AWS Security ChangesHomeSearch

AWS amazondynamodb high security documentation change

Service: amazondynamodb · 2026-07-04 · Security-related high

File: amazondynamodb/latest/developerguide/Cognito.Credentials.md

Summary

Changed DynamoDB permissions for unauthenticated Cognito users from full access to read-only, adding explanation about least privilege principle

Security assessment

Reducing permissions from AmazonDynamoDBFullAccess to AmazonDynamoDBReadOnlyAccess explicitly follows security best practices by limiting unauthenticated users to read operations only, preventing potential data modification/deletion risks

Diff

diff --git a/amazondynamodb/latest/developerguide/Cognito.Credentials.md b/amazondynamodb/latest/developerguide/Cognito.Credentials.md
index bef95e0fc..54fdf05e4 100644
--- a//amazondynamodb/latest/developerguide/Cognito.Credentials.md
+++ b//amazondynamodb/latest/developerguide/Cognito.Credentials.md
@@ -62 +62 @@ JSON
-  4. Grant the `Cognito_DynamoPoolUnauth` role full access to DynamoDB by attaching a managed policy (`AmazonDynamoDBFullAccess`). 
+  4. Grant the `Cognito_DynamoPoolUnauth` role read-only access to DynamoDB by attaching a managed policy (`AmazonDynamoDBReadOnlyAccess`). Because this role is assumed by unauthenticated users, follow the principle of least privilege and grant only the permissions the role actually needs. 
@@ -64 +64 @@ JSON
-        aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess \
+        aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess \