AWS Security ChangesHomeSearch

AWS amazondynamodb high security documentation change

Service: amazondynamodb · 2026-02-19 · Security-related high

File: amazondynamodb/latest/developerguide/rbac-auth-iam-id-based-policies-DDB.md

Summary

Added warning about policy precedence and recommendation to use explicit Deny statements

Security assessment

Addresses critical security gap: unconditional identity policies override resource policy conditions, potentially leading to unintended data access. Recommends explicit Deny as mitigation.

Diff

diff --git a/amazondynamodb/latest/developerguide/rbac-auth-iam-id-based-policies-DDB.md b/amazondynamodb/latest/developerguide/rbac-auth-iam-id-based-policies-DDB.md
index 241c82978..9e0204898 100644
--- a//amazondynamodb/latest/developerguide/rbac-auth-iam-id-based-policies-DDB.md
+++ b//amazondynamodb/latest/developerguide/rbac-auth-iam-id-based-policies-DDB.md
@@ -14,0 +15,4 @@ If the IAM principal is from the same account as the resource owner, a resource-
+###### Important
+
+If an identity-based policy grants unconditional access to a DynamoDB table (for example, `dynamodb:GetItem` with no conditions), a resource-based policy that allows access with conditions on `dynamodb:Attributes` won't restrict that access. The identity-based policy's unconditional allow takes precedence, and the resource-based policy's conditions are not applied as restrictions. To restrict access to specific attributes, use an explicit `Deny` statement instead of relying solely on conditional `Allow` statements in the resource-based policy.
+