DynamoDB Table ARN — NoSQL Database Resources
Parse a DynamoDB table ARN to understand table identification and how indexes and streams have their own ARN extensions. Covers global table ARN patterns.
Detailed Explanation
DynamoDB Table and Index ARNs
DynamoDB table ARNs use the slash-separated format with a table/ prefix. Indexes and streams extend the base table ARN with additional path segments.
Example ARN
arn:aws:dynamodb:us-east-1:123456789012:table/UserSessions
Parsed Components
| Component | Value |
|---|---|
| Partition | aws |
| Service | dynamodb |
| Region | us-east-1 |
| Account ID | 123456789012 |
| Resource Type | table |
| Resource ID | UserSessions |
Index ARNs
Global Secondary Indexes (GSI) and Local Secondary Indexes (LSI) have ARNs that extend the table ARN:
arn:aws:dynamodb:us-east-1:123456789012:table/UserSessions/index/email-index
This extended format means the parser sees table as the resource type and UserSessions/index/email-index as the full resource ID.
Stream ARNs
DynamoDB Streams have their own ARN format:
arn:aws:dynamodb:us-east-1:123456789012:table/UserSessions/stream/2024-01-15T00:00:00.000
Fine-Grained IAM Permissions
DynamoDB IAM policies often need to distinguish between table-level operations (Query, Scan) and index-level operations. A policy granting dynamodb:Query on the table ARN does not automatically grant query access to GSIs — you must include the index ARN as a separate resource.
Global Tables
DynamoDB global tables replicate across regions, but each regional replica has its own ARN with the local region. There is no single "global" ARN.
Use Case
Writing least-privilege IAM policies for Lambda functions or ECS tasks that need to read from DynamoDB tables and their GSIs. Specifying separate ARNs for table and index resources is required for correct fine-grained access control.