IAM Policy for DynamoDB CRUD Operations
Create an IAM policy for DynamoDB read, write, update, and delete operations on a specific table. Includes Query, Scan, BatchGetItem, and BatchWriteItem.
Detailed Explanation
DynamoDB CRUD Policy
Applications that use DynamoDB as their data store need precise permissions for reading, writing, updating, and deleting items. This policy covers all standard CRUD operations while scoping access to a specific table.
Policy JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDynamoDBCRUD",
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:BatchGetItem",
        "dynamodb:BatchWriteItem",
        "dynamodb:DescribeTable"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-east-1:123456789012:table/my-table",
        "arn:aws:dynamodb:us-east-1:123456789012:table/my-table/index/*"
      ]
    }
  ]
}
Index Access
The second resource ARN (table/my-table/index/*) grants access to all Global Secondary Indexes (GSIs) and Local Secondary Indexes (LSIs) on the table. Without this, Query operations against indexes will be denied, which is a common source of AccessDeniedException errors.
Read-Only vs. Full CRUD
For read-only access, remove PutItem, UpdateItem, DeleteItem, and BatchWriteItem. For write-only (event ingestion), keep only PutItem and BatchWriteItem.
PartiQL Support
If your application uses PartiQL (SQL-compatible query language for DynamoDB), add dynamodb:PartiQLSelect, dynamodb:PartiQLInsert, dynamodb:PartiQLUpdate, and dynamodb:PartiQLDelete to the actions list.
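The following Python script is an added example, not part of the original page. It generates the policy above and its read-only and write-only variants from a single table ARN, optionally adding the PartiQL actions, and then lints a policy for the two problems described in the sections above: a Resource that is not scoped to one named table, and Query/Scan granted without the table/.../index/* ARN (the cause of the AccessDeniedException mentioned under Index Access). The mapping of PartiQL actions onto the read-only and write-only modes, and the decision to omit the index ARN when no action can target an index, are this example's own choices rather than statements from the page.

```python
"""Generate and lint least-privilege DynamoDB table policies.

Added example, not part of the original page. Builds the page's CRUD policy
and its read-only / write-only variants from a single table ARN, then checks
a policy for two common mistakes: a Resource that is not scoped to one named
table, and Query/Scan granted without the /index/* ARN.
"""
import json
import re

# Action lists taken from the page's policy and its variants.
CRUD_ACTIONS = [
    "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
    "dynamodb:DeleteItem", "dynamodb:Query", "dynamodb:Scan",
    "dynamodb:BatchGetItem", "dynamodb:BatchWriteItem", "dynamodb:DescribeTable",
]
WRITE_ACTIONS = {"dynamodb:PutItem", "dynamodb:UpdateItem",
                 "dynamodb:DeleteItem", "dynamodb:BatchWriteItem"}
INGEST_ACTIONS = ["dynamodb:PutItem", "dynamodb:BatchWriteItem"]
# PartiQL actions per mode: the page lists all four for full CRUD; the
# read-only / write-only split is this example's own mapping (assumption).
PARTIQL_BY_MODE = {
    "crud": ["dynamodb:PartiQLSelect", "dynamodb:PartiQLInsert",
             "dynamodb:PartiQLUpdate", "dynamodb:PartiQLDelete"],
    "read-only": ["dynamodb:PartiQLSelect"],
    "write-only": ["dynamodb:PartiQLInsert"],
}
# Actions that can target a GSI/LSI and therefore need the index ARN.
INDEX_ACTIONS = {"dynamodb:Query", "dynamodb:Scan", "dynamodb:PartiQLSelect"}

# One fully qualified table ARN: no wildcards in region, account or table name.
TABLE_ARN_RE = re.compile(
    r"^arn:aws:dynamodb:[a-z0-9-]+:\d{12}:table/[A-Za-z0-9_.-]+$")


def build_policy(table_arn, mode="crud", partiql=False):
    """Return a policy document for one table in mode crud/read-only/write-only."""
    if not TABLE_ARN_RE.match(table_arn):
        raise ValueError(f"not a single-table DynamoDB ARN: {table_arn}")
    if mode == "crud":
        actions = list(CRUD_ACTIONS)
    elif mode == "read-only":
        actions = [a for a in CRUD_ACTIONS if a not in WRITE_ACTIONS]
    elif mode == "write-only":
        actions = list(INGEST_ACTIONS)
    else:
        raise ValueError(f"unknown mode: {mode}")
    if partiql:
        actions += PARTIQL_BY_MODE[mode]
    resources = [table_arn]
    # Grant the index ARN only when an allowed action can actually hit an index.
    if set(actions) & INDEX_ACTIONS:
        resources.append(table_arn + "/index/*")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowDynamoDBTableAccess",
            "Effect": "Allow",
            "Action": actions,
            "Resource": resources,
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_policy(policy):
    """Return findings for Allow statements that are over-broad or that will
    fail on index queries. An empty list means both checks passed."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        resources = _as_list(stmt.get("Resource", []))
        table_arns = [r for r in resources if "/index/" not in r]
        if not all(TABLE_ARN_RE.match(r) for r in table_arns):
            findings.append(f"{sid}: Resource is not scoped to a single named table")
        has_index = any(r.endswith("/index/*") for r in resources)
        if actions & INDEX_ACTIONS and not has_index:
            findings.append(f"{sid}: Query/Scan allowed without the table/.../index/* "
                            "ARN; index queries will fail with AccessDeniedException")
    return findings


if __name__ == "__main__":
    arn = "arn:aws:dynamodb:us-east-1:123456789012:table/my-table"  # ARN from the page
    for mode in ("crud", "read-only", "write-only"):
        policy = build_policy(arn, mode=mode, partiql=(mode == "crud"))
        print(json.dumps(policy, indent=2))
        print("findings:", check_policy(policy) or "none")
```

Run it as-is to print the three variants; feed an existing policy document to check_policy() to catch the missing-index-ARN case before it surfaces as an AccessDeniedException in production. The checker is deliberately narrow: it does not evaluate Deny statements, conditions, or "dynamodb:*" action wildcards.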
Use Case
Backend services, Lambda functions, or microservices that store and retrieve data from DynamoDB tables. Common in serverless architectures and event-driven applications.