You can use AWS Identity and Access Management (IAM) to restrict Amazon DynamoDB backup and restore actions for some resources. The CreateBackup and RestoreTableFromBackup APIs operate on a per-table basis.
For more information about using IAM policies in DynamoDB, see Using Identity-Based Policies (IAM Policies) for Amazon DynamoDB.
The following are examples of IAM policies that you can use to configure specific backup and restore functionality in DynamoDB.
The following IAM policy grants permissions to allow the CreateBackup and RestoreTableFromBackup DynamoDB actions on all tables:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:CreateBackup",
        "dynamodb:RestoreTableFromBackup",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:BatchWriteItem"
      ],
      "Resource": "*"
    }
  ]
}
Important
DynamoDB write permissions are necessary for restore functionality, which is why the policy above also grants the item-level write actions (PutItem, UpdateItem, DeleteItem, BatchWriteItem) alongside RestoreTableFromBackup.
The following IAM policy grants permissions for the CreateBackup action and denies the RestoreTableFromBackup action:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:CreateBackup"],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["dynamodb:RestoreTableFromBackup"],
      "Resource": "*"
    }
  ]
}
The following IAM policy grants permissions for the ListBackups action and denies the CreateBackup and RestoreTableFromBackup actions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:ListBackups"],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "dynamodb:CreateBackup",
        "dynamodb:RestoreTableFromBackup"
      ],
      "Resource": "*"
    }
  ]
}
The following IAM policy grants permissions for the ListBackups action and denies the DeleteBackup action:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:ListBackups"],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["dynamodb:DeleteBackup"],
      "Resource": "*"
    }
  ]
}
Example 5: Allow RestoreTableFromBackup and DescribeBackup for All Resources and Deny DeleteBackup for a Specific Backup
The following IAM policy grants permissions for the RestoreTableFromBackup and DescribeBackup actions on all resources and denies the DeleteBackup action for a specific backup resource:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:DescribeBackup",
        "dynamodb:RestoreTableFromBackup",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:BatchWriteItem"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "dynamodb:DeleteBackup"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/MusicCollection/backup/01489173575360-b308cd7d"
    }
  ]
}
Important
DynamoDB write permissions are necessary for restore functionality, which is why the item-level write actions are granted here together with RestoreTableFromBackup.
The following IAM policy grants permissions for the CreateBackup action on the Movies table only:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:CreateBackup"],
      "Resource": [
        "arn:aws:dynamodb:us-east-1:123456789012:table/Movies"
      ]
    }
  ]
}
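To check how these statements combine before deploying them, the following added example (not code from the AWS documentation) implements the core IAM decision rule, explicit Deny first, then Allow, otherwise implicit deny, and runs the page's Example 5 policy and the Movies-only CreateBackup policy against constructed requests. It models only Action/Resource statements with "*" wildcards; Condition, NotAction and Principal elements are deliberately not supported.

```python
import fnmatch

# Constructed for this example: the two policies copied from the page.
BACKUP_ARN = ("arn:aws:dynamodb:us-east-1:123456789012:table/MusicCollection"
              "/backup/01489173575360-b308cd7d")
EXAMPLE_5 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["dynamodb:DescribeBackup", "dynamodb:RestoreTableFromBackup",
                    "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem",
                    "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan",
                    "dynamodb:BatchWriteItem"]},
        {"Effect": "Deny", "Action": ["dynamodb:DeleteBackup"], "Resource": BACKUP_ARN},
    ],
}
MOVIES_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["dynamodb:CreateBackup"],
         "Resource": ["arn:aws:dynamodb:us-east-1:123456789012:table/Movies"]},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, case_sensitive):
    # IAM treats '*' and '?' as wildcards; action names match case-insensitively,
    # resource ARNs match case-sensitively.
    patterns = _as_list(patterns)
    if not case_sensitive:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(policies, action, resource):
    """Simplified IAM decision over identity-based policies only:
    any matching explicit Deny wins, else any matching Allow grants,
    else the request is implicitly denied."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if "Action" not in stmt or "Resource" not in stmt:
                raise ValueError("only Action/Resource statements are modelled")
            if (_matches(stmt["Action"], action, False)
                    and _matches(stmt["Resource"], resource, True)):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"
                decision = "Allow"
    return decision
```

Note that the Deny in Example 5 only becomes visible when some other policy would otherwise allow DeleteBackup on that ARN; on its own, an unmatched action is already an implicit deny.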
The following IAM policy grants permissions for the ListBackups action:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:ListBackups"],
      "Resource": "*"
    }
  ]
}
Important
You cannot grant permissions for the ListBackups action on a specific table.