DynamoDB API operations supported by resource-based policies - Amazon DynamoDB

This topic lists the API operations that are supported by resource-based policies. For cross-account access, however, only a subset of DynamoDB APIs can be used through resource-based policies. You can't attach resource-based policies to resource types such as backups and imports, so the IAM actions that correspond to the APIs operating on these resource types are excluded from the supported IAM actions in resource-based policies. Because table administrators configure internal table settings within the same account, APIs such as UpdateTimeToLive and DisableKinesisStreamingDestination don't support cross-account access through resource-based policies.

The DynamoDB data plane and control plane APIs that support cross-account access also support table name overloading, which lets you specify the table ARN instead of the table name. You specify the table ARN in the TableName parameter of these APIs. However, not all of these APIs support cross-account access.
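The following check is an added example, not AWS code: it lints a table's resource-based policy against the support matrix on this page and reports Allow grants to other accounts for operations that don't support cross-account access, expanding IAM wildcards such as `dynamodb:Update*`. The function names, account IDs and sample policy are constructed for illustration. Actions are matched on the API operation name after the `dynamodb:` prefix, so IAM actions whose names differ from the API names (for example the PartiQL actions) are reported as `not-listed`.

```python
import fnmatch

# "Yes / Yes" rows of the tables on this page: usable from another account.
CROSS_ACCOUNT = set("""DeleteItem GetItem PutItem Query Scan UpdateItem TransactGetItems
TransactWriteItems BatchGetItem BatchWriteItem DeleteTable DescribeTable UpdateTable
ListTagsOfResource TagResource UntagResource DescribeStream GetRecords GetShardIterator""".split())
# "Yes / No" rows: valid in a resource-based policy, but not for cross-account callers.
SAME_ACCOUNT_ONLY = set("""BatchExecuteStatement ExecuteStatement ExecuteTransaction CreateBackup
DescribeTableReplicaAutoScaling UpdateTableReplicaAutoScaling DescribeContinuousBackups
RestoreTableToPointInTime UpdateContinuousBackups DescribeContributorInsights UpdateTimeToLive
UpdateContributorInsights ExportTableToPointInTime DescribeKinesisStreamingDestination
DisableKinesisStreamingDestination EnableKinesisStreamingDestination DescribeTimeToLive
UpdateKinesisStreamingDestination GetResourcePolicy PutResourcePolicy DeleteResourcePolicy""".split())

SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [  # constructed sample, Resource omitted
    {"Sid": "Read", "Effect": "Allow", "Action": "dynamodb:GetItem", "Principal": {"AWS": "444455556666"}},
    {"Sid": "Admin", "Effect": "Allow", "Action": ["dynamodb:Update*", "dynamodb:CreateTable"],
     "Principal": {"AWS": ["arn:aws:iam::444455556666:role/partner-etl"]}},
    {"Sid": "Local", "Effect": "Allow", "Action": "dynamodb:UpdateTimeToLive",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}},
]}

def as_list(v):
    return list(v) if isinstance(v, (list, tuple)) else [v]

def principal_accounts(principal):
    """Account IDs named by a Principal element; '*' means any account."""
    arns = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
    return {a.split(":")[4] if a.startswith("arn:") else a for a in arns}

def matching(ops, action):
    pat = action.split(":", 1)[-1].lower()  # IAM action matching is case-insensitive
    return sorted(o for o in ops if fnmatch.fnmatchcase(o.lower(), pat))

def lint(policy, owner_account):
    """Yield (sid, action, operation, reason) for Allow grants that cannot work cross-account."""
    for s in as_list(policy["Statement"]):
        foreign = principal_accounts(s.get("Principal", {})) - {owner_account}
        if s.get("Effect") == "Allow" and foreign:
            for action in as_list(s.get("Action", [])):
                blocked = matching(SAME_ACCOUNT_ONLY, action)
                for op in blocked:
                    yield s.get("Sid"), action, op, "same-account-only"
                if not blocked and not matching(CROSS_ACCOUNT, action):
                    yield s.get("Sid"), action, None, "not-listed"

if __name__ == "__main__":
    print(*lint(SAMPLE_POLICY, "111122223333"), sep="\n")
```

A `same-account-only` finding means the statement grants another account an operation that this page lists as "Yes / No"; a `not-listed` finding means the action matches no operation that this page lists as supported in resource-based policies.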

Data plane API operations

The following table lists the API-level support provided by data plane API operations for resource-based policies and cross-account access.

| Data Plane - Tables/indexes APIs | Resource-based policy support | Cross-account support |
|---|---|---|
| DeleteItem | Yes | Yes |
| GetItem | Yes | Yes |
| PutItem | Yes | Yes |
| Query | Yes | Yes |
| Scan | Yes | Yes |
| UpdateItem | Yes | Yes |
| TransactGetItems | Yes | Yes |
| TransactWriteItems | Yes | Yes |
| BatchGetItem | Yes | Yes |
| BatchWriteItem | Yes | Yes |

PartiQL API operations

The following table lists the API-level support provided by PartiQL API operations for resource-based policies and cross-account access.

| PartiQL APIs | Resource-based policy support | Cross-account support |
|---|---|---|
| BatchExecuteStatement | Yes | No |
| ExecuteStatement | Yes | No |
| ExecuteTransaction | Yes | No |

Control plane API operations

The following table lists the API-level support provided by control plane API operations for resource-based policies and cross-account access.

| Control Plane - Tables APIs | Resource-based policy support | Cross-account support |
|---|---|---|
| CreateTable | No | No |
| DeleteTable | Yes | Yes |
| DescribeTable | Yes | Yes |
| UpdateTable | Yes | Yes |

Version 2019.11.21 (Current) global tables API operations

The following table lists the API-level support provided by Version 2019.11.21 (Current) global tables API operations for resource-based policies and cross-account access.

| Version 2019.11.21 (Current) global tables APIs | Resource-based policy support | Cross-account support |
|---|---|---|
| DescribeTableReplicaAutoScaling | Yes | No |
| UpdateTableReplicaAutoScaling | Yes | No |

Version 2017.11.29 (Legacy) global tables API operations

The following table lists the API-level support provided by Version 2017.11.29 (Legacy) global tables API operations for resource-based policies and cross-account access.

| Version 2017.11.29 (Legacy) global tables APIs | Resource-based policy support | Cross-account support |
|---|---|---|
| CreateGlobalTable | No | No |
| DescribeGlobalTable | No | No |
| DescribeGlobalTableSettings | No | No |
| ListGlobalTables | No | No |
| UpdateGlobalTable | No | No |
| UpdateGlobalTableSettings | No | No |

Tags API operations

The following table lists the API-level support provided by API operations related to tags for resource-based policies and cross-account access.

| Tags APIs | Resource-based policy support | Cross-account support |
|---|---|---|
| ListTagsOfResource | Yes | Yes |
| TagResource | Yes | Yes |
| UntagResource | Yes | Yes |

Backup and Restore API operations

The following table lists the API-level support provided by API operations related to backup and restore for resource-based policies and cross-account access.

| Backup and Restore APIs | Resource-based policy support | Cross-account support |
|---|---|---|
| CreateBackup | Yes | No |
| DescribeBackup | No | No |
| DeleteBackup | No | No |
| RestoreTableFromBackup | No | No |

Continuous Backup/Restore (PITR) API operations

The following table lists the API-level support provided by API operations related to Continuous Backup/Restore (PITR) for resource-based policies and cross-account access.

| Continuous Backup/Restore (PITR) APIs | Resource-based policy support | Cross-account support |
|---|---|---|
| DescribeContinuousBackups | Yes | No |
| RestoreTableToPointInTime | Yes | No |
| UpdateContinuousBackups | Yes | No |

Contributor Insights API operations

The following table lists the API-level support provided by API operations related to Contributor Insights for resource-based policies and cross-account access.

| Contributor Insights APIs | Resource-based policy support | Cross-account support |
|---|---|---|
| DescribeContributorInsights | Yes | No |
| ListContributorInsights | No | No |
| UpdateContributorInsights | Yes | No |

Export API operations

The following table lists the API-level support provided by Export API operations for resource-based policies and cross-account access.

| Export APIs | Resource-based policy support | Cross-account support |
|---|---|---|
| DescribeExport | No | No |
| ExportTableToPointInTime | Yes | No |
| ListExports | No | No |

Import API operations

The following table lists the API-level support provided by Import API operations for resource-based policies and cross-account access.

| Import APIs | Resource-based policy support | Cross-account support |
|---|---|---|
| DescribeImport | No | No |
| ImportTable | No | No |
| ListImports | No | No |

Amazon Kinesis Data Streams API operations

The following table lists the API-level support provided by Kinesis Data Streams API operations for resource-based policies and cross-account access.

| Kinesis APIs | Resource-based policy support | Cross-account support |
|---|---|---|
| DescribeKinesisStreamingDestination | Yes | No |
| DisableKinesisStreamingDestination | Yes | No |
| EnableKinesisStreamingDestination | Yes | No |
| UpdateKinesisStreamingDestination | Yes | No |

Resource-based policy API operations

The following table lists the API-level support provided by resource-based policy API operations for resource-based policies and cross-account access.

| Resource-based policy APIs | Resource-based policy support | Cross-account support |
|---|---|---|
| GetResourcePolicy | Yes | No |
| PutResourcePolicy | Yes | No |
| DeleteResourcePolicy | Yes | No |

Time-to-Live API operations

The following table lists the API-level support provided by time to live (TTL) API operations for resource-based policies and cross-account access.

| TTL APIs | Resource-based policy support | Cross-account support |
|---|---|---|
| DescribeTimeToLive | Yes | No |
| UpdateTimeToLive | Yes | No |

Other API operations

The following table lists the API-level support provided by other miscellaneous API operations for resource-based policies and cross-account access.

| Other APIs | Resource-based policy support | Cross-account support |
|---|---|---|
| DescribeLimits | No | No |
| DescribeEndpoints | No | No |
| ListBackups | No | No |
| ListTables | No | No |

DynamoDB Streams API operations

The following table lists the API-level support of DynamoDB Streams APIs for resource-based policies and cross-account access.

| DynamoDB Streams APIs | Resource-based policy support | Cross-account support |
|---|---|---|
| DescribeStream | Yes | Yes |
| GetRecords | Yes | Yes |
| GetShardIterator | Yes | Yes |
| ListStreams | No | No |