Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

policy to limit dynamodb UpdateItem with a condition expression

1

Hi,

I have a dynamodb table with the following attributes:

  1. mykey: partition key
  2. myversion: a mutable number
  3. mymap: a mutable map
  4. several other attributes

I have an application that should call the following dynamodb UpdateItem request:

  1. a conditional update expression that verifies the existing value of myversion attribute: myversion = 123
  2. an update expression that modifies mymap attribute: SET mymap = {...}

I am trying to write a fine-grained iam policy that allows an application to perform this UpdateItem with minimal permissions:

  1. the partition key must be equal to a predefined value, e.g. "part123"
  2. only "mymap" attribute must be modifiable by the application
  3. all attributes can be read by the application

Tried this policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:UpdateItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:*:<ACCOUNT>:table/<TABLE>"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        "part123"
                    ],
                    "dynamodb:Attributes": [
                        "mykey",
                        "mymap"
                    ]
                }
            }
        }
    ]
}

It does work if the UpdateItem is called without a conditional expression on myversion. But once I add the conditional expression it fails with the following error:

AccessDeniedException: User: [...] is not authorized to perform: dynamodb:UpdateItem on resource: [arn:aws:dynamodb:...] because no identity-based policy allows the dynamodb:UpdateItem action

Adding the conditional expression attribute myversion under "dynamodb:Attributes" section in the policy makes it work but I'm afraid this also allows updating myvesion itself, which is unwanted.

How can I define a policy that allows dynamodb UpdateItem to modify only a specific field while referencing other fields in the conditional expression?

thanks

  • ReiGun
    10 months ago

    hi there. I can't get my UpdateItem to work on a single attribute. Did you ever manage to get yours working? If so, can you show me your policy please? here's mine: { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowUpdateTechnicianIDsOnly", "Effect": "Allow", "Action": "dynamodb:UpdateItem", "Resource": "arn:aws:dynamodb:::table/[table-name]", "Condition": { "ForAllValues:StringEqualsIfExists": { "dynamodb:Attributes": [ "technician_ids" ] } } } ] } this gets rejected when I try to just set the attribute/column I'm allowing AccessDeniedException: User: arn:aws:iam:::user/ is not authorized to perform: dynamodb:UpdateItem on resource: arn:aws:dynamodb:us-east-1:*:table/[table-name] because no identity-based policy allows the dynamodb:UpdateItem action

Topics
Security, Identity, & ComplianceDatabase
Tags
IAM PoliciesAmazon DynamoDB
Language
English
asked 2 years ago1.1K views
1 Answer
1

A simple solution to your question is to make myversion the sort key of the table. That way it cannot be updated, regardless of how your IAM policy is configured as DynamoDB prevents updates to primary key values.

AWS
EXPERT
answered 2 years ago
  • rePost-User-0003509
    2 years ago

    Not possible. myversion is mutable by design, but by a different application. The application being discussed here should be able to only read it. Technically myversion is used for preventing race conditions on write.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content