AWS amazondynamodb medium security documentation change
Summary
Added warning about global tables replication limitations and minor phrasing updates
Security assessment
Reiterates the global tables replication warning from V2gt_IAM.md and updates policy guidance. This helps prevent service disruptions caused by improper IAM configurations, addressing operational security risks.
Diff
diff --git a/amazondynamodb/latest/developerguide/specifying-conditions.md b/amazondynamodb/latest/developerguide/specifying-conditions.md index 76015fc63..134d9e107 100644 --- a//amazondynamodb/latest/developerguide/specifying-conditions.md +++ b//amazondynamodb/latest/developerguide/specifying-conditions.md @@ -152,0 +153,4 @@ Many IAM permissions policies allow users to access only those items in a table +###### Important + +Fine-grained access control isn't supported for restricting global tables replication. Applying policy conditions for fine-grained access control to DynamoDB [service principals or service-linked roles](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/V2gt_IAM.html) used for global tables replication may interrupt replication within a global table. + @@ -157 +161 @@ Each of the examples in the following section sets the `Effect` clause to `Allow -In some cases, it is possible to rewrite these policies so that they are deny-based (that is, setting the `Effect` clause to `Deny` and inverting all of the logic in the policy). However, we recommend that you avoid using deny-based policies with DynamoDB because they are difficult to write correctly, compared to allow-based policies. In addition, future changes to the DynamoDB API (or changes to existing API inputs) can render a deny-based policy ineffective. +In some cases, it is possible to rewrite these policies so that they are deny-based (that is, setting the `Effect` clause to `Deny` and inverting all of the logic in the policy). However, we recommend that you avoid using deny-based policies with DynamoDB because they're difficult to write correctly, compared to allow-based policies. In addition, future changes to the DynamoDB API (or changes to existing API inputs) can render a deny-based policy ineffective.