DynamoDB - Conditions

When granting permissions, DynamoDB allows you to specify conditions for them using a detailed IAM policy with condition keys. This supports settings such as restricting access to certain items and attributes.
Note. DynamoDB does not support tags.
Detailed control
Some conditions allow the specification of items and attributes, such as granting read-only access to certain items based on the user account. Implement this level of control with conditional IAM policies that manage security credentials. Then simply apply the policy to the desired users, groups, and roles. Web identity federation, which will be discussed later, also provides a way to control user access through Amazon, Facebook, and Google accounts.
The IAM policy Condition element implements access control. You just add it to the policy. An example of its use is to deny or allow access to items and attributes of a table. The Condition element can also use condition keys to restrict permissions.
The following two condition keys are typical examples:
- dynamodb:LeadingKeys - Denies access to an item to users whose ID does not match the value of the partition key.
- dynamodb:Attributes - Prevents users from accessing or working with attributes that are not in the list.
Each condition in an IAM policy evaluates to true or false. If any condition evaluates to false, the entire policy statement evaluates to false, resulting in access denied. Be sure to include all the required information in the condition keys to ensure that users have the appropriate access.
Predefined condition keys
AWS offers a set of predefined condition keys that apply to all services. They support a wide range of uses and fine details in user and access validation.
Note. Condition keys are case sensitive.
The following service-specific condition keys are available:
- dynamodb:LeadingKeys - Represents the first key attribute of the table, the partition key. Use the ForAllValues modifier in conditions.
- dynamodb:Select - Represents the Select parameter of a Query or Scan request. It must be ALL_ATTRIBUTES, ALL_PROJECTED_ATTRIBUTES, SPECIFIC_ATTRIBUTES, or COUNT.
- dynamodb:Attributes - Represents the list of attribute names in the request, or the attributes returned from the request. Its values and their functions resemble API action parameters, for example BatchGetItem uses AttributesToGet.
- dynamodb:ReturnValues - Represents the ReturnValues request parameter and can use the following values: ALL_OLD, UPDATED_OLD, ALL_NEW, UPDATED_NEW, and NONE.
- dynamodb:ReturnConsumedCapacity - Represents the ReturnConsumedCapacity request parameter and can use the following values: TOTAL and NONE.
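The following IAM policy is an added example, not taken from this page or from AWS documentation verbatim, that ties together the condition keys listed above and in the earlier LeadingKeys/Attributes example. It assumes a table named GameScores in account 123456789012 (placeholder values) whose partition key is UserId, and a web-identity-federated user whose Amazon user ID is available through the `${www.amazon.com:user_id}` policy variable. The dynamodb:Select and dynamodb:ReturnValues conditions are what stop a Query with Select=ALL_ATTRIBUTES, or an UpdateItem with ReturnValues=ALL_NEW, from returning attributes outside the allowed list.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OwnRowsAndListedAttributesOnly",
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:BatchGetItem",
        "dynamodb:Query",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/GameScores",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": ["${www.amazon.com:user_id}"],
          "dynamodb:Attributes": [
            "UserId",
            "GameTitle",
            "Wins",
            "Losses",
            "TopScore"
          ]
        },
        "StringEqualsIfExists": {
          "dynamodb:Select": "SPECIFIC_ATTRIBUTES",
          "dynamodb:ReturnValues": ["NONE", "UPDATED_OLD", "UPDATED_NEW"]
        }
      }
    }
  ]
}
```

Scan is deliberately absent from the Action list because it does not narrow by partition key, so dynamodb:LeadingKeys would never match and the call would be denied anyway; leaving it out keeps the policy's intent explicit.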