DynamoDB not able to Restore With Deny DeleteItem SCP

0

Hi there,

We have a service control policy attached to our account with an explicit Deny on DynamoDB DeleteItem. We have enabled Point-in-Time Recovery for the tables as well. When I tried to perform a restore on a table, it threw an error saying "User ....... not authorized to perform: dynamodb:DeleteItem on resource .... with an explicit deny in a service control policy".

I would like to know why the restore table action requires the DeleteItem action. Is this right? How do we handle this case without trading off the SCP policy?

Thanks

Asked a year ago, 247 views
1 answer
2
Accepted answer

DeleteItem is required as part of the IAM policy, but it is never used. Unfortunately this is by design, and to restore a table you will need to grant the restore process DeleteItem permissions.

My assumption here is that the permissions are required because restore to an existing table has long been talked about, and perhaps DeleteItem permissions are required for that feature, if/when it becomes available.

AWS
Expert
Answered a year ago
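One way to keep the DeleteItem deny in force for everyone except the principal that performs restores is to scope the SCP's Deny statement with a condition on the caller's ARN. The policy below is an added example and is not part of the original question or answer, nor an AWS-published policy; the account ID `111122223333` and the role name `DynamoDBRestoreRole` are placeholders you would replace with your own. The Deny applies to every principal in the account except that role, so a restore run under the role passes the SCP check while ordinary workloads still cannot call `dynamodb:DeleteItem`. The role's own IAM permissions must then include `dynamodb:DeleteItem` alongside `dynamodb:RestoreTableToPointInTime`, as the answer above explains.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDynamoDBDeleteItemExceptRestoreRole",
      "Effect": "Deny",
      "Action": "dynamodb:DeleteItem",
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/DynamoDBRestoreRole"
        }
      }
    }
  ]
}
```

Two caveats a practitioner should keep in mind. First, `aws:PrincipalArn` for an assumed role session resolves to the role ARN, so the `ArnNotLike` match works for sessions of `DynamoDBRestoreRole` regardless of the session name; if you wrote the assumed-role session ARN (`arn:aws:sts::...:assumed-role/...`) here instead, the condition would not match. Second, exempting a role from the SCP shifts the control to the role's trust policy, so restrict who can assume `DynamoDBRestoreRole` (for example to a break-glass group) and log its use with CloudTrail, otherwise the exemption becomes a general bypass of the DeleteItem deny.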
