AWS amazondynamodb medium security documentation change
Summary
Modified IAM policy example: removed high-privilege actions (e.g., DeleteTable, CreateGlobalTableWitness), added data plane actions (e.g., Query, PutItem), and introduced a new statement allowing ServiceLinkedRole creation for replication.
Security assessment
Removal of DeleteTable and other destructive actions reduces privilege escalation risks. The addition of CreateServiceLinkedRole documentation highlights a security-relevant permission requirement for replication. These changes directly impact access control policies.
Diff
diff --git a/amazondynamodb/latest/developerguide/globaltables-security.md b/amazondynamodb/latest/developerguide/globaltables-security.md index 5f536a08b..e4bd514c0 100644 --- a//amazondynamodb/latest/developerguide/globaltables-security.md +++ b//amazondynamodb/latest/developerguide/globaltables-security.md @@ -122 +122 @@ JSON - "Sid": "AllowManagingUsersGlobalTable", + "Sid": "AllowCreatingUsersGlobalTable", @@ -127,4 +126,0 @@ JSON - "dynamodb:CreateGlobalTableWitness", - "dynamodb:DeleteTable", - "dynamodb:DeleteTableReplica", - "dynamodb:DeleteGlobalTableWitness", @@ -132 +128,7 @@ JSON - "dynamodb:UpdateTimeToLive" + "dynamodb:Query", + "dynamodb:Scan", + "dynamodb:UpdateItem", + "dynamodb:PutItem", + "dynamodb:GetItem", + "dynamodb:DeleteItem", + "dynamodb:BatchWriteItem" @@ -138,0 +141,10 @@ JSON + }, + { + "Sid": "AllowCreatingSLR", + "Effect": "Allow", + "Action": [ + "iam:CreateServiceLinkedRole" + ], + "Resource": [ + "arn:aws:iam::123456789012:role/aws-service-role/replication.dynamodb.amazonaws.com/AWSServiceRoleForDynamoDBReplication" + ]