DynamoDB IAM to scan an index, but not the table


Question: Is there a restriction on scanning a DynamoDB index if the caller does not have permission to scan the underlying table? I can query the index without giving permission to the table, why can't I also scan it? If I should be able to scan, what else can I do to check why IAM is not allowing the request?

I have a role that grants access to scan and query an index. I have consulted the documentation for IAM here and see no difference in requirements for Query and Scan operations.

I have created a role with the following minimal IAM policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dynamodb:Query",
                "dynamodb:Scan"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-east-1:123456789012:table/prod-table/index/gsi1"
            ],
            "Effect": "Allow"
        }
    ]
}

I can use the CLI to query this index and get back items.

aws dynamodb query --table-name prod-table --index-name gsi1 --limit 10 --key-condition-expression "gsi1pk = :val" --expression-attribute-values '{":val": {"S": "entity"}}'

However, attempting a scan fails.

aws dynamodb scan --table-name prod-table --index-name gsi1 --limit 10

stating "An error occurred (AccessDeniedException) when calling the Scan operation: User: xxxx is not authorized to perform: dynamodb:Scan on resource: arn:aws:dynamodb:us-east-1:123456789012:table/prod-table because no identity-based policy allows the dynamodb:Scan action"

EDIT: In addition, I am confused as to why I can update the policy to only grant access to the table (not the index), and this will allow me to scan an index, when I have not granted permission to scan an index. You may say "if you have access to the table items, then you implicitly have access to the index", but then why does the documentation state that I can supply an index arn as a resource for the scan action. In addition, I may want to protect my index against a scan because I have limited spare RCU on the index, but I have plenty of spare RCU on the main table.

1 Answer

This is because your policy only allows Query and Scan on the index (if you look at your Resource policy, it says "arn:aws:dynamodb:us-east-1:123456789012:table/prod-table/index/gsi1").

You should, however, allow permissions on the table ("arn:aws:dynamodb:us-east-1:123456789012:table/prod-table"), as the error itself indicates.

The policy would look like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dynamodb:Query",
                "dynamodb:Scan"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-east-1:123456789012:table/prod-table"
            ],
            "Effect": "Allow"
        }
    ]
}
AWS
answered 5 months ago
  • I understand what the error message states, and I understand I can update the identity policy (this is not a resource policy) to add scanning on the table. My question is whether this restriction is documented, given I see no difference in the documentation for Scan and Query.

    Today adding permission on the table is not an option, as I only want to grant access to the GSI.
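The asker also wants a way to check why IAM is refusing the request. As an added example (not code from the post, the answer or AWS), here is a small local evaluator that takes the action and resource ARN named in an AccessDeniedException message and checks them against an identity-based policy using IAM's `*`/`?` wildcard matching and Allow/Deny precedence. The two policies and the ARNs are the ones from the post; the denial message is the post's, with the stray space in the ARN removed. The evaluator models Effect, Action and Resource only (no Condition, NotAction/NotResource, resource policies, SCPs or permission boundaries), and it does not model how DynamoDB picks the ARN it authorizes against: that ARN is taken from the error message.

```python
import re

# Constructed inputs: the table and index ARNs from the post.
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/prod-table"
INDEX_ARN = TABLE_ARN + "/index/gsi1"


def make_policy(effect, actions, resources):
    """Build a single-statement identity-based policy document."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": effect, "Action": actions, "Resource": resources}]}


# The asker's policy (index only) and the answer's policy (table only),
# with the JSON syntax errors from the post fixed.
INDEX_ONLY_POLICY = make_policy("Allow", ["dynamodb:Query", "dynamodb:Scan"], [INDEX_ARN])
TABLE_ONLY_POLICY = make_policy("Allow", ["dynamodb:Query", "dynamodb:Scan"], [TABLE_ARN])

# The AccessDeniedException text from the post (stray space in the ARN removed).
ACCESS_DENIED_MSG = (
    "An error occurred (AccessDeniedException) when calling the Scan operation: "
    "User: xxxx is not authorized to perform: dynamodb:Scan on resource: "
    + TABLE_ARN + " because no identity-based policy allows the dynamodb:Scan action")


def _glob(pattern, ignore_case=False):
    """Compile an IAM-style pattern: '*' matches any run, '?' one character."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("^" + body + "$", re.IGNORECASE if ignore_case else 0)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource):
    """Evaluate one identity-based policy for (action, resource).

    Returns 'allow', 'explicit_deny' or 'implicit_deny'. Only Effect, Action and
    Resource are modelled; NotAction, NotResource, Condition, resource policies,
    SCPs and permission boundaries are out of scope for this example.
    """
    decision = "implicit_deny"
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if not any(_glob(a, True).match(action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_glob(r).match(resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"  # an explicit Deny always wins
        decision = "allow"
    return decision


def parse_access_denied(message):
    """Extract (action, resource ARN) from an AccessDeniedException message."""
    m = re.search(r"not authorized to perform: (\S+) on resource: (\S+)", message)
    if m is None:
        raise ValueError("message does not name an action and a resource")
    return m.group(1), m.group(2)


def explain_denial(policy, message):
    """Map a denied call back onto the policy: which (action, resource) pair the
    service evaluated, and what this policy says about that pair."""
    action, resource = parse_access_denied(message)
    return {"action": action, "resource": resource,
            "decision": evaluate(policy, action, resource)}


if __name__ == "__main__":
    print(explain_denial(INDEX_ONLY_POLICY, ACCESS_DENIED_MSG))
    for name, pol in (("index-only", INDEX_ONLY_POLICY), ("table-only", TABLE_ONLY_POLICY)):
        for arn in (INDEX_ARN, TABLE_ARN):
            print(name, "dynamodb:Scan", arn, "->", evaluate(pol, "dynamodb:Scan", arn))
```

Run against the index-only policy, the evaluator allows both actions on the index ARN but returns implicit_deny for the table ARN the message names, which is exactly what the error reports. Run against the table-only policy, the index ARN is not matched at all (a literal table ARN has no wildcard, so it does not cover `.../index/gsi1`); a table-only grant can therefore only have let the scan through if the service authorized it against the table ARN, which is consistent with the ARN in the error message. A policy whose resource ends in `table/prod-table*` matches the table and all of its indexes. For a check against AWS's own evaluation engine rather than this local model, `aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names dynamodb:Scan --resource-arns <table-arn> <index-arn>` reports the decision for each resource, and the failed call's CloudTrail record shows the same error message.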
