How can I control user access to Amazon DynamoDB data via IAM?

Question

Does AWS Identity and Access Management (IAM) provide a way so that a user can only edit or delete the items in an Amazon DynamoDB table he added before?

Answer 1

I'm fairly sure that the answer to your question is yes. You'll probably have to use AWS Cognito with an IAM role policy behind it.

You might have to do some fiddling with this, but if you add a policy like the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:UpdateItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:ap-southeast-2: NUMBER:table/myapplication_product"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        "${cognito-identity.amazonaws.com:sub}"
                    ]
                }
            }
        }
    ]
}

Firstly, this will restrict access to the dynamodb resource to just the methods named, but the "Condition" block will additionally restrict access to identities that match the hashkey that you are trying to alter - obviously, this doesn't affect the Scan (only the GetItem and UpdateItem). Now exactly how you match up those keys, is the fiddling that I referred to, but the solution is in there somewhere. Hope this helps.