AWS Security ChangesHomeSearch

AWS amazondynamodb high security documentation change

Service: amazondynamodb · 2026-07-04 · Security-related high

File: amazondynamodb/latest/developerguide/rbac-examples.md

Summary

Updated principal ARN in example policy and added critical warning/examples about avoiding policy lockout when using Deny statements. Added ArnNotEquals condition to exempt admin roles.

Security assessment

Addresses security risk of accidental self-lockout when configuring resource policies. Explicitly warns about dangerous Deny configurations and provides mitigation (using ArnNotEquals). Evidence: Error message and example show concrete prevention of admin lockout scenarios.

Diff

diff --git a/amazondynamodb/latest/developerguide/rbac-examples.md b/amazondynamodb/latest/developerguide/rbac-examples.md
index e9197a585..37333aa70 100644
--- a//amazondynamodb/latest/developerguide/rbac-examples.md
+++ b//amazondynamodb/latest/developerguide/rbac-examples.md
@@ -108 +108 @@ JSON
-            "AWS": "arn:aws:iam::111122223333:user/role-name"
+            "AWS": "arn:aws:iam::111122223333:user/username"
@@ -254,0 +255,4 @@ You can also deny all access to DynamoDB resources except when the source is a s
+A resource-based policy that contains only a `Deny` statement with `"Principal": "*"` denies access to every principal, including your own ability to update or delete the policy later. If you attach a policy that would lock you out in this way, DynamoDB rejects it with the following error: _The new resource policy will not allow you to update the resource policy in the future._ Adding a separate `Allow` statement does not resolve this, because an explicit `Deny` always overrides an `Allow`. To deny access to everyone except a specific VPC endpoint while retaining the ability to manage the policy, exempt the administering principal from the `Deny` statement by adding an `ArnNotEquals` condition on `aws:PrincipalArn`, as shown in the following example.
+
+###### Important
+
@@ -276,0 +281,3 @@ JSON
+            },
+            "ArnNotEquals":{
+              "aws:PrincipalArn":"arn:aws:iam::123456789012:role/AdminRole"