
Roles policy to access separate ARN resource issue


I want to add a policy that allows an IAM user access to only a few of the tables.

I followed this document.

My policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudwatch:DescribeAlarmHistory",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DescribeAlarmsForMetric",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "datapipeline:DescribeObjects",
                "datapipeline:DescribePipelines",
                "datapipeline:GetPipelineDefinition",
                "datapipeline:ListPipelines",
                "datapipeline:QueryObjects",
                "dynamodb:BatchGetItem",
                "dynamodb:DescribeTable",
                "dynamodb:GetItem",
                "dynamodb:ListTables",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:DescribeReservedCapacity",
                "dynamodb:DescribeReservedCapacityOfferings",
                "sns:ListSubscriptionsByTopic",
                "sns:ListTopics",
                "lambda:ListFunctions",
                "lambda:ListEventSourceMappings",
                "lambda:GetFunctionConfiguration"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:dynamodb:eu-west-1: xxxxxxxxxxxx:table:table/<TableName>", //commented real name
                "arn:aws:dynamodb:eu-west-1:xxxxxxxxxxxx:table/<TableName>" //commented real name
            ]
        }
    ]
}

As a result I get a "Not Authorized" message.


But when I change Resource to "*", everything works.

So why can't I grant full read access only to specific tables?


Solution

  • The solution, thanks to Deepesh S. (from Amazon), is listed below. The policy is split into two statements: the actions that operate on a specific table (GetItem, Query, Scan, BatchGetItem, DescribeTable, ...) keep the table ARNs as their Resource, while the listing and describe actions that are not resource-based (dynamodb:ListTables, the cloudwatch:*, sns:List* and lambda:List* calls) are granted on Resource "*", because a table ARN can never match them and they were denied in the original single statement. Note that the first ARN in the Resource list, with a space after the region and a doubled "table:table/", does not look like a valid DynamoDB table ARN; only the second form "arn:aws:dynamodb:<region>:<account>:table/<TableName>" should be needed.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ResourceBasedActions",
                "Action": [
                    "datapipeline:DescribeObjects",
                    "datapipeline:DescribePipelines",
                    "datapipeline:GetPipelineDefinition",
                    "datapipeline:QueryObjects",
                    "dynamodb:BatchGetItem",
                    "dynamodb:DescribeTable",
                    "dynamodb:GetItem",
                    "dynamodb:Query",
                    "dynamodb:Scan",
                    "lambda:GetFunctionConfiguration"
                ],
                "Effect": "Allow",
                "Resource": [
                     "arn:aws:dynamodb:eu-west-1: xxxxxxxxxxxx:table:table/<TableName>", 
                    "arn:aws:dynamodb:eu-west-1:xxxxxxxxxxxx:table/<TableName>" 
                ]
            },
            {
                "Sid": "NonResourceBasedActions",
                "Action": [
                    "cloudwatch:DescribeAlarmHistory",
                    "cloudwatch:DescribeAlarms",
                    "cloudwatch:DescribeAlarmsForMetric",
                    "cloudwatch:GetMetricStatistics",
                    "cloudwatch:ListMetrics",
                    "datapipeline:ListPipelines",
                    "dynamodb:ListTables",
                    "sns:ListSubscriptionsByTopic",
                    "sns:ListTopics",
                    "lambda:ListFunctions",
                    "lambda:ListEventSourceMappings",
                    "dynamodb:DescribeReservedCapacity",
                    "dynamodb:DescribeReservedCapacityOfferings"
                ],
                "Effect": "Allow",
                "Resource": [
                    "*"
                ]
            }
        ]
    }