DynamoDB Table Access Provisioning

In this course, we present how to create DynamoDB tables including local and secondary indices.

Learning Objectives

  • Creating DynamoDB tables using the AWS Console
  • Creating local and global secondary indices

Intended Audience

  • Architects and developers looking to understand how to create DynamoDB Tables using the different modalities provided by AWS
  • Those studying for the AWS Solutions Architect Associate and Developer Associate certifications

Prerequisites

  • Meet the requirements for the Cloud Practitioner certification or equivalent experience
  • Understand the fundamentals of DynamoDB as presented in the DynamoDB Basics course
  • It will help if you follow up with the Reading and Writing data in DynamoDB course

DynamoDB table provisioning needs to consider Identity and Access Management (IAM) in order to authorize the access that database operators need to perform their work. This is one of the first benefits of leveraging DynamoDB: access is governed by the same consolidated IAM controls that are common to the rest of the AWS services and deployments. You can use administrator access for testing and experiments.

However, for production workloads, it is important that you consider the best practice of applying the principle of least privilege and grant the required access controls accordingly. A number of AWS-managed policies are available for DynamoDB, including full access, read-only access, and Lambda invocation policies. The important detail to keep in mind is that, in terms of operations, you want to provision access controls for individual tables or for specific actions on a given set of tables, and sometimes even access to specific items and attributes exclusively.

The idea is to protect your data at all times and to provide the least amount of access required to perform a specific task. The example shown uses the IAM condition element to implement a fine-grained access control policy, allowing access to the music table items of a specific user ID only. The condition element in this policy uses condition keys that are specific to DynamoDB policies and permissions. The dynamodb:LeadingKeys condition key allows users to access only items whose partition key matches their user ID. The user ID in this case is identified by a substitution variable of the form ${}. Please note that in this case we're talking about one of your application users and not an AWS account user. Also, when using the leading keys in a condition statement, you must use the ForAllValues set modifier as shown on the screen. The dynamodb:Attributes condition key limits access to the specified attributes.

It represents the list of attribute names in a request, or the attributes that can be returned from a request. Finally, adding the StringEqualsIfExists condition ensures that the application always provides a list of specific attributes to use and cannot request all the attributes in a table. The principle at work here is that if any of the condition elements evaluates to false, the entire policy evaluates to false as well and access is denied. Please make sure to examine the AWS documentation for specifying conditions in DynamoDB policies, as the possibilities available are extensive. You can use the QR code shown on the screen to get to the documentation quickly.
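The policy described above, written out and paired with a small model of how IAM evaluates its three condition entries, as an added example that is not part of the original course material. It assumes a table named Music, a placeholder account ID in the ARN, and application users federated through Cognito, so the per-user substitution variable is the Cognito identity sub.

```python
"""Fine-grained DynamoDB policy from the lesson plus a small model of how IAM
evaluates its condition block (added example, not AWS's own evaluator)."""

# Assumptions, not from the lesson: table "Music", placeholder account id, and
# app users federated through Cognito, so the per-user variable is the Cognito sub.
USER_VAR = "${cognito-identity.amazonaws.com:sub}"
STATEMENT = {
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem",
               "dynamodb:UpdateItem"],
    "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/Music",
    "Condition": {
        # Every partition-key value and every attribute name in the request
        # must be in the allowed set (set operator, hence ForAllValues).
        "ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": [USER_VAR],
            "dynamodb:Attributes": ["UserId", "SongTitle", "Rating"],
        },
        # If the request carries Select at all, it must be SPECIFIC_ATTRIBUTES.
        "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"},
    },
}

def condition_matches(request: dict, condition: dict = STATEMENT["Condition"]) -> bool:
    """request: caller_sub plus the DynamoDB context keys LeadingKeys,
    Attributes and Select as the call would populate them (None if absent)."""
    for operator, pairs in condition.items():
        for key, allowed in pairs.items():
            allowed = [allowed] if isinstance(allowed, str) else list(allowed)
            allowed = [v.replace(USER_VAR, request["caller_sub"]) for v in allowed]
            actual = request.get(key.split(":", 1)[1])  # "dynamodb:Select" -> "Select"
            if operator == "ForAllValues:StringEquals":
                # Vacuously true when the key is absent or empty: a call with no
                # ProjectionExpression passes this, which is why Select is also pinned.
                if actual and not set(actual) <= set(allowed):
                    return False
            elif operator == "StringEqualsIfExists":
                if actual is not None and actual not in allowed:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True  # all condition entries matched, so the Allow applies

# Constructed sample requests; caller_sub is the authenticated application user.
OWN_ROWS = {"caller_sub": "alice", "LeadingKeys": ["alice"],
            "Attributes": ["SongTitle", "Rating"], "Select": "SPECIFIC_ATTRIBUTES"}
OTHER_USER = {**OWN_ROWS, "LeadingKeys": ["bob"]}           # another user's items
ALL_ATTRS = {**OWN_ROWS, "Attributes": None, "Select": "ALL_ATTRIBUTES"}
HIDDEN_ATTR = {**OWN_ROWS, "Attributes": ["SongTitle", "PurchaseHistory"]}
```

The last sample shows the caveat the lesson hints at: a request that names an attribute outside the list is denied, while a request that names no attributes at all passes the ForAllValues check and is stopped only by the Select condition.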


About the Author
Jorge Negrón
AWS Content Architect
Learning Paths

Experienced in the architecture and delivery of cloud-based solutions, the development and delivery of technical training, defining requirements and use cases, and validating architectures for results. Excellent leadership, communication, and presentation skills with attention to detail. Hands-on administration/development experience with the ability to mentor and train in current & emerging technologies (Cloud, ML, IoT, Microservices, Big Data & Analytics).