AWS DynamoDB Access Control

2017.04.19 - Note: VPC Endpoints have since been released for DynamoDB.

At the time of writing this post, AWS does not offer VPC Endpoints for DynamoDB.

Having said that, you can fine-grain your IAM policy so that it allows only the actions that are needed, only on specific tables, and only for the principals and sources that need them.

Use Case Example:

In the following example, I will show how to limit access to DynamoDB so that only requests from the source IP 1.2.3.4 can reach tables following the "-prod" naming convention, and only with READ access:

IAM Policy:

Create an IAM policy and attach it to a user, group, or role:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1468232344000",
            "Effect": "Allow",
            "Action": [
                "dynamodb:DescribeTable",
                "dynamodb:GetItem",
                "dynamodb:GetRecords",
                "dynamodb:ListTables"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "1.2.3.4/32"
                }
            },
            "Resource": [
                "arn:aws:dynamodb:eu-west-1:123456789012:table/*-prod"
            ]
        }
    ]
}
```
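To check what this statement grants and refuses before attaching it, here is a small local evaluator (an added example, not code from the original post and not AWS's own evaluation engine). It applies the three elements of the statement above, the action list, the resource ARN pattern and the aws:SourceIp condition, with IAM's default deny; the table name orders-prod is a constructed sample, and explicit Deny statements, SCPs and resource policies are not modelled.

```python
import fnmatch
import ipaddress
import json

# Local copy of the post's policy (same values as the JSON above).
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Stmt1468232344000",
    "Effect": "Allow",
    "Action": ["dynamodb:DescribeTable", "dynamodb:GetItem",
               "dynamodb:GetRecords", "dynamodb:ListTables"],
    "Condition": {"IpAddress": {"aws:SourceIp": "1.2.3.4/32"}},
    "Resource": ["arn:aws:dynamodb:eu-west-1:123456789012:table/*-prod"]
  }]
}
""")


def _as_list(value):
    # IAM accepts either a single string or a list for Action/Resource/SourceIp.
    return value if isinstance(value, list) else [value]


def _ip_condition_met(condition, source_ip):
    """Only the IpAddress operator on aws:SourceIp is modelled (simplification).
    A statement without that condition matches any caller."""
    cidrs = _as_list(condition.get("IpAddress", {}).get("aws:SourceIp", []))
    if not cidrs:
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def is_allowed(policy, action, resource_arn, source_ip):
    """True if some Allow statement matches action, resource and source IP.
    Anything not explicitly allowed is refused (IAM default deny)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # IAM's '*' and '?' wildcards map onto fnmatch's; ARNs contain no '[' ']'.
        action_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok and _ip_condition_met(stmt.get("Condition", {}), source_ip):
            return True
    return False


if __name__ == "__main__":
    prod = "arn:aws:dynamodb:eu-west-1:123456789012:table/orders-prod"  # constructed
    for act, arn, ip in [("dynamodb:GetItem", prod, "1.2.3.4"), ("dynamodb:PutItem", prod, "1.2.3.4"),
                         ("dynamodb:GetItem", prod, "5.6.7.8"), ("dynamodb:GetItem", prod.replace("prod", "dev"), "1.2.3.4")]:
        print(f"{act:24} {arn.rsplit('/', 1)[1]:12} from {ip:8} -> {'ALLOW' if is_allowed(POLICY, act, arn, ip) else 'DENY'}")
```

For the authoritative answer use the IAM policy simulator against the attached policy. Note also that dynamodb:ListTables is not a table-scoped action in IAM and only takes effect with a "*" resource, a subtlety this simplified matcher does not enforce.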

**Resources:**

1. Here is the [current list](http://docs.aws.amazon.com/general/latest/gr/rande.html#ddb_region) of DynamoDB public endpoints.

2. More information on [Fine Grained Access](http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html).