For application access, please do not attach the AWS managed IAM policies for Amazon DynamoDB, "AmazonDynamoDBReadOnlyAccess" and "AmazonDynamoDBFullAccess", to your application roles. I know it is tempting, but please don't do it. These AWS managed policies are written for people operating the service from the AWS Console, and that shows in two ways: their statements use `"Resource": "*"`, so they apply to every table in the account rather than the one your application uses, and they bundle in permissions on other services (DAX, CloudWatch, Data Pipeline and others) that an application reading and writing one table never needs. Either one alone is more access than most applications should have.
In order to follow least privilege security conventions, it is best practice to create your own custom IAM policy for DynamoDB access by an application. If this is something you have never done before, don't be intimidated. I got ya. To get you started, here are a few templates I created to use to enable full access to only Amazon DynamoDB table resources. Ultimately you should narrow access in the policies you create down to just the operations the app needs to perform on DynamoDB, and scope the `Resource` element to the table ARN (and its indexes) rather than `*`.
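To make the two scoping rules concrete, here is an added example (not one of the post's templates, and not AWS code) that builds a single-table policy document in Python and runs a small lint over it to catch the patterns that make the managed policies too broad. The region, account ID and table name are placeholder values constructed for the example; the `dynamodb:LeadingKeys` condition and the `table/NAME/index/*` ARN form are real IAM features, but the tenant-tag variable used with the condition is an assumption about how you tag your principals.

```python
"""Build and lint a least-privilege IAM policy for one DynamoDB table.

Constructed example: the account ID, region and table name used below are
placeholders, not values from any real account.
"""
import json

# Actions grouped by what an application actually does with a table.
# Scan is left out on purpose; add it only if the app really scans.
READ_ACTIONS = [
    "dynamodb:GetItem",
    "dynamodb:BatchGetItem",
    "dynamodb:Query",
    "dynamodb:DescribeTable",
]
WRITE_ACTIONS = [
    "dynamodb:PutItem",
    "dynamodb:UpdateItem",
    "dynamodb:DeleteItem",
    "dynamodb:BatchWriteItem",
]


def table_arn(region, account_id, table):
    """ARN of a single DynamoDB table."""
    return f"arn:aws:dynamodb:{region}:{account_id}:table/{table}"


def build_policy(region, account_id, table, actions, leading_key_values=None):
    """Return an IAM policy document scoped to one table and its indexes.

    If leading_key_values is given, a dynamodb:LeadingKeys condition restricts
    the principal to items whose partition key is one of those values (policy
    variables such as ${aws:PrincipalTag/tenant} are allowed there).
    """
    arn = table_arn(region, account_id, table)
    statement = {
        "Sid": "AppAccessToOneTable",
        "Effect": "Allow",
        "Action": sorted(set(actions)),
        # Query against a GSI/LSI is authorised on the index ARN, so grant
        # the table and its indexes, nothing else.
        "Resource": [arn, f"{arn}/index/*"],
    }
    if leading_key_values:
        statement["Condition"] = {
            "ForAllValues:StringEquals": {
                "dynamodb:LeadingKeys": list(leading_key_values)
            }
        }
    return {"Version": "2012-10-17", "Statement": [statement]}


def policy_findings(policy):
    """Flag Allow statements that are broader than one table's worth of DynamoDB.

    Returns a list of finding strings, in statement order; empty means clean.
    """
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else list(resources)
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append("wildcard action")
        if "*" in resources:
            findings.append("wildcard resource")
        if any(not a.startswith("dynamodb:") for a in actions):
            findings.append("non-DynamoDB action")
    return findings


# Constructed stand-in for the shape of a managed policy (not its real text):
# every action on every resource.
MANAGED_STYLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}],
}


if __name__ == "__main__":
    app_policy = build_policy(
        "us-east-1", "123456789012", "Orders",
        READ_ACTIONS + WRITE_ACTIONS,
        leading_key_values=["${aws:PrincipalTag/tenant}"],
    )
    print(json.dumps(app_policy, indent=2))
    print("custom policy findings:", policy_findings(app_policy))
    print("managed-style findings:", policy_findings(MANAGED_STYLE_POLICY))
```

Paste the printed JSON into a customer managed policy and attach it to the application's role. If the app only reads, pass `READ_ACTIONS` alone; the `LeadingKeys` condition is optional and only useful when the partition key identifies the caller (a user or tenant ID), in which case it turns a table-level grant into item-level isolation.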