policy to limit dynamodb UpdateItem with a condition expression



I have a dynamodb table with the following attributes:

  1. mykey: partition key
  2. myversion: a mutable number
  3. mymap: a mutable map
  4. several other attributes

I have an application that should call the following dynamodb UpdateItem request:

  1. a conditional update expression that verifies the existing value of myversion attribute: myversion = 123
  2. an update expression that modifies mymap attribute: SET mymap = {...}

I am trying to write a fine-grained iam policy that allows an application to perform this UpdateItem with minimal permissions:

  1. the partition key must be equal to a predefined value, e.g. "part123"
  2. only "mymap" attribute must be modifiable by the application
  3. all attributes can be read by the application

Tried this policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["dynamodb:UpdateItem"],
                "Resource": ["arn:aws:dynamodb:<region>:<account-id>:table/<table-name>"],
                "Condition": {
                    "ForAllValues:StringEquals": {
                        "dynamodb:LeadingKeys": ["part123"],
                        "dynamodb:Attributes": ["mykey", "mymap"]
                    }
                }
            }
        ]
    }

It does work if the UpdateItem is called without a conditional expression on myversion. But once I add the conditional expression it fails with the following error:

AccessDeniedException: User: [...] is not authorized to perform: dynamodb:UpdateItem on resource: [arn:aws:dynamodb:...] because no identity-based policy allows the dynamodb:UpdateItem action

Adding the conditional expression attribute myversion under the "dynamodb:Attributes" section in the policy makes it work, but I'm afraid this also allows updating myversion itself, which is unwanted.

How can I define a policy that allows dynamodb UpdateItem to modify only a specific field while referencing other fields in the conditional expression?


asked 10 months ago, 587 views
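To make the behaviour in the question concrete, here is an added Python model, written for this page and not taken from AWS or from the original post, of how the dynamodb:Attributes condition key is checked for UpdateItem. It assumes, for illustration, that the key attributes plus every attribute named in the UpdateExpression and the ConditionExpression are compared against the policy's list; the helper names `referenced_attributes` and `update_item_allowed` and the sample requests are constructed here.

```python
import re

# Added illustration, not AWS's implementation: a simplified model of how the
# dynamodb:Attributes condition key is evaluated for UpdateItem. The assumption
# (consistent with the behaviour described in the question) is that the key
# attributes plus every attribute named in the UpdateExpression and the
# ConditionExpression must all appear in the list under ForAllValues:StringEquals.

_KEYWORDS = {"set", "remove", "add", "delete", "and", "or", "not", "between",
             "in", "attribute_exists", "attribute_not_exists", "attribute_type",
             "begins_with", "contains", "size", "if_not_exists", "list_append"}
# One token: an optional ':' or '#' prefix, an identifier, then dotted path parts.
_TOKEN = re.compile(r"[#:]?[A-Za-z_]\w*(?:\.#?[A-Za-z_]\w*)*")


def referenced_attributes(expression, names=None):
    """Top-level attribute names an expression refers to.

    ':' tokens are value placeholders and are ignored; '#' tokens are resolved
    through ExpressionAttributeNames; 'mymap.inner' counts as 'mymap'."""
    names = names or {}
    found = set()
    for tok in _TOKEN.findall(expression):
        if tok.startswith(":") or tok.lower() in _KEYWORDS:
            continue
        head = tok.split(".")[0]
        found.add(names[head] if head.startswith("#") else head)
    return found


def update_item_allowed(allowed_attributes, key, update_expression,
                        condition_expression=None, names=None):
    """Return (allowed, denied_attributes) for one UpdateItem request."""
    requested = set(key) | referenced_attributes(update_expression, names)
    if condition_expression:
        requested |= referenced_attributes(condition_expression, names)
    denied = sorted(requested - set(allowed_attributes))
    return (not denied, denied)


if __name__ == "__main__":
    key = {"mykey": "part123"}            # constructed sample request key
    policy_attrs = ["mykey", "mymap"]     # the question's dynamodb:Attributes list
    print(update_item_allowed(policy_attrs, key, "SET mymap = :m"))
    print(update_item_allowed(policy_attrs, key, "SET mymap = :m", "myversion = :v"))
    # Listing myversion as well makes the condition pass, but it also lets the
    # same principal write myversion, which is the questioner's concern.
    print(update_item_allowed(policy_attrs + ["myversion"], key, "SET myversion = :v"))
```

The second call reproduces the AccessDenied case from the question, and the third shows why adding myversion to dynamodb:Attributes is not a fix: the same list now permits a SET on myversion.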
1 Answer

A simple solution to your question is to make myversion the sort key of the table. That way it cannot be updated, regardless of how your IAM policy is configured as DynamoDB prevents updates to primary key values.

AWS
answered 10 months ago
  • Not possible. myversion is mutable by design, but by a different application. The application being discussed here should be able to only read it. Technically myversion is used for preventing race conditions on write.
