amazon-web-services, amazon-dynamodb, amazon-iam

How to hide a specific DynamoDB attribute from the AWS Console?


I'm trying to hide a sensitive DynamoDB attribute from being visible in the AWS Console for certain IAM users viewing a specific DynamoDB table.

I tried this approach (and many variations of it, including ForAllValues in place of ForAnyValue):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:Scan",
        "dynamodb:Query"
      ],
      "Resource": "arn:aws:dynamodb:<region>:<account-id>:table/my-table",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "dynamodb:Attributes": [
            "sensitive_attribute"
          ]
        }
      }
    }
  ]
}

But I'm still able to see the sensitive attribute in the console when signed in as the restricted user.

Is it possible to hide a specific attribute in the AWS Console for DynamoDB tables? If so, what's the correct IAM policy approach?


Solution

  • Is it possible to hide a specific attribute in the AWS Console for DynamoDB tables?

    No, it's not possible. The IAM policy you have in your question would restrict users from making specific queries against that attribute, but it would not prevent that attribute from being returned in the query response.

    If you want users to see data in your DynamoDB table, but restrict what attributes they have access to, you can't give them access to the AWS console. You would have to build a custom UI for that.
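As an added illustration (not part of the answer above), the following simplified model of IAM condition evaluation shows why a Deny keyed on `dynamodb:Attributes` cannot strip an attribute from a response: the key only describes attributes the request names, so a Scan with no ProjectionExpression never matches it. The request contexts are constructed, and the console is assumed to issue such a full Scan; the allow-list statement is the shape AWS documents for fine-grained access control, which denies that Scan outright rather than filtering it.

```python
# Added example: a simplified model of IAM condition evaluation for DynamoDB
# fine-grained access control. Request contexts below are constructed.

def condition_matches(operator, key, policy_values, context):
    """Evaluate one condition. Missing-key rules follow the AWS docs:
    ForAnyValue -> False, ForAllValues -> True, ...IfExists -> True."""
    present = key in context
    if operator == "ForAnyValue:StringEquals":
        return present and any(v in policy_values for v in context[key])
    if operator == "ForAllValues:StringEquals":
        return (not present) or all(v in policy_values for v in context[key])
    if operator == "StringEqualsIfExists":
        return (not present) or context[key] in policy_values
    raise ValueError(f"unsupported operator {operator}")

def evaluate(statements, action, context):
    """Explicit Deny wins, then any matching Allow, else implicit deny."""
    decision = "deny"
    for st in statements:
        if action not in st["Action"]:
            continue
        if all(condition_matches(op, key, vals, context)
               for op, key, vals in st.get("Condition", [])):
            if st["Effect"] == "Deny":
                return "deny"
            decision = "allow"
    return decision

READS = {"dynamodb:Scan", "dynamodb:Query", "dynamodb:GetItem"}

# The question's Deny, plus the broad read Allow the user needs to see the table.
QUESTION_POLICY = [
    {"Effect": "Allow", "Action": READS},
    {"Effect": "Deny", "Action": READS,
     "Condition": [("ForAnyValue:StringEquals", "dynamodb:Attributes",
                    {"sensitive_attribute"})]},
]
# Allow-list shape: only projections drawn from permitted attributes succeed.
ALLOWLIST_POLICY = [
    {"Effect": "Allow", "Action": READS,
     "Condition": [("ForAllValues:StringEquals", "dynamodb:Attributes", {"id", "name"}),
                   ("StringEqualsIfExists", "dynamodb:Select", {"SPECIFIC_ATTRIBUTES"})]},
]
# Constructed request contexts (assumed console behaviour: Scan, no projection).
CONSOLE_SCAN = {"dynamodb:Select": "ALL_ATTRIBUTES"}
PROJECTED_SCAN = {"dynamodb:Select": "SPECIFIC_ATTRIBUTES",
                  "dynamodb:Attributes": ["id", "sensitive_attribute"]}
SAFE_SCAN = {"dynamodb:Select": "SPECIFIC_ATTRIBUTES",
             "dynamodb:Attributes": ["id", "name"]}
```

Under the question's policy the full console Scan is allowed and returns every attribute, while under the allow-list policy the same Scan is denied entirely; neither outcome is a filtered view.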