AWS managed policies for Amazon DynamoDB
DynamoDB uses AWS managed policies to define a set of permissions the service needs to perform specific actions. DynamoDB maintains and updates its AWS managed policies. You can't change the permissions in AWS managed policies. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.
DynamoDB may occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. An AWS managed policy is most likely to be updated when a new feature is launched or when new operations become available. DynamoDB will not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.
AWS managed policy: DynamoDBReplicationServiceRolePolicy
You can’t attach the DynamoDBReplicationServiceRolePolicy
policy to your IAM entities.
This policy is attached to a service-linked
role that allows DynamoDB to perform actions on your behalf. For more information, see
Using IAM with global tables.
This policy grants permissions that allow the service-linked role to perform data replication between global table replicas. It also grants administrative permissions to manage global table replicas on your behalf.
Permissions details
This policy grants permissions to do the following:
dynamodb
– Perform data replication and manage table replicas.application-autoscaling
– Retrieve and manage table Auto Scaling settingsaccount
– Retrieve region status for evaluating replica accessibility.iam
– To create the service-linked role for application Auto Scaling in the event that the service-linked role does not already exist.
The definition of this managed policy can be found here.
AWS managed policy: AmazonDynamoDBReadOnlyAccess
You can attach the AmazonDynamoDBReadOnlyAccess
policy to your IAM identities.
This policy grants read-only access to Amazon DynamoDB.
Permissions details
This policy includes the following permissions:
-
Amazon DynamoDB
– Provides read-only access to Amazon DynamoDB. -
Amazon DynamoDB Accelerator (DAX)
– Provides read-only access to Amazon DynamoDB Accelerator (DAX). -
Application Auto Scaling
– Allows principals to view configurations from Application Auto Scaling. This is required so that users can view automatic scaling policies that are attached to a table. -
CloudWatch
– Allows principals to view metric data and alarms configured in CloudWatch. This is required so users can view the billable table size and CloudWatch alarms that have been configured for a table. -
AWS Data Pipeline
– Allows principals to view AWS Data Pipeline and associated objects. -
Amazon EC2
– Allows principals to view Amazon EC2 VPCs, subnets, and security groups. -
IAM
– Allows principals to view IAM roles. -
AWS KMS
– Allows principals to view keys configured in AWS KMS. This is required so users can view AWS KMS keys that they create and manage in their account. -
Amazon SNS
– Allows principals to list Amazon SNS topics and subscriptions by topic. -
AWS Resource Groups
– Allows principals to view resource groups and their queries. -
AWS Resource Groups Tagging
– Allows principals to list all the tagged or previously tagged resources in a Region. -
Kinesis
– Allows principals to view Kinesis data streams descriptions. -
Amazon CloudWatch Contributor Insights
– Allow principals to view time series data collected by Contributor Insights rules.
To review the policy in JSON
format, see AmazonDynamoDBReadOnlyAccess.
DynamoDB updates to AWS managed policies
This table shows updates to the AWS access management policies for DynamoDB.
Change | Description | Date Changed |
---|---|---|
AmazonDynamoDBReadOnlyAccess update to an existing policy |
AmazonDynamoDBReadOnlyAccess added the permissions: dynamodb:GetAbacStatus and dynamodb:UpdateAbacStatus . These permissions allow you to view the ABAC status and enable ABAC for your AWS account in the current Region. |
November 18, 2024 |
AmazonDynamoDBReadOnlyAccess update to an existing policy |
AmazonDynamoDBReadOnlyAccess added the permission dynamodb:GetResourcePolicy . This permission provides access to read resource-based policies attached to DynamoDB resources. |
March 20, 2024 |
DynamoDBReplicationServiceRolePolicy update to an existing policy |
DynamoDBReplicationServiceRolePolicy added the permission dynamodb:GetResourcePolicy .
This permission allows the service-linked role to read resource-based policies attached to DynamoDB resources. |
December 15, 2023 |
DynamoDBReplicationServiceRolePolicy update to an existing policy |
DynamoDBReplicationServiceRolePolicy added the permission account:ListRegions .
This permission allows the service-linked role to evaluate replica accessibility |
May 10, 2023 |
DynamoDBReplicationServiceRolePolicy added to list of managed policies |
Added information about the managed policy DynamoDBReplicationServiceRolePolicy ,
which is used
by the DynamoDB global tables service-linked role. |
May 10, 2023 |
DynamoDB global tables started tracking changes | DynamoDB global tables started tracking changes for its AWS managed policies. | May 10, 2023 |