AWS amazondynamodb documentation change
Summary
Restructured and expanded documentation about global tables security, including detailed IAM permissions, service-linked roles for replication/auto-scaling, MREC/MRSC differences, and example policies with security considerations
Security assessment
The changes focus on documenting security configurations (IAM roles, KMS encryption) and potential service disruptions from misconfigured policies, but do not indicate remediation of a specific vulnerability. Added guidance about avoiding permission denials to SLRs helps prevent operational issues rather than addressing exploits.
Diff
diff --git a/amazondynamodb/latest/developerguide/globaltables-security.md b/amazondynamodb/latest/developerguide/globaltables-security.md index e4bd514c0..ede70fef6 100644 --- a//amazondynamodb/latest/developerguide/globaltables-security.md +++ b//amazondynamodb/latest/developerguide/globaltables-security.md @@ -5 +5 @@ -How global tables use AWS IAMHow global tables use AWS KMS +Global tables service-linked rolesGlobal tables IAM permissionsGlobal tables AWS KMS encryption @@ -11,3 +11 @@ Global tables replicas are DynamoDB tables, so you use the same methods for cont -## How global tables use AWS IAM - -### Replication service-linked role +This topic covers how to secure DynamoDB global tables using IAM permissions and AWS Key Management Service (AWS KMS) encryption. You learn about the service-linked roles (SLR) that allow cross-Region replication and auto-scaling, the IAM permissions needed to create, update, and delete global tables , and the differences between multi-Region eventual consistency (MREC) and multi-Region strong consistency (MRSC) tables. You also learn about AWS KMS encryption keys to manage cross-Region replication securely. @@ -15 +13 @@ Global tables replicas are DynamoDB tables, so you use the same methods for cont -When you create a global table for the first time, Amazon DynamoDB automatically creates an AWS Identity and Access Management (IAM) service-linked role (SLR). The SLR is named [`AWSServiceRoleForDynamoDBReplication`](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/DynamoDBReplicationServiceRolePolicy), and it allows DynamoDB to manage cross-Region replication for global tables on your behalf. +## Service-linked roles for global tables @@ -17 +15 @@ When you create a global table for the first time, Amazon DynamoDB automatically -When applying resource-based policies to replicas, ensure that you don't deny any of the permissions defined in the `AWSServiceRoleForDynamoDBReplication` policy to the SLR principal, as this will interrupt replication. If you deny required SLR permissions, replication to and from affected replicas will stop, and the replica table status will change to `REPLICATION_NOT_AUTHORIZED`. +DynamoDB global tables rely on service-linked roles (SLRs) to manage cross-Region replication and auto-scaling capabilities. @@ -19 +17 @@ When applying resource-based policies to replicas, ensure that you don't deny an - * If a replica in a global table configured for multi-Region eventual consistency (MREC) remains in the `REPLICATION_NOT_AUTHORIZED` state for more than 20 hours, the replica is irreversibly converted to a single-Region DynamoDB table. +You only need to set up these roles once per AWS account. Once created, the same roles serve all global tables in your account. For more information about service-linked roles, see [Using service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) in the _IAM User Guide_. @@ -21 +19 @@ When applying resource-based policies to replicas, ensure that you don't deny an - * Global table replicas configured for multi-Region strong consistency (MRSC) return an `AccessDeniedException` for write and strongly consistent read operations. If a replica in a MRSC global table remains in the `REPLICATION_NOT_AUTHORIZED` state for more than seven days, the replica becomes permanently inaccessible, and write and strongly consistent read operations will continue to fail with an error. Some management operations like replica deletion will succeed. +### Replication service-linked role @@ -22,0 +21 @@ When applying resource-based policies to replicas, ensure that you don't deny an +Amazon DynamoDB automatically creates the `AWSServiceRoleForDynamoDBReplication` service-linked role (SLR) when you create your first global table. This role manages cross-Region replication for you. @@ -23,0 +23 @@ When applying resource-based policies to replicas, ensure that you don't deny an +When applying resource-based policies to replicas, ensure that you don't deny any of the permissions defined in the `AWSServiceRoleForDynamoDBReplicationPolicy` to the SLR principal, as this will interrupt replication. If you deny required SLR permissions, replication to and from affected replicas will stop, and the replica table status will change to `REPLICATION_NOT_AUTHORIZED`. @@ -24,0 +25 @@ When applying resource-based policies to replicas, ensure that you don't deny an + * For multi-Region eventual consistency (MREC) global tables, if a replica remains in the `REPLICATION_NOT_AUTHORIZED` state for more than 20 hours, the replica is irreversibly converted to a single-Region DynamoDB table. @@ -26 +27 @@ When applying resource-based policies to replicas, ensure that you don't deny an -### Auto scaling service-linked role + * For multi-Region strong consistency (MRSC) global tables, denying required permissions results in `AccessDeniedException` for write and strongly consistent read operations. If a replica remains in the `REPLICATION_NOT_AUTHORIZED` state for more than seven days, the replica becomes permanently inaccessible, and write and strongly consistent read operations will continue to fail with an error. Some management operations like replica deletion will succeed. @@ -28 +28,0 @@ When applying resource-based policies to replicas, ensure that you don't deny an -When you configure a global table for provisioned capacity mode, you must also configure auto scaling for the global table. DynamoDB auto scaling uses the AWS Application Auto Scaling Service to dynamically adjust provisioned throughput capacity on your global table replicas. The Application Auto Scaling service creates a service-linked role (SLR) named `AWSServiceRoleForApplicationAutoScaling_DynamoDBTable` to manage provisioned table capacity and create CloudWatch alarms. When applying resource-based policies to replicas, ensure that you don't deny any of the permissions defined in the `AWSServiceRoleForApplicationAutoScaling_DynamoDBTable` policy to the Application Auto Scaling Service SLR principal, as this will interrupt auto scaling functionality. @@ -30 +29,0 @@ When you configure a global table for provisioned capacity mode, you must also c -For more information about service-linked roles, see [Using service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) in the _IAM User Guide_. @@ -32 +30,0 @@ For more information about service-linked roles, see [Using service-linked roles -### Required permissions for global tables @@ -34 +32 @@ For more information about service-linked roles, see [Using service-linked roles -To create a replica, you must have the following permission on the table or replica to which you are adding new replicas: +### Auto scaling service-linked role @@ -36 +34 @@ To create a replica, you must have the following permission on the table or repl - * `dynamodb:UpdateTable` +When configuring a global table for provisioned capacity mode, auto scaling must be configured for the global table. DynamoDB auto scaling uses the AWS Application Auto Scaling service to dynamically adjust provisioned throughput capacity on your global table replicas. The Application Auto Scaling service creates a service-linked role (SLR) named [`AWSServiceRoleForApplicationAutoScaling_DynamoDBTable`](https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-service-linked-roles.html). This service-linked role is automatically created in your AWS account when you first configure auto scaling for a DynamoDB table. It allows Application Auto Scaling to managed provisioned table capacity and create CloudWatch alarms. @@ -37,0 +36 @@ To create a replica, you must have the following permission on the table or repl +When applying resource-based policies to replicas, ensure that you don't deny any permissions defined in the [`AWSApplicationAutoscalingDynamoDBTablePolicy`](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationAutoscalingDynamoDBTablePolicy.html) to the Application Auto Scaling SLR principal, as this will interrupt auto scaling functionality. @@ -38,0 +38 @@ To create a replica, you must have the following permission on the table or repl +### Example IAM policies for service-linked roles @@ -39,0 +40 @@ To create a replica, you must have the following permission on the table or repl +An IAM policy with the following condition does not impact required permissions to the DynamoDB replication SLR and AWS Auto Scaling SLR. This condition can be added to otherwise broadly restrictive policies to avoid unintentionally interrupting replication or auto scaling. @@ -41 +42 @@ To create a replica, you must have the following permission on the table or repl -To create a replica, you must have the following permissions in each Region where a new replica will be created: +The following example shows how to exclude service-linked role principals from deny statements: @@ -43 +43,0 @@ To create a replica, you must have the following permissions in each Region wher - * `dynamodb:CreateTable` @@ -45 +45,8 @@ To create a replica, you must have the following permissions in each Region wher - * `dynamodb:CreateTableReplica` + "Condition": { + "StringNotEquals": { + "aws:PrincipalArn": [ + "arn:aws::iam::111122223333:role/aws-service-role/replication.dynamodb.amazonaws.com/AWSServiceRoleForDynamoDBReplication", + "arn:aws::iam::111122223333:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable" + ] + } + } @@ -46,0 +54 @@ To create a replica, you must have the following permissions in each Region wher +## How global tables use AWS IAM @@ -47,0 +56 @@ To create a replica, you must have the following permissions in each Region wher +The following sections describe the required permissions for different global table operations and provide policy examples to help you configure the appropriate access for your users and applications. @@ -48,0 +58 @@ To create a replica, you must have the following permissions in each Region wher +###### Note @@ -50 +60 @@ To create a replica, you must have the following permissions in each Region wher -To create a witness, you must have the following permission in the Region where a new witness will be created: +All permissions described must be applied to the specific table resource ARN in the affected Region(s). The table resource ARN follows the format `arn:aws:dynamodb:region:account-id:table/table-name`, where you need to specify your actual Region, account ID, and table name values. @@ -52 +62 @@ To create a witness, you must have the following permission in the Region where - * `dynamodb:CreateGlobalTableWitness` +###### Topics @@ -53,0 +64 @@ To create a witness, you must have the following permission in the Region where + * Creating global tables and adding replicas @@ -54,0 +66 @@ To create a witness, you must have the following permission in the Region where + * Updating global tables @@ -55,0 +68 @@ To create a witness, you must have the following permission in the Region where + * Deleting global tables and removing replicas @@ -57 +69,0 @@ To create a witness, you must have the following permission in the Region where -To delete a replica, you must have the following permissions on the replica: @@ -59 +70,0 @@ To delete a replica, you must have the following permissions on the replica: - * `dynamodb:DeleteTable` @@ -61 +71,0 @@ To delete a replica, you must have the following permissions on the replica: - * `dynamodb:DeleteTableReplica` @@ -62,0 +73 @@ To delete a replica, you must have the following permissions on the replica: +### Creating global tables and adding replicas @@ -63,0 +75 @@ To delete a replica, you must have the following permissions on the replica: +DynamoDB global tables support two consistency modes: multi-Region eventual consistency (MREC) and multi-Region strong consistency (MRSC). MREC global tables can have multiple replicas across any number of Regions and provide eventual consistency. MRSC global tables require exactly three Regions (three replicas or two replicas and one witness) and provide strong consistency with zero recovery point objective (RPO). @@ -64,0 +77 @@ To delete a replica, you must have the following permissions on the replica: +The permissions required to create global tables depend on whether you're creating a global table with or without a witness. @@ -66 +79 @@ To delete a replica, you must have the following permissions on the replica: -To delete a witness, you must have the following permissions on the witness: +#### Permissions for creating global tables @@ -68 +81 @@ To delete a witness, you must have the following permissions on the witness: - * `dynamodb:DeleteGlobalTableWitness` +The following permissions are required both for initial global table creation and for adding replicas later. These permissions apply to both Multi-Region Eventual Consistency (MREC) and Multi-Region Strong Consistency (MRSC) global tables. @@ -69,0 +83 @@ To delete a witness, you must have the following permissions on the witness: + * Global tables require cross-Region replication, which DynamoDB manages through the AWSServiceRoleForDynamoDBReplication service-linked role (SLR). The following permission allows DynamoDB to create this role automatically when you create a global table for the first time: @@ -70,0 +85 @@ To delete a witness, you must have the following permissions on the witness: + * `iam:CreateServiceLinkedRole` @@ -71,0 +87 @@ To delete a witness, you must have the following permissions on the witness: + * To create a global table or add a replica using the [`UpdateTable`](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_UpdateTable.html) API, you must have the following permission on the source table resource: @@ -73 +89 @@ To delete a witness, you must have the following permissions on the witness: -To update a replica auto scaling policy with the `UpdateTableReplicaAutoScaling` API, you must have the following permissions in all Regions containing replicas: + * `dynamodb:UpdateTable` @@ -75 +91 @@ To update a replica auto scaling policy with the `UpdateTableReplicaAutoScaling` - * `application-autoscaling:DeleteScalingPolicy` + * You must have the following permissions on the table resource in the Regions for the replicas to be added: @@ -77 +93 @@ To update a replica auto scaling policy with the `UpdateTableReplicaAutoScaling` - * `application-autoscaling:DeleteScheduledAction` + * `dynamodb:CreateTable` @@ -79 +95 @@ To update a replica auto scaling policy with the `UpdateTableReplicaAutoScaling` - * `application-autoscaling:DeregisterScalableTarget` + * `dynamodb:CreateTableReplica` @@ -81 +97 @@ To update a replica auto scaling policy with the `UpdateTableReplicaAutoScaling` - * `application-autoscaling:DescribeScalableTargets` + * `dynamodb:Query` @@ -83 +99 @@ To update a replica auto scaling policy with the `UpdateTableReplicaAutoScaling` - * `application-autoscaling:DescribeScalingActivities` + * `dynamodb:Scan` @@ -85 +101 @@ To update a replica auto scaling policy with the `UpdateTableReplicaAutoScaling` - * `application-autoscaling:DescribeScalingPolicies` + * `dynamodb:UpdateItem` @@ -87 +103 @@ To update a replica auto scaling policy with the `UpdateTableReplicaAutoScaling` - * `application-autoscaling:DescribeScheduledActions` + * `dynamodb:PutItem` @@ -89 +105 @@ To update a replica auto scaling policy with the `UpdateTableReplicaAutoScaling` - * `application-autoscaling:PutScalingPolicy` + * `dynamodb:GetItem` @@ -91 +107 @@ To update a replica auto scaling policy with the `UpdateTableReplicaAutoScaling` - * `application-autoscaling:PutScheduledAction` + * `dynamodb:DeleteItem` @@ -93 +109 @@ To update a replica auto scaling policy with the `UpdateTableReplicaAutoScaling` - * `application-autoscaling:RegisterScalableTarget` + * `dynamodb:BatchWriteItem` @@ -98 +114 @@ To update a replica auto scaling policy with the `UpdateTableReplicaAutoScaling` -To update Time to Live settings with the `UpdateTimeToLive` API, you must have the following permission on all replicas: +#### Additional permissions for MRSC global tables using a witness @@ -100 +116 @@ To update Time to Live settings with the `UpdateTimeToLive` API, you must have t - * `dynamodb:UpdateTimeToLive` +When creating a Multi-Region Strong Consistency (MRSC) global table with a witness Region, you must have the following permission on the table resource in all participating Regions (including both replica Regions and the witness Region): @@ -101,0 +118 @@ To update Time to Live settings with the `UpdateTimeToLive` API, you must have t + * `dynamodb:CreateGlobalTableWitness` @@ -105 +121,0 @@ To update Time to Live settings with the `UpdateTimeToLive` API, you must have t -### Example IAM policies @@ -107 +123 @@ To update Time to Live settings with the `UpdateTimeToLive` API, you must have t -#### Example: Manage a global table +#### Example IAM policies for creating global tables @@ -109 +125 @@ To update Time to Live settings with the `UpdateTimeToLive` API, you must have t -The following IAM policy grants permissions to create and delete global table replicas and witnesses for the "users" table in three Regions: +The following identity-based policy allows you to create an MREC or MRSC global table named "users" across three Regions, including creating the required DynamoDB replication service-linked role. @@ -156 +172 @@ JSON -#### Example: Exclude required SLR permissions from wildcard deny policies +The following identity-based policy allows you to create DynamoDB global tables replicas across specific Regions using the [aws:RequestedRegion](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requestedregion) condition key, including creating the required DynamoDB replication service-linked role. @@ -158 +174 @@ JSON -An IAM policy with the following condition does not impact required permissions to the DynamoDB replication SLR and AWS Auto Scaling SLR. This condition can be added to otherwise broadly restrictive policies to avoid unintentionally interrupting replication or auto scaling: +JSON @@ -160,0 +177,14 @@ An IAM policy with the following condition does not impact required permissions +**** + + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Sid": "AllowAddingReplicasToSourceTable", + "Effect": "Allow", + "Action": [ + "dynamodb:UpdateTable" + ], + "Resource": "*", @@ -162,4 +192,40 @@ An IAM policy with the following condition does not impact required permissions - "StringNotEquals": { - "aws:PrincipalArn": [ - "arn:aws:iam::YOUR_ACCOUNT_ID:role/aws-service-role/replication.dynamodb.amazonaws.com/AWSServiceRoleForDynamoDBReplication", - "arn:aws:iam::YOUR_ACCOUNT_ID:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable" + "StringEquals": { + "aws:RequestedRegion": [ + "us-east-1" + ] + } + } + }, + { + "Sid": "AllowCreatingReplicas", + "Effect": "Allow", + "Action": [ + "dynamodb:CreateTable", + "dynamodb:CreateTableReplica", + "dynamodb:UpdateTable", + "dynamodb:Query", + "dynamodb:Scan", + "dynamodb:UpdateItem",