Actions, resources, and condition keys for Amazon DynamoDB
Amazon DynamoDB (service prefix: dynamodb) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
Actions defined by Amazon DynamoDB
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
BatchGetItem | Grants permission to return the attributes of one or more items from one or more tables | Read | |||
BatchWriteItem | Grants permission to put or delete multiple items in one or more tables | Write | |||
ConditionCheckItem | Grants permission to check the existence of a set of attributes for the item with the given primary key | Read | |||
CreateBackup | Grants permission to create a backup for an existing table | Write | |||
CreateGlobalTable | Grants permission to create a global table from an existing table | Write | |||
CreateTable | Grants permission to add a new table to your account | Write | |||
CreateTableReplica [permission only] | Grants permission to add a new replica table | Write | |||
DeleteBackup | Grants permission to delete an existing backup of a table | Write | |||
DeleteItem | Grants permission to delete a single item in a table by primary key | Write | |||
DeleteResourcePolicy | Grants permission to delete the resource-based policy attached to the resource | Permissions management | |||
DeleteTable | Grants permission to delete a table and all of its items | Write | |||
DeleteTableReplica [permission only] | Grants permission to delete a replica table and all of its items | Write | |||
DescribeBackup | Grants permission to describe an existing backup of a table | Read | |||
DescribeContinuousBackups | Grants permission to check the status of the backup restore settings on the specified table | Read | |||
DescribeContributorInsights | Grants permission to describe the contributor insights status and related details for a given table or global secondary index | Read | |||
DescribeEndpoints | Grants permission to return the regional endpoint information | Read | |||
DescribeExport | Grants permission to describe an existing Export of a table | Read | |||
DescribeGlobalTable | Grants permission to return information about the specified global table | Read | |||
DescribeGlobalTableSettings | Grants permission to return settings information about the specified global table | Read | |||
DescribeImport | Grants permission to describe an existing import | Read | |||
DescribeKinesisStreamingDestination | Grants permission to describe the status of Kinesis streaming and related details for a given table | Read | |||
DescribeLimits | Grants permission to return the current provisioned-capacity limits for your AWS account in a region, both for the region as a whole and for any one DynamoDB table that you create there | Read | |||
DescribeReservedCapacity [permission only] | Grants permission to describe one or more of the Reserved Capacity purchased | Read | |||
DescribeReservedCapacityOfferings [permission only] | Grants permission to describe Reserved Capacity offerings that are available for purchase | Read | |||
DescribeStream | Grants permission to return information about a stream, including the current status of the stream, its Amazon Resource Name (ARN), the composition of its shards, and its corresponding DynamoDB table | Read | |||
DescribeTable | Grants permission to return information about the table | Read | |||
DescribeTableReplicaAutoScaling | Grants permission to describe the auto scaling settings across all replicas of the global table | Read | |||
DescribeTimeToLive | Grants permission to give a description of the Time to Live (TTL) status on the specified table | Read | |||
DisableKinesisStreamingDestination | Grants permission to stop replication from the DynamoDB table to the Kinesis data stream | Write | |||
EnableKinesisStreamingDestination | Grants permission to start table data replication to the specified Kinesis data stream at a timestamp chosen during the enable workflow | Write | |||
ExportTableToPointInTime | Grants permission to initiate an Export of a DynamoDB table to S3 | Write | |||
GetAbacStatus [permission only] | Grants permission to view the status of Attribute Based Access Control for the account | Read | |||
GetItem | Grants permission to return a set of attributes for the item with the given primary key | Read | |||
GetRecords | Grants permission to retrieve the stream records from a given shard | Read | |||
GetResourcePolicy | Grants permission to view a resource-based policy for a resource | Read | |||
GetShardIterator | Grants permission to return a shard iterator | Read | |||
ImportTable | Grants permission to initiate an import from S3 to a DynamoDB table | Write | |||
ListBackups | Grants permission to list backups associated with the account and endpoint | List | |||
ListContributorInsights | Grants permission to list the ContributorInsightsSummary for all tables and global secondary indexes associated with the current account and endpoint | List | |||
ListExports | Grants permission to list exports associated with the account and endpoint | List | |||
ListGlobalTables | Grants permission to list all global tables that have a replica in the specified region | List | |||
ListImports | Grants permission to list imports associated with the account and endpoint | List | |||
ListStreams | Grants permission to return an array of stream ARNs associated with the current account and endpoint | Read | |||
ListTables | Grants permission to return an array of table names associated with the current account and endpoint | List | |||
ListTagsOfResource | Grants permission to list all tags on an Amazon DynamoDB resource | Read | |||
PartiQLDelete | Grants permission to delete a single item in a table by primary key | Write | |||
PartiQLInsert | Grants permission to create a new item, if an item with same primary key does not exist in the table | Write | |||
PartiQLSelect | Grants permission to read a set of attributes for items from a table or index | Read | |||
PartiQLUpdate | Grants permission to edit an existing item's attributes | Write | |||
PurchaseReservedCapacityOfferings [permission only] | Grants permission to purchase reserved capacity for use with your account | Write | |||
PutItem | Grants permission to create a new item, or replace an old item with a new item | Write | |||
PutResourcePolicy | Grants permission to attach a resource-based policy to the resource | Permissions management | |||
Query | Grants permission to use the primary key of a table or a secondary index to directly access items from that table or index | Read | |||
RestoreTableFromAwsBackup [permission only] | Grants permission to create a new table from recovery point on AWS Backup | Write | |||
RestoreTableFromBackup | Grants permission to create a new table from an existing backup | Write | | | dynamodb:BatchWriteItem dynamodb:DeleteItem dynamodb:GetItem dynamodb:PutItem dynamodb:Query dynamodb:Scan dynamodb:UpdateItem |
RestoreTableToPointInTime | Grants permission to restore a table to a point in time | Write | | | dynamodb:BatchWriteItem dynamodb:DeleteItem dynamodb:GetItem dynamodb:PutItem dynamodb:Query dynamodb:Scan dynamodb:UpdateItem |
Scan | Grants permission to return one or more items and item attributes by accessing every item in a table or a secondary index | Read | |||
StartAwsBackupJob [permission only] | Grants permission to create a backup on AWS Backup with advanced features enabled | Write | |||
TagResource | Grants permission to associate a set of tags with an Amazon DynamoDB resource | Tagging | |||
UntagResource | Grants permission to remove the association of tags from an Amazon DynamoDB resource | Tagging | |||
UpdateAbacStatus [permission only] | Grants permission to update the status of Attribute Based Access Control for the account | Permissions management | |||
UpdateContinuousBackups | Grants permission to enable or disable continuous backups | Write | |||
UpdateContributorInsights | Grants permission to update the status for contributor insights for a specific table or global secondary index | Write | |||
UpdateGlobalTable | Grants permission to add or remove replicas in the specified global table | Write | |||
UpdateGlobalTableSettings | Grants permission to update settings of the specified global table | Write | |||
UpdateGlobalTableVersion [permission only] | Grants permission to update version of the specified global table | Write | |||
UpdateItem | Grants permission to edit an existing item's attributes, or add a new item to the table if it does not already exist | Write | |||
UpdateKinesisStreamingDestination | Grants permission to update data replication configurations for the specified Kinesis data stream | Write | |||
UpdateTable | Grants permission to modify the provisioned throughput settings, global secondary indexes, or DynamoDB Streams settings for a given table | Write | |||
UpdateTableReplicaAutoScaling | Grants permission to update auto scaling settings on your replica table | Write | |||
UpdateTimeToLive | Grants permission to enable or disable TTL for the specified table | Write | |||
Resource types defined by Amazon DynamoDB
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
Resource types | ARN | Condition keys |
---|---|---|
index | arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/index/${IndexName} | |
stream | arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/stream/${StreamLabel} | |
table | arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName} | |
backup | arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/backup/${BackupName} | |
export | arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/export/${ExportName} | |
global-table | arn:${Partition}:dynamodb::${Account}:global-table/${GlobalTableName} | |
import | arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/import/${ImportName} | |
Condition keys for Amazon DynamoDB
Amazon DynamoDB defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
Note
For information about how to use context keys to refine DynamoDB access using an IAM policy, see Using IAM Policy Conditions for Fine-Grained Access Control in the Amazon DynamoDB Developer Guide.
Condition keys | Description | Type |
---|---|---|
aws:RequestTag/${TagKey} | Filters access by the tags that are passed in the request | String |
aws:ResourceTag/${TagKey} | Filters access by the tags associated with the resource | String |
aws:TagKeys | Filters access by the tag keys that are passed in the request | ArrayOfString |
dynamodb:Attributes | Filters access by attribute (field or column) names of the table | ArrayOfString |
dynamodb:EnclosingOperation | Filters access by whether the call is made through a transactional API, so a policy can block transactional calls while allowing non-transactional calls, or vice versa | String |
dynamodb:FullTableScan | Filters access by blocking full table scan | Bool |
dynamodb:LeadingKeys | Filters access by the partition key of the table | ArrayOfString |
dynamodb:ReturnConsumedCapacity | Filters access by the ReturnConsumedCapacity parameter of a request. Contains either "TOTAL" or "NONE" | String |
dynamodb:ReturnValues | Filters access by the ReturnValues parameter of a request. Contains one of the following: "ALL_OLD", "UPDATED_OLD", "ALL_NEW", "UPDATED_NEW", or "NONE" | String |
dynamodb:Select | Filters access by the Select parameter of a Query or Scan request | String |
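The following is an added example, not part of this AWS reference page, that puts the three tables together: it builds resource ARNs in the formats from the Resource types table, emits a fine-grained access policy that uses the dynamodb:LeadingKeys, dynamodb:Attributes, dynamodb:Select, dynamodb:ReturnValues and dynamodb:FullTableScan condition keys, and lints a policy for the dependent actions that the Actions table lists for RestoreTableFromBackup and RestoreTableToPointInTime. The account ID, table name, index name, backup name and attribute list are constructed placeholders; the pairing of dynamodb:Attributes with dynamodb:Select set to SPECIFIC_ATTRIBUTES and a restricted dynamodb:ReturnValues follows the pattern in the DynamoDB Developer Guide referenced above, and scoping the restore statement to a backup ARN plus a table ARN is an assumption made for the example.

```python
"""Added example: DynamoDB IAM policy builder and dependent-action linter.
Not AWS code; all identifiers below are constructed placeholders."""
import json

# Dependent actions copied from the Actions table above. A principal allowed
# to restore a table must also be allowed these, or the restore is denied.
RESTORE_DEPENDENCIES = {
    "dynamodb:RestoreTableFromBackup": [
        "dynamodb:BatchWriteItem", "dynamodb:DeleteItem", "dynamodb:GetItem",
        "dynamodb:PutItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:UpdateItem",
    ],
    "dynamodb:RestoreTableToPointInTime": [
        "dynamodb:BatchWriteItem", "dynamodb:DeleteItem", "dynamodb:GetItem",
        "dynamodb:PutItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:UpdateItem",
    ],
}


def table_arn(account, table, region="us-east-1", partition="aws"):
    """ARN in the 'table' format from the Resource types table."""
    return f"arn:{partition}:dynamodb:{region}:{account}:table/{table}"


def index_arn(account, table, index, region="us-east-1", partition="aws"):
    """ARN in the 'index' format (table ARN plus /index/<IndexName>)."""
    return f"{table_arn(account, table, region, partition)}/index/{index}"


def backup_arn(account, table, backup, region="us-east-1", partition="aws"):
    """ARN in the 'backup' format (table ARN plus /backup/<BackupName>)."""
    return f"{table_arn(account, table, region, partition)}/backup/{backup}"


def fine_grained_item_policy(account, table, allowed_attributes, region="us-east-1"):
    """Allow a principal to touch only the items whose partition key equals its
    own IAM user name, and only the listed attributes; deny full table scans.
    ForAllValues:StringEquals is the set operator IAM applies to the
    ArrayOfString keys dynamodb:LeadingKeys and dynamodb:Attributes."""
    arn = table_arn(account, table, region)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OwnItemsAndListedAttributesOnly",
                "Effect": "Allow",
                "Action": ["dynamodb:GetItem", "dynamodb:Query",
                           "dynamodb:PutItem", "dynamodb:UpdateItem"],
                "Resource": [arn],
                "Condition": {
                    "ForAllValues:StringEquals": {
                        "dynamodb:LeadingKeys": ["${aws:username}"],
                        "dynamodb:Attributes": list(allowed_attributes),
                    },
                    # Without these, a request that omits a projection or asks
                    # for ALL_NEW/ALL_OLD would read attributes outside the list.
                    "StringEqualsIfExists": {
                        "dynamodb:Select": "SPECIFIC_ATTRIBUTES",
                        "dynamodb:ReturnValues": ["NONE", "UPDATED_OLD", "UPDATED_NEW"],
                    },
                },
            },
            {
                "Sid": "DenyFullTableScan",
                "Effect": "Deny",
                "Action": "dynamodb:Scan",
                "Resource": [arn],
                "Condition": {"Bool": {"dynamodb:FullTableScan": "true"}},
            },
        ],
    }


def restore_policy(account, table, backup, region="us-east-1"):
    """Grant RestoreTableFromBackup together with its dependent actions.
    Resource scoping (backup ARN + target table ARN) is an assumption here."""
    action = "dynamodb:RestoreTableFromBackup"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RestoreWithDependencies",
            "Effect": "Allow",
            "Action": [action] + RESTORE_DEPENDENCIES[action],
            "Resource": [backup_arn(account, table, backup, region),
                         table_arn(account, table, region)],
        }],
    }


def missing_dependent_actions(policy):
    """Return {restore_action: [dependent actions not allowed anywhere]}.
    Only literal action names are considered; wildcards are not expanded."""
    allowed = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        acts = st.get("Action", [])
        allowed.update([acts] if isinstance(acts, str) else acts)
    missing = {}
    for action, deps in RESTORE_DEPENDENCIES.items():
        if action in allowed:
            gap = [d for d in deps if d not in allowed]
            if gap:
                missing[action] = gap
    return missing


if __name__ == "__main__":
    print(json.dumps(fine_grained_item_policy("123456789012", "GameScores",
                                              ["UserId", "TopScore"]), indent=2))
    print(missing_dependent_actions(restore_policy("123456789012", "GameScores", "nightly")))
```

Run the linter against any policy document you already ship; a statement that grants only dynamodb:RestoreTableFromBackup will show up with all seven dependent actions missing, which is the authorization failure the Dependent actions column is warning about.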