How do I troubleshoot the error AccessDeniedException when I access an Amazon DynamoDB table?


I want to access an Amazon DynamoDB table, but I get an AccessDeniedException error.

Short description

You might get this error for the following reasons:

  • The AWS Identity and Access Management (IAM) role that you used to access the DynamoDB table doesn't have the required permissions.
  • Access to the DynamoDB table is restricted at an organization level.
  • The policy associated with the Amazon Virtual Private Cloud (Amazon VPC) endpoint for DynamoDB restricts the operation.
  • You activated multi-factor authentication (MFA) and you didn't use the MFA to sign in to access the table.
  • You use a customer managed key or an AWS managed key to protect your DynamoDB tables.
  • You can't access Amazon CloudWatch Contributor Insights for DynamoDB.

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Resolution

The IAM role doesn't have the required permissions

When you create a DynamoDB table, grant the required permissions to the IAM role that you use to access the table. You can attach the policies to IAM users, groups, or roles to grant the required permissions. For more information, see Using identity-based policies with Amazon DynamoDB.
To troubleshoot IAM permission API call failures, use an AWS CLI script that pulls the CloudTrail events for your principal and keeps only the API calls that failed with an access denied or unauthorized error code:

# Prints a CSV header, then one line per failed API call made by your-ARN in the time window.
( echo "Time,Identity ARN,Event ID,Service,Action,Error,Message";
  aws cloudtrail lookup-events --start-time "2022-08-04T13:23:00Z" --end-time "2022-08-04T13:27:00Z" --query "Events[*].CloudTrailEvent" --output text \
    | jq -r ". | select(.userIdentity.arn == \"your-ARN\" and .eventType == \"AwsApiCall\" and .errorCode != null
    and (.errorCode | ascii_downcase | (contains(\"accessdenied\") or contains(\"unauthorized\"))))
    | [.eventTime, .userIdentity.arn, .eventID, .eventSource, .eventName, .errorCode, .errorMessage] | @csv"
) | column -t -s'",'

Replace your-ARN with the IAM ARN for your resources.

Note: The AWS CLI script requires the jq command line JSON processor. For the tutorial and download instructions, see JSON output format.

For distributions that use the yum package, run the following command:

$ sudo yum install jq

The output of this command looks similar to the following:

Time                 Identity ARN                           Event ID                             Service                Action     Error Message 
2022-08-04T13:24:14Z arn:aws:iam::111122223333:user/article 42f420fe-ef06-43be-98a6-d5a0a90d7b4c dynamodb.amazonaws.com ListTables AccessDenied User: arn:aws:iam::111122223333:user/article is not authorized to perform: dynamodb:ListTables on resource: arn:aws:dynamodb:us-east-1:111122223333:table/* with an explicit deny in an identity-based policy
2022-08-04T13:51:22Z arn:aws:iam::111122223333:user/article b174e4e1-94a7-403e-a15f-1234aec796a6 dynamodb.amazonaws.com ListTables AccessDenied User: arn:aws:iam::111122223333:user/article is not authorized to perform: dynamodb:ListTables on resource: arn:aws:dynamodb:us-east-1:111122223333:table/* because no identity-based policy allows the dynamodb:ListTables action

In the preceding output, the first message means that the ListTables action failed because an identity-based policy attached to the user article in account 111122223333 contains an explicit deny for that operation. The second message means that no identity-based policy allows the dynamodb:ListTables action.

The following are best practices to make sure that your IAM role has the required permissions to access the DynamoDB table:

  • Don't include the IAM role in any DENY statement of the trust policy.
  • Include the IAM role in the ALLOW statement of the trust policy.
  • Make sure that all IAM conditions specified in the ALLOW statement are supported by the sts:AssumeRole API action.
  • If you use the AWS CLI to access the DynamoDB table, use the correct access key ID and secret access key.

For more information, see How can I get data to assist in troubleshooting IAM permission access denied or unauthorized errors?

Access to the DynamoDB table is restricted at the organization level

If you get the following error when you try to access the DynamoDB table, then a service control policy (SCP) denied your access:

"User: arn:aws:iam::11111222333:user/Admin is not authorized to perform: dynamodb:ListTables on resource: arn:aws:dynamodb:us-east-1:11111222333:table with an explicit deny in a service control policy"

To troubleshoot this issue, update the policy that's defined at the organization level.

Note: If you deny DynamoDB operations at the organization level, then all IAM roles in that organization or AWS account are denied, even if the role or account has the required permissions.

The Amazon VPC endpoint policy restricts the operation

To improve the privacy and security of data transfer between the DynamoDB table and your application, you can use an Amazon VPC endpoint. If the VPC endpoint has an IAM resource policy that restricts the IAM user's access to the table, then you get the following error:

"An error occurred (AccessDeniedException) when calling the ListTables operation: User: arn:aws:iam::111222333444:user/Admin is not authorized to perform: dynamodb:ListTables on resource: arn:aws:dynamodb:us-east-1:11111222333:table/* with an explicit deny in a VPC endpoint policy"

If you receive this error, then there's an explicit DENY statement in the VPC endpoint policy that denies the ListTables operation for the user Admin.

To view the VPC endpoint policy, run the AWS CLI command describe-vpc-endpoints. Or, complete the following steps to view the policy in the console:

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Endpoints.
  3. Select the VPC endpoint.
  4. Choose the Policy tab to view the endpoint policy.

To resolve this problem, update the VPC endpoint policy.
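The jq filter in the CloudTrail script above keeps the failed calls, but it still leaves you reading each message to find which policy layer produced the deny. This added Python example (not AWS code) applies the same filter to a constructed stream of CloudTrail event records and labels each denial with the layer named in its message, using the four message endings quoted in this article (identity-based explicit deny, no identity-based allow, SCP, VPC endpoint policy). The event records, the user/other ARN and the timestamps after 13:51 are constructed.

```python
import json

ARN = "arn:aws:iam::111122223333:user/article"
# Message fragments the article quotes for each denial source, most specific first.
DENIAL_SOURCES = [
    ("explicit deny in a service control policy", "SCP (organization level)"),
    ("explicit deny in a VPC endpoint policy", "VPC endpoint policy"),
    ("explicit deny in an identity-based policy", "identity-based policy: explicit deny"),
    ("no identity-based policy allows", "identity-based policy: no allow"),
]

def is_access_denied(event, arn):
    """Same test as the jq filter: this principal, an API call, an AccessDenied/Unauthorized code."""
    code = (event.get("errorCode") or "").lower()
    return (event.get("userIdentity", {}).get("arn") == arn and event.get("eventType") == "AwsApiCall"
            and ("accessdenied" in code or "unauthorized" in code))

def classify(message):
    """Map the errorMessage text to the policy layer that produced the deny."""
    return next((src for frag, src in DENIAL_SOURCES if frag in (message or "")), "unknown")

def triage(raw_events, arn):
    """raw_events: CloudTrailEvent JSON strings (what --query "Events[*].CloudTrailEvent" yields)."""
    rows = []
    for ev in map(json.loads, raw_events):
        if is_access_denied(ev, arn):
            rows.append((ev["eventTime"], ev["eventSource"], ev["eventName"], classify(ev.get("errorMessage"))))
    return rows

def _event(time, arn, code, message):
    # Constructed CloudTrail record carrying only the fields the filter reads.
    return json.dumps({"eventTime": time, "eventType": "AwsApiCall", "eventSource": "dynamodb.amazonaws.com",
                       "eventName": "ListTables", "userIdentity": {"arn": arn},
                       "errorCode": code, "errorMessage": message})

_PREFIX = ("User: " + ARN + " is not authorized to perform: dynamodb:ListTables on resource: "
           "arn:aws:dynamodb:us-east-1:111122223333:table/* ")
SAMPLE_EVENTS = [  # constructed; the four message endings are the ones the article quotes
    _event("2022-08-04T13:24:14Z", ARN, "AccessDenied", _PREFIX + "with an explicit deny in an identity-based policy"),
    _event("2022-08-04T13:51:22Z", ARN, "AccessDenied", _PREFIX + "because no identity-based policy allows the dynamodb:ListTables action"),
    _event("2022-08-04T13:52:00Z", ARN, "AccessDenied", _PREFIX + "with an explicit deny in a service control policy"),
    _event("2022-08-04T13:53:00Z", ARN, "AccessDeniedException", _PREFIX + "with an explicit deny in a VPC endpoint policy"),
    _event("2022-08-04T13:54:00Z", ARN, None, None),  # successful call: no errorCode, so filtered out
    _event("2022-08-04T13:55:00Z", "arn:aws:iam::111122223333:user/other", "AccessDenied", "other principal"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS, ARN):
        print(*row, sep="  ")
```

To run it against real data, feed triage() the lines that the aws cloudtrail lookup-events command above prints instead of SAMPLE_EVENTS.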

You didn't use the MFA to sign in to access the table

Suppose that you configured MFA in your account with the following identity-based policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}

In this case, all actions except those that are required to use MFA to authenticate are denied. If the IAM user isn't signed in with MFA, then all actions that are not listed in the above policy are denied, including DynamoDB actions.

To resolve this problem, sign in with MFA.
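To see which calls the policy above blocks, here is an added Python example (not AWS code) that evaluates its single Deny statement against three constructed request contexts, and also against a variant that uses Bool instead of BoolIfExists, to show why the IfExists form matters for long-term access keys. Only NotAction and Bool/BoolIfExists conditions are modelled, which is all this policy uses; the Resource element is not inspected.

```python
import copy

# The identity-based policy from the article as a dict (Resource "*"; the evaluator ignores it).
MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllExceptListedIfNoMFA",
        "Effect": "Deny",
        "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
                      "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
                      "sts:GetSessionToken"],
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}

# Constructed request contexts. aws:MultiFactorAuthPresent is absent (not "false") when a request
# is signed with long-term access keys, which is the case BoolIfExists exists to catch.
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}
TEMP_CREDS_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
LONG_TERM_KEYS = {}

def deny_matches(stmt, action, context):
    """Does this Deny statement apply to `action` under `context`?"""
    if stmt["Effect"] != "Deny" or action in stmt.get("NotAction", []):
        return False          # NotAction: the statement covers everything except the listed actions
    for operator, checks in stmt.get("Condition", {}).items():
        for key, expected in checks.items():
            if key not in context:
                if operator.endswith("IfExists"):
                    continue  # ...IfExists: a missing key satisfies the condition
                return False  # plain Bool: a missing key never matches, so no deny
            if str(context[key]).lower() != expected.lower():
                return False
    return True

def is_denied(policy, action, context):
    return any(deny_matches(s, action, context) for s in policy["Statement"])

def weakened_policy():
    """Same policy with Bool instead of BoolIfExists, for comparison."""
    weak = copy.deepcopy(MFA_POLICY)
    cond = weak["Statement"][0]["Condition"]
    cond["Bool"] = cond.pop("BoolIfExists")
    return weak

if __name__ == "__main__":
    for name, ctx in [("MFA session", MFA_SESSION), ("temp creds, no MFA", TEMP_CREDS_NO_MFA),
                      ("long-term keys", LONG_TERM_KEYS)]:
        print(f"{name:20} dynamodb:ListTables denied: {is_denied(MFA_POLICY, 'dynamodb:ListTables', ctx)}"
              f"  (Bool variant: {is_denied(weakened_policy(), 'dynamodb:ListTables', ctx)})")
```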

Your DynamoDB table uses the customer managed key or AWS managed key

DynamoDB tables that use a customer managed key or an AWS Key Management Service (AWS KMS) key must have the correct permissions. The KMS key policies must give DynamoDB permission to use the key on your behalf. The IAM user that's accessing the table must have the following minimum permissions on the AWS KMS key:

  • DynamoDB uses the AWS KMS key to generate and encrypt a unique data key for the table, called the table key. To generate and encrypt this key, you must have the kms:GenerateDataKey permission.
  • To encrypt and decrypt the table key, you must have the kms:Encrypt and kms:Decrypt permissions on the AWS KMS key.
  • The table key is used to secure the data encryption keys that are used to encrypt the table data. If the customer managed key is modified for a table, then DynamoDB produces a new table key. Then, DynamoDB uses the new table key to re-encrypt the data encryption keys. To do this operation, you must have the kms:ReEncrypt permission.
  • DynamoDB uses the kms:DescribeKey operation to determine whether the customer managed key that you selected exists in the account and Region. If the key has been removed, then the DescribeKey call returns an error.
  • DynamoDB uses grants to set permissions on a customer managed key. These grant permissions are used when DynamoDB performs background system maintenance and continuous data protection tasks. Grant permissions are also used to generate table keys. Therefore, be sure that you have the kms:CreateGrant permission.

For more information, see How Amazon DynamoDB uses AWS KMS.

You can't access CloudWatch Contributor Insights for DynamoDB

If you get this error when you try to access CloudWatch Contributor Insights for DynamoDB, then you might not have the correct IAM permissions. To access CloudWatch Contributor Insights, you must have the following permissions:

For more information, see CloudWatch contributor insights for DynamoDB: How it works.

Note: DynamoDB doesn't support Attribute Based Access Control (ABAC). Also, tag-based conditions can't be used to control access on tables. Instead, use IAM policy conditions for fine-grained access control (FGAC).

Related information

IAM: Allows and denies access to multiple services programmatically and in the console

Using resource-based policies for DynamoDB

AWS OFFICIAL