "OLD_IMAGE",
"ResourcePolicy": {
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Principal": {
"AWS": "arn:aws:iam::111122223333:user/John"
},
"Effect": "Allow",
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator",
"dynamodb:DescribeStream"
],
"Resource": "*"
}
]
}
}
},
"TableName": "MusicCollection",
"ResourcePolicy": {
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:user/John"
]
},
"Effect": "Allow",
"Action": "dynamodb:GetItem",
"Resource": "*"
}
]
}
}
}
}
}
}
```
------
#### [ Using the AWS::DynamoDB::GlobalTable resource ]
The following CloudFormation template creates a table with the [AWS::DynamoDB::GlobalTable](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-globaltable.html) resource and attaches a resource-based policy to the table and its stream.
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"GlobalMusicCollection": {
"Type": "AWS::DynamoDB::GlobalTable",
"Properties": {
"TableName": "MusicCollection",
"AttributeDefinitions": [{
"AttributeName": "Artist",
"AttributeType": "S"
}],
"KeySchema": [{
"AttributeName": "Artist",
"KeyType": "HASH"
}],
"BillingMode": "PAY_PER_REQUEST",
"StreamSpecification": {
"StreamViewType": "NEW_AND_OLD_IMAGES"
},
"Replicas": [
{
"Region": "us-east-1",
"ResourcePolicy": {
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [{
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:user/John"
]
},
"Effect": "Allow",
"Action": "dynamodb:GetItem",
"Resource": "*"
}]
}
},
"ReplicaStreamSpecification": {
"ResourcePolicy": {
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [{
"Principal": {
"AWS": "arn:aws:iam::111122223333:user/John"
},
"Effect": "Allow",
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator",
"dynamodb:DescribeStream"
],
"Resource": "*"
}]
}
}
}
}
]
}
}
}
}
```
------
# Attach a policy to an DynamoDB existing table
You can attach a resource-based policy to an existing table or modify an existing policy by using the DynamoDB console, [PutResourcePolicy](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_PutResourcePolicy.html) API, the AWS CLI, AWS SDK, or an [CloudFormation template](rbac-create-table.md#rbac-create-table-cfn).
## AWS CLI example to attach a new policy
The following IAM policy example uses the `put-resource-policy` AWS CLI command to attach a resource-based policy to an existing table. This example allows the user *John* to perform the [GetItem](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_GetItem.html), [PutItem](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_PutItem.html), [UpdateItem](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_UpdateItem.html), and [UpdateTable](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_UpdateTable.html) API actions on an existing table named *MusicCollection*.
Remember to replace the *italicized* text with your resource-specific information.
```
aws dynamodb put-resource-policy \
--resource-arn arn:aws:dynamodb:us-west-2:123456789012:table/MusicCollection \
--policy \
"{
\"Version\": \"2012-10-17\",
\"Statement\": [
{
\"Effect\": \"Allow\",
\"Principal\": {
\"AWS\": \"arn:aws:iam::111122223333:user/John\"
},
\"Action\": [
\"dynamodb:GetItem\",
\"dynamodb:PutItem\",
\"dynamodb:UpdateItem\",
\"dynamodb:UpdateTable\"
],
\"Resource\": \"arn:aws:dynamodb:us-west-2:123456789012:table/MusicCollection\"
}
]
}"
```
## AWS CLI example to conditionally update an existing policy
To conditionally update an existing resource-based policy of a table, you can use the optional `expected-revision-id` parameter. The following example will only update the policy if it exists in DynamoDB and its current revision ID matches the provided `expected-revision-id` parameter.
```
aws dynamodb put-resource-policy \
--resource-arn arn:aws:dynamodb:us-west-2:123456789012:table/MusicCollection \
--expected-revision-id 1709841168699 \
--policy \
"{
\"Version\": \"2012-10-17\",
\"Statement\": [
{
\"Effect\": \"Allow\",
\"Principal\": {
\"AWS\": \"arn:aws:iam::111122223333:user/John\"
},
\"Action\": [
\"dynamodb:GetItem\",
\"dynamodb:UpdateItem\",
\"dynamodb:UpdateTable\"
],
\"Resource\": \"arn:aws:dynamodb:us-west-2:123456789012:table/MusicCollection\"
}
]
}"
```
## AWS Management Console
1. Sign in to the AWS Management Console and open the DynamoDB console at [https://console.aws.amazon.com/dynamodb/](https://console.aws.amazon.com/dynamodb/).
1. From the dashboard, choose an existing table.
1. Navigate to the **Permissions** tab, and choose **Create table policy**.
1. In the resource-based policy editor, add the policy you would like to attach and choose **Create policy**.
The following IAM policy example allows the user *John* to perform the [GetItem](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_GetItem.html), [PutItem](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_PutItem.html), [UpdateItem](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_UpdateItem.html), and [UpdateTable](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_UpdateTable.html) API actions on an existing table named *MusicCollection*.
Remember to replace the *italicized* text with your resource-specific information.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:user/username"
},
"Action": [
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:UpdateTable"
],
"Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/MusicCollection"
}
]
}
```
------
## AWS SDK for Java 2.x
The following IAM policy example uses the `putResourcePolicy` method to attach a resource-based policy to an existing table. This policy allows a user to perform the [GetItem](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_GetItem.html) API action on an existing table.
```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.dynamodb.DynamoDbClient;
import software.amazon.awssdk.services.dynamodb.model.DynamoDbException;
import software.amazon.awssdk.services.dynamodb.model.PutResourcePolicyRequest;
/**
* Before running this Java V2 code example, set up your development
* environment, including your credentials.
*
* For more information, see the following documentation topic:
*
* [Get started with the AWS SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html)
*/
public class PutResourcePolicy {
public static void main(String[] args) {
final String usage = """
Usage:
Where:
tableArn - The Amazon DynamoDB table ARN to attach the policy to. For example, arn:aws:dynamodb:us-west-2:123456789012:table/MusicCollection.
allowedAWSPrincipal - Allowed AWS principal ARN that the example policy will give access to. For example, arn:aws:iam::123456789012:user/John.
""";
if (args.length != 2) {
System.out.println(usage);
System.exit(1);
}
String tableArn = args[0];
String allowedAWSPrincipal = args[1];
System.out.println("Attaching a resource-based policy to the Amazon DynamoDB table with ARN " +
tableArn);
Region region = Region.US_WEST_2;
DynamoDbClient ddb = DynamoDbClient.builder()
.region(region)
.build();
String result = putResourcePolicy(ddb, tableArn, allowedAWSPrincipal);
System.out.println("Revision ID for the attached policy is " + result);
ddb.close();
}
public static String putResourcePolicy(DynamoDbClient ddb, String tableArn, String allowedAWSPrincipal) {
String policy = generatePolicy(tableArn, allowedAWSPrincipal);
PutResourcePolicyRequest request = PutResourcePolicyRequest.builder()
.policy(policy)
.resourceArn(tableArn)
.build();
try {
return ddb.putResourcePolicy(request).revisionId();
} catch (DynamoDbException e) {
System.err.println(e.getMessage());
System.exit(1);
}
return "";
}
private static String generatePolicy(String tableArn, String allowedAWSPrincipal) {
return "{\n" +
" \"Version\": \"2012-10-17\",\n" +,
" \"Statement\": [\n" +
" {\n" +
" \"Effect\": \"Allow\",\n" +
" \"Principal\": {\"AWS\":\"" + allowedAWSPrincipal + "\"},\n" +
" \"Action\": [\n" +
" \"dynamodb:GetItem\"\n" +
" ],\n" +
" \"Resource\": \"" + tableArn + "\"\n" +
" }\n" +
" ]\n" +
"}";
}
}
```
# Attach a resource-based policy to a DynamoDB stream
You can attach a resource-based policy to an existing table's stream or modify an existing policy by using the DynamoDB console, [PutResourcePolicy](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_PutResourcePolicy.html) API, the AWS CLI, AWS SDK, or an [CloudFormation template](rbac-create-table.md#rbac-create-table-cfn).
**Note**
You can't attach a policy to a stream while creating it using the [CreateTable](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_CreateTable.html) or [UpdateTable](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_UpdateTable.html) APIs. However, you can modify or delete a policy after a table is deleted. You can also modify or delete the policy of a disabled stream.
## AWS CLI
The following IAM policy example uses the `put-resource-policy` AWS CLI command to attach a resource-based policy to the stream of a table named *MusicCollection*. This example allows the user *John* to perform the [GetRecords](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_streams_GetRecords.html), [GetShardIterator](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_streams_GetShardIterator.html), and [DescribeStream](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_streams_DescribeStream.html) API actions on the stream.
Remember to replace the *italicized* text with your resource-specific information.
```
aws dynamodb put-resource-policy \
--resource-arn arn:aws:dynamodb:us-west-2:123456789012:table/MusicCollection/stream/2024-02-12T18:57:26.492 \
--policy \
"{
\"Version\": \"2012-10-17\",
\"Statement\": [
{
\"Effect\": \"Allow\",
\"Principal\": {
\"AWS\": \"arn:aws:iam::111122223333:user/John\"
},
\"Action\": [
\"dynamodb:GetRecords\",
\"dynamodb:GetShardIterator\",
\"dynamodb:DescribeStream\"
],
\"Resource\": \"arn:aws:dynamodb:us-west-2:123456789012:table/MusicCollection/stream/2024-02-12T18:57:26.492\"
}
]
}"
```
## AWS Management Console
1. Sign in to the AWS Management Console and open the DynamoDB console at [https://console.aws.amazon.com/dynamodb/](https://console.aws.amazon.com/dynamodb/).
1. On the DynamoDB console dashboard, choose **Tables** and then select an existing table.
Make sure the table you select has streams turned on. For information about turning on streams for a table, see [Enabling a stream](Streams.md#Streams.Enabling).
1. Choose the **Permissions** tab.
1. In **Resource-based policy for active stream**, choose **Create stream policy**.
1. In the **Resource-based policy** editor, add a policy to define the access permissions for the stream. In this policy, you specify who has access to the stream and the actions they are allowed to perform on the stream. To add a policy, do one of the following:
+ Type or paste a JSON policy document. For details about the IAM policy language, see [Creating policies using the JSON editor](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html#access_policies_create-json-editor) in the *IAM User Guide*.
**Tip**
To see examples of resource-based policies in the Amazon DynamoDB Developer Guide, choose **Policy examples**.
+ Choose **Add new statement** to add a new statement and enter the information in the provided fields. Repeat this step for as many statements as you would like to add.
**Important**
Make sure that you resolve any security warnings, errors, or suggestions before you save your policy.
1. (Optional) Choose **Preview external access** in the lower-right corner to preview how your new policy affects public and cross-account access to your resource. Before you save your policy, you can check whether it introduces new IAM Access Analyzer findings or resolves existing findings. If you don’t see an active analyzer, choose **Go to Access Analyzer** to [create an account analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#access-analyzer-enabling) in IAM Access Analyzer. For more information, see [Preview access](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-access-preview.html).
1. Choose **Create policy**.
The following IAM policy example attaches a resource-based policy to the stream of a table named *MusicCollection*. This example allows the user *John* to perform the [GetRecords](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_streams_GetRecords.html), [GetShardIterator](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_streams_GetShardIterator.html), and [DescribeStream](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_streams_DescribeStream.html) API actions on the stream.
Remember to replace the *italicized* text with your resource-specific information.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:user/username"
},
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator",
"dynamodb:DescribeStream"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:123456789012:table/MusicCollection/stream/2024-02-12T18:57:26.492"
]
}
]
}
```
------
# Remove a resource-based policy from a DynamoDB table
You can delete a resource-based policy from an existing table by using the DynamoDB console, [DeleteResourcePolicy](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_DeleteResourcePolicy.html) API, the AWS CLI, AWS SDK, or an CloudFormation template.
## AWS CLI
The following example uses the `delete-resource-policy` AWS CLI command to remove a resource-based policy from a table named *MusicCollection*.
Remember to replace the *italicized* text with your resource-specific information.
```
aws dynamodb delete-resource-policy \
--resource-arn arn:aws:dynamodb:us-west-2:123456789012:table/MusicCollection
```
## AWS Management Console
1. Sign in to the AWS Management Console and open the DynamoDB console at [https://console.aws.amazon.com/dynamodb/](https://console.aws.amazon.com/dynamodb/).
1. On the DynamoDB console dashboard, choose **Tables** and then select an existing table.
1. Choose **Permissions**.
1. From the **Manage policy** dropdown, choose **Delete policy**.
1. In the **Delete resource-based policy for table** dialog box, type **confirm** to confirm the delete action.
1. Choose **Delete**.
# Cross-account access with resource-based policies in DynamoDB
Using a resource-based policy, you can provide cross-account access to resources available in different AWS accounts. All cross-account access allowed by the resource-based policies will be reported through IAM Access Analyzer external access findings if you have an analyzer in the same AWS Region as the resource. IAM Access Analyzer runs policy checks to validate your policy against IAM [policy grammar](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html) and [best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html). These checks generate findings and provide actionable recommendations to help you author policies that are functional and conform to security best practices. You can view the active findings from IAM Access Analyzer in the **Permissions** tab of the [DynamoDB console](https://console.aws.amazon.com/dynamodb/).
For information about validating policies by using IAM Access Analyzer, see [IAM Access Analyzer policy validation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*. To view a list of the warnings, errors, and suggestions that are returned by IAM Access Analyzer, see [IAM Access Analyzer policy check reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html).
To grant [GetItem](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_GetItem.html) permission to a user A in account A for accessing a table B in account B, perform the following steps:
1. Attach a resource-based policy to table B that grants permission to user A for performing the `GetItem` action.
1. Attach an identity-based policy to user A that grants it permission to perform the `GetItem` action on table B.
Using the **Preview external access** option available in [DynamoDB console](https://console.aws.amazon.com/dynamodb/), you can preview how your new policy affects public and cross-account access to your resource. Before you save your policy, you can check whether it introduces new IAM Access Analyzer findings or resolves existing findings. If you don’t see an active analyzer, choose **Go to Access Analyzer** to [create an account analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#access-analyzer-enabling) in IAM Access Analyzer. For more information, see [Preview access](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-access-preview.html).
The table name parameter in the DynamoDB data plane and control plane APIs accept complete Amazon Resource Name (ARN) of the table to support cross-account operations. If you only provide the table name parameter instead of a complete ARN, the API operation will be performed on the table in the account to which the requestor belongs. For an example of a policy that uses cross-account access, see [Resource-based policy for cross-account access](rbac-examples.md#rbac-examples-cross-account).
The resource owner’s account will be charged even when a principal from another account is reading from or writing to the DynamoDB table in the owner’s account. If the table has provisioned throughput, the sum of all the requests from the owner accounts and the requestors in other accounts will determine if the request will be throttled (if autoscaling is disabled) or scaled up/down if autoscaling is enabled.
The requests will be logged in the CloudTrail logs of both the owner and the requestor accounts so that each of the two accounts can track which account accessed what data.
## Share access with cross-account AWS Lambda functions
**Lambda functions in account A**
1. Go to the [IAM console](https://console.aws.amazon.com/iam/) to create an IAM role that will be used as the [ Lambda execution role](https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html) for your AWS Lambda function in account A. Add the managed IAM policy `AWSLambdaDynamoDBExecutionRole` which has the required DynamoDB Streams and Lambda invocation permissions. This policy also grants access to all potential DynamoDB Streams resources you may have access to in account A.
1. In the [ Lambda console](https://console.aws.amazon.com/lambda/), create an AWS Lambda function to process records in a DynamoDB stream and during the setup for the execution role, choose the role you created in the previous step.
1. Provide the Lambda function execution role to the DynamoDB Streams' owner of account B to configure the resource-based policy for cross-account read access.
1. Finish setting up the Lambda function.
**DynamoDB Stream in Account B**
1. Get the cross-account Lambda execution role from account A that will invoke the Lambda function.
1. On the Amazon DynamoDB console in account B, choose the table for Lambda cross-account trigger. Under the **Exports and streams** tab, locate your DynamoDB stream ARN. Ensure that DynamoDB Stream status is On and note the full stream ARN as you will need it for the resource policy.
1. Under the **Permissions** tab, click the **create stream policy** button to start the visual policy editor. Click the **Add new statement** button or edit the policy if one already exists.
1. Create a policy that specifies the Lambda execution role in account A as the principal, and grant the required DynamoDB Streams actions. Make sure to include the actions `dynamodb:DescribeStream`, `dynamodb:GetRecords`, and `dynamodb:GetShardIterator`. For more information about example resource policies for DynamoDB Streams, see [ DynamoDB resource-based policy examples](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/rbac-examples.html).
**Note**
The cross-account access of [control plane APIs](HowItWorks.API.md#HowItWorks.API.ControlPlane) has a lower transactions per second (TPS) limit of 500 requests.
# Blocking public access with resource-based policies in DynamoDB
[Block Public Access (BPA)](#rbac-bpa-rbp) is a feature that identifies and prevents the attaching of resource-based policies that grant public access to your DynamoDB tables, indexes, or streams across your [Amazon Web Services (AWS)](https://aws.amazon.com/) accounts. With BPA, you can prevent public access to your DynamoDB resources. BPA performs checks during the creation or modification of a resource-based policy and helps improve your security posture with DynamoDB.
BPA uses [automated reasoning](https://aws.amazon.com/what-is/automated-reasoning/) to analyze the access granted by your resource-based policy and alerts you if such permissions are found at the time of administering a resource-based policy. The analysis verifies access across all resource-based policy statements, actions, and the set of condition keys used in your policies.
**Important**
BPA helps protect your resources by preventing public access from being granted through the resource-based policies that are directly attached to your DynamoDB resources, such as tables, indexes, and streams. In addition to using BPA, carefully inspect the following policies to confirm that they do not grant public access:
Identity-based policies attached to associated AWS principals (for example, IAM roles)
Resource-based policies attached to associated AWS resources (for example, AWS Key Management Service (KMS) keys)
You must ensure that the [principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) doesn't include a `*` entry or that one of the specified condition keys restrict access from principals to the resource. If the resource-based policy grants public access to your table, indexes, or stream across AWS accounts, DynamoDB will block you from creating or modifying the policy until the specification within the policy is corrected and deemed non-public.
You can make a policy non-public by specifying one or more principals inside the `Principal` block. The following resource-based policy example blocks public access by specifying two principals.
```
{
"Effect": "Allow",
"Principal": {
"AWS": [
"123456789012",
"111122223333"
]
},
"Action": "dynamodb:*",
"Resource": "*"
}
```
Policies that restrict access by specifying certain condition keys are also not considered public. Along with evaluation of the principal specified in the resource-based policy, the following [trusted condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) are used to complete the evaluation of a resource-based policy for non-public access:
+ `aws:PrincipalAccount`
+ `aws:PrincipalArn`
+ `aws:PrincipalOrgID`
+ `aws:PrincipalOrgPaths`
+ `aws:SourceAccount`
+ `aws:SourceArn`
+ `aws:SourceVpc`
+ `aws:SourceVpce`
+ `aws:UserId`
+ `aws:PrincipalServiceName`
+ `aws:PrincipalServiceNamesList`
+ `aws:PrincipalIsAWSService`
+ `aws:Ec2InstanceSourceVpc`
+ `aws:SourceOrgID`
+ `aws:SourceOrgPaths`
Additionally, for a resource-based policy to be non-public, the values for Amazon Resource Name (ARN) and string keys must not contain wildcards or variables. If your resource-based policy uses the `aws:PrincipalIsAWSService` key, you must make sure that you've set the key value to true.
The following policy limits access to the user `John` in the specified account. The condition makes the `Principal` constrained and not be considered as public.
```
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "dynamodb:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalArn": "arn:aws:iam::123456789012:user/John"
}
}
}
```
The following example of a non-public resource-based policy constrains `sourceVPC` using the `StringEquals` operator.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "dynamodb:*",
"Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/MusicCollection",
"Condition": {
"StringEquals": {
"aws:SourceVpc": [
"vpc-91237329"
]
}
}
}
]
}
```
------
# DynamoDB API operations supported by resource-based policies
This topic lists the API operations that are supported by resource-based policies. However, for cross-account access, you can only use a certain set of DynamoDB APIs through resource-based policies. You can't attach resource-based policies to resource types, such as backups and imports. The IAM actions, which correspond with the APIs operating on these resource types, are excluded from the supported IAM actions in resource-based policies. Because table administrators configure internal table settings within the same account, APIs, such as [UpdateTimeToLive](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_UpdateTimeToLive.html) and [DisableKinesisStreamingDestination](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_DisableKinesisStreamingDestination.html), don't support cross-account access through resource-based policies.
The DynamoDB data plane and control plane APIs that support cross-account access also support table name overloading, which lets you specify the table ARN instead of the table name. You can specify table ARN in the `TableName` parameter of these APIs. However, not all of these APIs support cross-account access.
**Topics**
+ [Data plane API operations](#rbac-data-plane-actions)
+ [PartiQL API operations](#rbac-partiql-actions)
+ [Control plane API operations](#rbac-control-plane-actions)
+ [Version 2019.11.21 (Current) global tables API operations](#rbac-current-global-table-actions)
+ [Version 2017.11.29 (Legacy) global tables API operations](#rbac-legacy-global-table-actions)
+ [Tags API operations](#rbac-tags-actions)
+ [Backup and Restore API operations](#rbac-backup-restore-actions)
+ [Continuous Backup/Restore (PITR) API operations](#rbac-continuous-backup-restore-actions)
+ [Contributor Insights API operations](#rbac-contributor-insights-actions)
+ [Export API operations](#rbac-export-actions)
+ [Import API operations](#rbac-import-actions)
+ [Amazon Kinesis Data Streams API operations](#rbac-kinesis-actions)
+ [Resource-based policy API operations](#rbac-rbp-actions)
+ [Time-to-Live API operations](#rbac-ttl-actions)
+ [Other API operations](#rbac-other-actions)
+ [DynamoDB Streams API operations](#rbac-ds-actions)
## Data plane API operations
The following table lists the API-level support provided by [data plane](HowItWorks.API.md#HowItWorks.API.DataPlane) API operations for resource-based policies and cross-account access.
| Data Plane - Tables/indexes APIs | Resource-based policy support | Cross-account support |
| --- | --- | --- |
| [DeleteItem](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_DeleteItem.html) | Yes | Yes |
| [GetItem](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_GetItem.html) | Yes | Yes |
| [PutItem](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_PutItem.html) | Yes | Yes |
| [Query](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Query.html) | Yes | Yes |
| [Scan](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Scan.html) | Yes | Yes |
| [UpdateItem](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_UpdateItem.html) | Yes | Yes |
| [TransactGetItems](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_TransactGetItems.html) | Yes | Yes |
| [TransactWriteItems](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_TransactWriteItems.html) | Yes | Yes |
| [BatchGetItem](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_BatchGetItem.html) | Yes | Yes |
| [BatchWriteItem](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_BatchWriteItem.html) | Yes | Yes |
## PartiQL API operations
The following table lists the API-level support provided by [PartiQL](HowItWorks.API.md#HowItWorks.API.DataPlane.partiql) API operations for resource-based policies and cross-account access.
| PartiQL APIs | Resource-based policy support | Cross-account support |
| --- | --- | --- |
| [BatchExecuteStatement](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_BatchExecuteStatement.html) | Yes | No |
| [ExecuteStatement](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_ExecuteStatement.html) | Yes | No |
| [ExecuteTransaction](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_ExecuteTransaction.html) | Yes | No |
## Control plane API operations
The following table lists the API-level support provided by [control plane](HowItWorks.API.md#HowItWorks.API.ControlPlane) API operations for resource-based policies and cross-account access.
| Control Plane - Tables APIs | Resource-based policy support | Cross-account support |
| --- | --- | --- |
| [CreateTable](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_CreateTable.html) | No | No |
| [DeleteTable](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_DeleteTable.html) | Yes | Yes |
| [DescribeTable](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_DescribeTable.html) | Yes | Yes |
| [UpdateTable](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_UpdateTable.html) | Yes | Yes |
## Version 2019.11.21 (Current) global tables API operations
The following table lists the API-level support provided by [Version 2019.11.21 (Current) global tables](GlobalTables.md) API operations for resource-based policies and cross-account access.
| Version 2019.11.21 (Current) global tables APIs | Resource-based policy support | Cross-account support |
| --- | --- | --- |
| [DescribeTableReplicaAutoScaling](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_DescribeTableReplicaAutoScaling.html) | Yes | No |
| [UpdateTableReplicaAutoScaling](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_UpdateTableReplicaAutoScaling.html) | Yes | No |
## Version 2017.11.29 (Legacy) global tables API operations
The following table lists the API-level support provided by [Version 2017.11.29 (Legacy) global tables](globaltables.V1.md) API operations for resource-based policies and cross-account access.
| Version 2017.11.29 (Legacy) global tables APIs | Resource-based policy support | Cross-account support |
| --- | --- | --- |
| [CreateGlobalTable](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_CreateGlobalTable.html) | No | No |
| [DescribeGlobalTable](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_DescribeGlobalTable.html) | No | No |
| [DescribeGlobalTableSettings](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_DescribeGlobalTableSettings.html) | No | No |
| [ListGlobalTables](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_ListGlobalTables.html) | No | No |
| [UpdateGlobalTable](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_UpdateGlobalTable.html) | No | No |
| [UpdateGlobalTableSettings](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_UpdateGlobalTableSettings.html) | No | No |
## Tags API operations
The following table lists the API-level support provided by API operations related to [tags](Tagging.Operations.md) for resource-based policies and cross-account access.
| Tags APIs | Resource-based policy support | Cross-account support |
| --- | --- | --- |
| [ListTagsOfResource](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_ListTagsOfResource.html) | Yes | Yes |
| [TagResource](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_TagResource.html) | Yes | Yes |
| [UntagResource](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_UntagResource.html) | Yes | Yes |
## Backup and Restore API operations
The following table lists the API-level support provided by API operations related to [backup and restore](Backup-and-Restore.md) for resource-based policies and cross-account access.
| Backup and Restore APIs | Resource-based policy support | Cross-account support |
| --- | --- | --- |
| [CreateBackup](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_CreateBackup.html) | Yes | No |
| [DescribeBackup](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_DescribeBackup.html) | No | No |
| [DeleteBackup](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_DeleteBackup.html) | No | No |
| [RestoreTableFromBackup](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_RestoreTableFromBackup.html) | No | No |
## Continuous Backup/Restore (PITR) API operations
The following table lists the API-level support provided by API operations related to [Continuous Backup/Restore (PITR)](Point-in-time-recovery.md) for resource-based policies and cross-account access.
| Continuous Backup/Restore (PITR) APIs | Resource-based policy support | Cross-account support |
| --- | --- | --- |
| [DescribeContinuousBackups](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_DescribeContinuousBackups.html) | Yes | No |
| [RestoreTableToPointInTime](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_RestoreTableToPointInTime.html) | Yes | No |
| [UpdateContinuousBackups](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_UpdateContinuousBackups.html) | Yes | No |
## Contributor Insights API operations
The following table lists the API-level support provided by API operations related to [Continuous Backup/Restore (PITR)](Point-in-time-recovery.md) for resource-based policies and cross-account access.
| Contributor Insights APIs | Resource-based policy support | Cross-account support |
| --- | --- | --- |
| [DescribeContributorInsights](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_DescribeContributorInsights.html) | Yes | No |
| [ListContributorInsights](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_ListContributorInsights.html) | No | No |
| [UpdateContributorInsights](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_UpdateContributorInsights.html) | Yes | No |
## Export API operations
The following table lists the API-level support provided by Export API operations for resource-based policies and cross-account access.
| Export APIs | Resource-based policy support | Cross-account support |
| --- | --- | --- |
| [DescribeExport](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_DescribeExport.html) | No | No |
| [ExportTableToPointInTime](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_ExportTableToPointInTime.html) | Yes | No |
| [ListExports](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_ListExports.html) | No | No |
## Import API operations
The following table lists the API-level support provided by Import API operations for resource-based policies and cross-account access.
| Import APIs | Resource-based policy support | Cross-account support |
| --- | --- | --- |
| [DescribeImport](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_DescribeImport.html) | No | No |
| [ImportTable](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_ImportTable.html) | No | No |
| [ListImports](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_ListImports.html) | No | No |
## Amazon Kinesis Data Streams API operations
The following table lists the API-level support provided by Kinesis Data Streams API operations for resource-based policies and cross-account access.
| Kinesis APIs | Resource-based policy support | Cross-account support |
| --- | --- | --- |
| [DescribeKinesisStreamingDestination](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_DescribeKinesisStreamingDestination.html) | Yes | No |
| [DisableKinesisStreamingDestination](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_DisableKinesisStreamingDestination.html) | Yes | No |
| [EnableKinesisStreamingDestination](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_EnableKinesisStreamingDestination.html) | Yes | No |
| [UpdateKinesisStreamingDestination](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_UpdateKinesisStreamingDestination.html) | Yes | No |
## Resource-based policy API operations
The following table lists the API-level support provided by resource-based policy API operations for resource-based policies and cross-account access.
| Resource-based policy APIs | Resource-based policy support | Cross-account support |
| --- | --- | --- |
| [GetResourcePolicy](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_GetResourcePolicy.html) | Yes | No |
| [PutResourcePolicy](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_PutResourcePolicy.html) | Yes | No |
| [DeleteResourcePolicy](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_DeleteResourcePolicy.html) | Yes | No |
## Time-to-Live API operations
The following table lists the API-level support provided by [time to live](TTL.md) (TTL) API operations for resource-based policies and cross-account access.
| TTL APIs | Resource-based policy support | Cross-account support |
| --- | --- | --- |
| [DescribeTimeToLive](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_DescribeTimeToLive.html) | Yes | No |
| [UpdateTimeToLive](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_UpdateTimeToLive.html) | Yes | No |
## Other API operations
The following table lists the API-level support provided by other miscellaneous API operations for resource-based policies and cross-account access.
| Other APIs | Resource-based policy support | Cross-account support |
| --- | --- | --- |
| [DescribeLimits](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_DescribeLimits.html) | No | No |
| [DescribeEndpoints](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_DescribeEndpoints.html) | No | No |
| [ListBackups](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_ListBackups.html) | No | No |
| [ListTables](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_ListTables.html) | No | No |
## DynamoDB Streams API operations
The following table lists the API-level support of DynamoDB Streams APIs for resource-based policies and cross-account access.
| DynamoDB Streams APIs | Resource-based policy support | Cross-account support |
| --- | --- | --- |
| [DescribeStream](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_streams_DescribeStream.html) | Yes | Yes |
| [GetRecords](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_streams_GetRecords.html) | Yes | Yes |
| [GetShardIterator](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_streams_GetShardIterator.html) | Yes | Yes |
| [ListStreams](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_streams_ListStreams.html) | No | No |
# Authorization with IAM identity-based policies and DynamoDB resource-based policies
**Identity-based policies** are attached to an identity, such as IAM users, groups of users, and roles. These are IAM policy documents that control what actions an identity can perform, on which resources, and under what conditions. Identity-based policies can be [managed](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html) or [inline](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#inline-policies) policies.
**Resource-based policies** are IAM policy documents that you attach to a resource, such as a DynamoDB table. These policies grant the specified principal permission to perform specific actions on that resource and defines under what conditions this applies. For example, the resource-based policy for a DynamoDB table also includes the index associated with the table. Resource-based policies are inline policies. There are no managed resource-based policies.
For more information about these policies, see [Identity-based policies and resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html) in the *IAM User Guide*.
If the IAM principal is from the same account as the resource owner, a resource-based policy is sufficient to specify access permissions to the resource. You can still choose to have an IAM identity-based policy along with a resource-based policy. For cross-account access, you must explicitly allow access in both the identity and resource policies as specified in [Cross-account access with resource-based policies in DynamoDB](rbac-cross-account-access.md). When you use both types of policies, a policy is evaluated as described in [Determining whether a request is allowed or denied within an account](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow).
**Important**
If an identity-based policy grants unconditional access to a DynamoDB table (for example, `dynamodb:GetItem` with no conditions), a resource-based policy that allows access with conditions on `dynamodb:Attributes` won't restrict that access. The identity-based policy's unconditional allow takes precedence, and the resource-based policy's conditions are not applied as restrictions. To restrict access to specific attributes, use an explicit `Deny` statement instead of relying solely on conditional `Allow` statements in the resource-based policy.
# DynamoDB resource-based policy examples
When you specify an ARN in the `Resource` field of a resource-based policy, the policy takes effect only if the specified ARN matches the ARN of the DynamoDB resource to which it is attached.
**Note**
Remember to replace the *italicized* text with your resource-specific information.
## Resource-based policy for a table
The following resource-based policy attached to a DynamoDB table named *MusicCollection*, gives the IAM users *John* and *Jane* permission to perform [GetItem](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_GetItem.html) and [BatchGetItem](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_BatchGetItem.html) actions on the *MusicCollection* resource.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "1111",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:user/username",
"arn:aws:iam::111122223333:user/Jane"
]
},
"Action": [
"dynamodb:GetItem",
"dynamodb:BatchGetItem"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:123456789012:table/MusicCollection"
]
}
]
}
```
------
## Resource-based policy for a stream
The following resource-based policy attached to a DynamoDB stream named `2024-02-12T18:57:26.492` gives the IAM users *John* and *Jane* permission to perform [GetRecords](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_streams_GetRecords.html), [GetShardIterator](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_streams_GetShardIterator.html), and [DescribeStream](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_streams_DescribeStream.html) API actions on the `2024-02-12T18:57:26.492` resource.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "1111",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:user/username",
"arn:aws:iam::111122223333:user/Jane"
]
},
"Action": [
"dynamodb:DescribeStream",
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:123456789012:table/MusicCollection/stream/2024-02-12T18:57:26.492"
]
}
]
}
```
------
## Resource-based policy for access to perform all actions on specified resources
To allow a user to perform all actions on a table and all associated indexes with a table, you can use a wildcard (\$1) to represent the actions and the resources associated with the table. Using a wild card character for the resources, will allow the user access to the DynamoDB table and all its associated indexes, including the ones that haven’t yet been created. For example, the following policy will give the user *John* permission to perform any actions on the *MusicCollection* table and all of its indexes, including any indexes that will be created in the future.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "1111",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:user/role-name"
},
"Action": "dynamodb:*",
"Resource": [
"arn:aws:dynamodb:us-east-1:123456789012:table/MusicCollection",
"arn:aws:dynamodb:us-east-1:123456789012:table/MusicCollection/index/index-name"
]
}
]
}
```
------
## Resource-based policy for cross-account access
You can specify permissions for a cross-account IAM identity to access DynamoDB resources. For example, you might need a user from a trusted account to get access to read the contents of your table, with the condition that they access only specific items and specific attributes in those items. The following policy allows access to user *John* from a trusted AWS account ID *111111111111* to access data from a table in account *123456789012* by using the [GetItem](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_GetItem.html) API. The policy ensures that the user can access only items with a primary key *Jane* and that the user can only retrieve the attributes `Artist` and `SongTitle`, but no other attributes.
**Important**
If you do not specify the `SPECIFIC_ATTRIBUTES` condition, you'll see all attributes for the items returned.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "CrossAccountTablePolicy",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:user/John"
},
"Action": "dynamodb:GetItem",
"Resource": [
"arn:aws:dynamodb:us-west-2:123456789012:table/MusicCollection"
],
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": "Jane",
"dynamodb:Attributes": [
"Artist",
"SongTitle"
]
},
"StringEquals": {
"dynamodb:Select": "SPECIFIC_ATTRIBUTES"
}
}
}
]
}
```
------
In addition to the preceding resource-based policy, the identity-based policy attached to the user *John* also needs to allow the `GetItem` API action for the cross-account access to work. The following is an example of an identity-based policy that you must attach to the user *John*.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "CrossAccountIdentityBasedPolicy",
"Effect": "Allow",
"Action": [
"dynamodb:GetItem"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:123456789012:table/MusicCollection"
],
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": "Jane",
"dynamodb:Attributes": [
"Artist",
"SongTitle"
]
},
"StringEquals": {
"dynamodb:Select": "SPECIFIC_ATTRIBUTES"
}
}
}
]
}
```
------
The user John can make a `GetItem` request by specifying the table ARN in the `table-name` parameter for accessing the table *MusicCollection* in the account *123456789012*.
```
aws dynamodb get-item \
--table-name arn:aws:dynamodb:us-west-2:123456789012:table/MusicCollection \
--key '{"Artist": {"S": "Jane"}' \
--projection-expression 'Artist, SongTitle' \
--return-consumed-capacity TOTAL
```
## Resource-based policy with IP address conditions
You can apply a condition to restrict source IP addresses, virtual private clouds (VPCs), and VPC endpoint (VPCE). You can specify permissions based on the source addresses of the originating request. For example, you might want to allow a user to access DynamoDB resources only if they are being accessed from a specific IP source, such as a corporate VPN endpoint. Specify these IP addresses in the `Condition` statement.
The following example allows the user *John* access to any DynamoDB resource when the source IPs are `54.240.143.0/24` and `2001:DB8:1234:5678::/64`.
------
#### [ JSON ]
****
```
{
"Id":"PolicyId2",
"Version":"2012-10-17",
"Statement":[
{
"Sid":"AllowIPmix",
"Effect":"Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:user/username"
},
"Action":"dynamodb:*",
"Resource":"*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"54.240.143.0/24",
"2001:DB8:1234:5678::/64"
]
}
}
}
]
}
```
------
You can also deny all access to DynamoDB resources except when the source is a specific VPC endpoint, for example *vpce-1a2b3c4d*.
**Important**
When you use DAX with DynamoDB tables that have IP-based resource policies in IPv6-only environments, you must configure additional access rules. If your resource policy restricts access to the IPv4 address space `0.0.0.0/0` on tables, you must allow access for the IAM role associated with your DAX cluster. Add an `ArnNotEquals` condition to your policy to ensure DAX maintains access to your DynamoDB tables. For more information see, [DAX and IPv6](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAX.create-cluster.DAX_and_IPV6.html).
------
#### [ JSON ]
****
```
{
"Id":"PolicyId",
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AccessToSpecificVPCEOnly",
"Principal": "*",
"Action": "dynamodb:*",
"Effect": "Deny",
"Resource": "*",
"Condition": {
"StringNotEquals":{
"aws:sourceVpce":"vpce-1a2b3c4d"
}
}
}
]
}
```
------
## Resource-based policy using an IAM role
You can also specify an IAM service role in the resource-based policy. IAM entities that assume this role are bounded by the permissible actions specified for the role and to the specific set of resources within the resource-based policy.
The following example allows an IAM entity to perform all DynamoDB actions on the *MusicCollection* and *MusicCollection* DynamoDB resources.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "1111",
"Effect": "Allow",
"Principal": { "AWS": "arn:aws:iam::111122223333:role/role-name" },
"Action": "dynamodb:*",
"Resource": [
"arn:aws:dynamodb:us-east-1:123456789012:table/MusicCollection",
"arn:aws:dynamodb:us-east-1:123456789012:table/MusicCollection/*"
]
}
]
}
```
------
# DynamoDB resource-based policy considerations
When you define resource-based policies for your DynamoDB resources, the following considerations apply:
**General considerations**
+ The maximum size supported for a resource-based policy document is 20 KB. DynamoDB counts whitespaces when calculating the size of a policy against this limit.
+ Subsequent updates to a policy for a given resource are blocked for 15 seconds after a successful update of the policy for the same resource.
+ Currently, you can only attach a resource-based policy to existing streams. You can't attach a policy to a stream while creating it.
**Global table considerations**
+ Resource-based policies aren't supported for [Global table version 2017.11.29 (Legacy)](globaltables_HowItWorks.md) replicas.
+ Within a resource-based policy, if the action for a DynamoDB service-linked role (SLR) to replicate data for a global table is denied, adding or deleting a replica will fail with an error.
+ The [AWS::DynamoDB::GlobalTable](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-globaltable.html) resource doesn’t support creating a replica and adding a resource-based policy to that replica in the same stack update in Regions other than the Region where you deploy the stack update.
**Cross-account considerations**
+ Cross-account access using resource-based policies doesn't support encrypted tables with AWS managed keys because you can't grant cross-account access to the AWS managed KMS policy.
**CloudFormation considerations**
+ Resource-based policies don't support [drift detection](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html#). If you update a resource-based policy outside of the AWS CloudFormation stack template, you'll need to update the CloudFormation stack with the changes.
+ Resource-based policies don't support out of band changes. If you add, update, or delete a policy outside of the CloudFormation template, the change won't be overwritten if there are no changes to the policy within the template.
For example, say that your template contains a resource-based policy which you later update outside of the template. If you don't make any changes to the policy in the template, the updated policy in DynamoDB won’t be synced with the policy in the template.
Conversely, say that your template doesn’t contain a resource-based policy, but you add a policy outside of the template. This policy won’t be removed from DynamoDB as long as you don’t add it to the template. When you add a policy to the template and update the stack, the existing policy in DynamoDB will be updated to match the one defined in the template.
# DynamoDB resource-based policy best practices
This topic describes the best practices for defining access permissions for your DynamoDB resources and the actions allowed on these resources.
## Simplify access control to DynamoDB resources
If the AWS Identity and Access Management principals that need access to a DynamoDB resource are part of the same AWS account as the resource owner, an IAM identity-based policy is not required for each principal. A resource-based policy that is attached to the given resources will suffice. This type of configuration simplifies access control.
## Protect your DynamoDB resources with resource-based policies
For all DynamoDB tables and streams, create resource-based policies to enforce access control for these resources. Resource-based policies enable you to centralize permissions at the resource level, simplify access control to DynamoDB tables, indexes, and streams, and reduce administration overhead. If no resource-based policy is specified for a table or a stream, access to the table or stream will be implicitly denied, unless identity-based policies associated with the IAM principals allow access.
## Apply least-privilege permissions
When you set permissions with resource-based policies for DynamoDB resources, grant only the permissions required to perform an action. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as least-privilege permissions. You might start with broad permissions while you explore the permissions that are required for your workload or use case. As your use case matures, you can work to reduce the permissions that you grant to work toward least privilege.
## Analyze cross-account access activity for generating least-privilege policies
IAM Access Analyzer reports cross-account access to external entities specified in resource-based policies, and provides visibility to help you refine permissions and conform to least privilege. For more information about policy generation, see [IAM Access Analyzer policy generation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html).
## Use IAM Access Analyzer to generate least-privilege policies
To grant only the permissions required to perform a task, you can generate policies based on your access activity that is logged in AWS CloudTrail. IAM Access Analyzer analyzes the services and actions that your policies use.