AWS amazondynamodb high security documentation change
Summary
Added warning about policy precedence and recommendation to use explicit Deny statements
Security assessment
Addresses critical security gap: unconditional identity policies override resource policy conditions, potentially leading to unintended data access. Recommends explicit Deny as mitigation.
Diff
diff --git a/amazondynamodb/latest/developerguide/rbac-auth-iam-id-based-policies-DDB.md b/amazondynamodb/latest/developerguide/rbac-auth-iam-id-based-policies-DDB.md index 241c82978..9e0204898 100644 --- a//amazondynamodb/latest/developerguide/rbac-auth-iam-id-based-policies-DDB.md +++ b//amazondynamodb/latest/developerguide/rbac-auth-iam-id-based-policies-DDB.md @@ -14,0 +15,4 @@ If the IAM principal is from the same account as the resource owner, a resource- +###### Important + +If an identity-based policy grants unconditional access to a DynamoDB table (for example, `dynamodb:GetItem` with no conditions), a resource-based policy that allows access with conditions on `dynamodb:Attributes` won't restrict that access. The identity-based policy's unconditional allow takes precedence, and the resource-based policy's conditions are not applied as restrictions. To restrict access to specific attributes, use an explicit `Deny` statement instead of relying solely on conditional `Allow` statements in the resource-based policy. +