DEV Community

Kirk Kirkconnell for AWS

Posted on

AWS IAM managed policies for Amazon DynamoDB

Security camera photo by Miłosz Klinowski on Unsplash

For application access, you should not use the managed AWS Identity and Access Management (IAM) policies for Amazon DynamoDB. These IAM policies are designed for use with the AWS Web Console and therefore have more permissions to more services than most applications need access to. Instead, please create your own IAM policies for DynamoDB.

In order to follow least privilege security conventions, it is best practice to create your own custom IAM policy for DynamoDB access by an application. If this is something you have never done before, don't be intimidated. I got ya. To get you started, here are a few templates I created to use to enable full access to only Amazon DynamoDB table resources.

Once you play with these templates, you should ultimately create a new policy that narrows access down to just the operations the app needs to do on the resources it needs to do it. If all you are doing is SELECT and INSERT with the PartiQL API for DynamoDB on one table, then the only actions you should allow are these two:

  • "dynamodb:PartiQLInsert"
  • "dynamodb:PartiQLSelect"

In summary, use security best practices when designing access to Amazon DynamoDB for your apps, create your own customer managed IAM policies and do not use the AWS managed IAM policies.

Discussion (0)