Raz Zelinger

Reputation: 696

Restricting access to DynamoDB using tag key

I'm following Amazon's documentation for 'Controlling Access to AWS Resources Using Resource Tags' to control access to my DynamoDB resource using a tag key on the Dynamo table itself.

The policy JSON I use looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TestAccess",
            "Effect": "Allow",
            "Action": [
                "dynamodb:PutItem",
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:Query",
                "dynamodb:UpdateItem"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:TagKeys": "X"
                }
            }
        }
    ]
}

No matter what I do, it doesn't seem to allow access using ForAnyValue; I tried using StringEquals/StringLike and nothing worked. When I switched to ForAllValues, it allowed access to every call no matter the tags (even if X is not present).

I don't know what I am missing. Does Dynamo even support tagging access restrictions? Am I doing something wrong? Thanks

Upvotes: 1

Views: 2051

Answers (1)

Tatenda Zifudzi

Reputation: 661

As noted in the DynamoDB documentation, and per @shuvalov's comment, DynamoDB does not support tag-based conditions.

It is explicitly stated in the docs.

Some AWS services also support tag-based conditions; however, DynamoDB does not.

The Service Authorization Reference can be used to view condition keys that are supported by each AWS service.

Upvotes: 3
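The behaviour the question describes (ForAnyValue never matching, ForAllValues matching every call) is exactly what IAM's documented set-operator semantics produce when the condition key is absent from the request context, which is what happens when a service does not populate the key. ForAnyValue is false when the key is missing; ForAllValues is true when the key is missing, unless the statement also carries a Null condition that requires the key to exist. The following is an added example, not code from the question or the answer: a small Python model of those evaluation rules, run over constructed request contexts. Note also that aws:TagKeys names the tag keys carried in a request, not the tags on a resource; the per-resource key is aws:ResourceTag/tag-key, where a service supports it.

```python
"""Model of IAM set-operator semantics for multivalued condition keys.

Added example, not from the original post. Encodes the documented rules:
  - ForAnyValue:StringEquals  -> true if at least one request value is in the
                                 policy set; false if the key is absent.
  - ForAllValues:StringEquals -> true if every request value is in the policy
                                 set; ALSO true if the key is absent.
  - Null                      -> "false" requires the key to be present.
The request contexts at the bottom are constructed sample data.
"""
from typing import Dict, Iterable, List, Mapping, Optional, Set


def for_any_value(request_values: Optional[Iterable[str]], policy_values: Set[str]) -> bool:
    """ForAnyValue: missing key never matches."""
    if request_values is None:
        return False
    return any(v in policy_values for v in request_values)


def for_all_values(request_values: Optional[Iterable[str]], policy_values: Set[str]) -> bool:
    """ForAllValues: missing key matches (documented IAM behaviour)."""
    if request_values is None:
        return True
    return all(v in policy_values for v in request_values)


def null_operator(request_values: Optional[Iterable[str]], expected: str) -> bool:
    """Null: "true" matches when the key is absent, "false" when it is present."""
    present = request_values is not None
    return (not present) if expected.lower() == "true" else present


def condition_matches(statement: Mapping, request_context: Mapping[str, List[str]]) -> bool:
    """All operators in a Condition block, and all keys under each, are ANDed."""
    for operator, clauses in statement.get("Condition", {}).items():
        for key, expected in clauses.items():
            actual = request_context.get(key)
            if operator == "ForAnyValue:StringEquals":
                ok = for_any_value(actual, _as_set(expected))
            elif operator == "ForAllValues:StringEquals":
                ok = for_all_values(actual, _as_set(expected))
            elif operator == "Null":
                ok = null_operator(actual, str(expected))
            else:
                raise ValueError("unsupported operator in this model: " + operator)
            if not ok:
                return False
    return True


def _as_set(value) -> Set[str]:
    return {value} if isinstance(value, str) else set(value)


# The statement from the question (Resource/Action omitted; only Condition matters here).
POSTED = {"Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": "X"}}}
# The variant the poster switched to.
FOR_ALL = {"Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": "X"}}}
# ForAllValues guarded so that an absent key no longer matches.
GUARDED = {"Condition": {
    "ForAllValues:StringEquals": {"aws:TagKeys": "X"},
    "Null": {"aws:TagKeys": "false"},
}}

# Constructed request contexts: tag key X present, a different key, both,
# and a request where the service populated no aws:TagKeys at all.
CONTEXTS: Dict[str, Dict[str, List[str]]] = {
    "X": {"aws:TagKeys": ["X"]},
    "Y": {"aws:TagKeys": ["Y"]},
    "X_and_Y": {"aws:TagKeys": ["X", "Y"]},
    "absent": {},
}


def decisions() -> Dict[str, Dict[str, bool]]:
    """Evaluate each statement against each context; True means the Allow applies."""
    statements = {"posted": POSTED, "for_all": FOR_ALL, "guarded": GUARDED}
    return {name: {ctx: condition_matches(stmt, rc) for ctx, rc in CONTEXTS.items()}
            for name, stmt in statements.items()}


if __name__ == "__main__":
    for name, results in decisions().items():
        print(name, results)
```

With the key absent, the posted ForAnyValue statement denies and the ForAllValues statement allows unconditionally, which reproduces the observation in the question; adding "Null": {"aws:TagKeys": "false"} is the standard way to keep ForAllValues from matching a request that carries no tag keys at all.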
