DynamoDB 101 — Customize Access Policy to a Specific Table

Wenhe Qi
Jul 22, 2020

By default, AWS managed policies such as AmazonDynamoDBFullAccess and AmazonDynamoDBReadOnlyAccess apply their permissions to all tables in DynamoDB, while we may want to pick specific permissions and apply them only to a specific table or tables.

This is where customer managed policies come into play. We can create a customized policy and attach it to a specific user group.

First, log in to IAM. On the left sidebar, select Policies under Access management, then click the Create policy button.

Click on Choose a service, type DynamoDB and select it in the result list.

Then in the Actions section, check the actions you want to allow on this policy.

You may notice a warning showing up as soon as you check some actions. No worries, let’s go to the Resources section right below it. It tells us to specify a table resource ARN for the selected action(s).

This is where we actually restrict access to the table. Click on Add ARN shown in the above figure, supply the region and table name, and click the Add button. Note that you can add as many ARNs (tables) as you want.

If you want, you can even restrict the IP addresses that are allowed to take these actions in the Request conditions section.

If everything looks good, click the Review policy button, give your policy a name and click the Create policy button.

Now we can attach this newly created policy to a group.

Select Groups under Access management, click on the group that you want to attach this policy to, then click on Attach Policy.

Select Customer Managed in the filter dropdown list.

Check the newly created policy and click the Attach Policy button.

BOOM! You’ve successfully created a customized policy that restricts users to accessing only a specific table or tables, and applied it to a user group.
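For reference, here is the kind of JSON policy document the visual editor steps above produce, built in Python. This is an added example, not code from the original post: the account ID, region, table names, actions and CIDR are constructed placeholders, and `table_policy` and `unscoped_statements` are hypothetical helper names. The second helper flags any Allow statement that is not pinned to named tables, which is the gap the managed policies leave.

```python
import ipaddress
import json
import re

TABLE_NAME = re.compile(r"[A-Za-z0-9_.-]{3,255}")  # DynamoDB table-name rules

def table_policy(region, account_id, tables, actions, source_cidrs=None):
    """Build a policy document allowing `actions` only on the named tables."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account id must be 12 digits")
    if not tables or not actions:
        raise ValueError("at least one table and one action are required")
    for name in tables:
        if not TABLE_NAME.fullmatch(name):  # also rejects '*' and '?' wildcards
            raise ValueError(f"invalid table name: {name!r}")
    for action in actions:
        if not re.fullmatch(r"dynamodb:[A-Za-z]+", action):  # no 'dynamodb:*'
            raise ValueError(f"action must be explicit: {action!r}")
    statement = {
        "Effect": "Allow",
        "Action": sorted(actions),
        "Resource": [f"arn:aws:dynamodb:{region}:{account_id}:table/{t}" for t in tables],
    }
    if source_cidrs:
        # The IP restriction from the Request conditions step, expressed with
        # the aws:SourceIp condition key. ip_network() rejects malformed CIDRs.
        cidrs = [str(ipaddress.ip_network(c)) for c in source_cidrs]
        statement["Condition"] = {"IpAddress": {"aws:SourceIp": cidrs}}
    return {"Version": "2012-10-17", "Statement": [statement]}

def unscoped_statements(policy):
    """Return Allow statements whose Resource is not pinned to named tables."""
    found = []
    for stmt in policy["Statement"]:
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if stmt.get("Effect") == "Allow" and any("*" in r for r in resources):
            found.append(stmt)
    return found

# Constructed sample values: account id, region, tables and CIDR are placeholders.
POLICY = table_policy("us-east-1", "123456789012", ["Orders", "Customers"],
                      ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem"],
                      source_cidrs=["203.0.113.0/24"])
BROAD = {"Version": "2012-10-17", "Statement": [  # constructed all-tables policy
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    print("unscoped in POLICY:", len(unscoped_statements(POLICY)))
    print("unscoped in BROAD:", len(unscoped_statements(BROAD)))
```

The printed JSON can be pasted into the JSON tab of the Create policy screen in place of the visual editor steps.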
