AWS amazondynamodb high security documentation change
Summary
Added resource-based policy configuration for multi-account replication
Security assessment
The change introduces explicit IAM conditions (SourceAccount/SourceArn) to prevent unauthorized replication access, addressing potential privilege escalation vulnerabilities in multi-account setups. It documents critical security controls for cross-account replication.
Diff
diff --git a/amazondynamodb/latest/developerguide/V2globaltables_MA.tutorial.md b/amazondynamodb/latest/developerguide/V2globaltables_MA.tutorial.md index 3d009443b..7973e0bf1 100644 --- a//amazondynamodb/latest/developerguide/V2globaltables_MA.tutorial.md +++ b//amazondynamodb/latest/developerguide/V2globaltables_MA.tutorial.md @@ -95 +95,29 @@ JSON - 3. Keep the other default settings and choose **Submit**. + 3. In the **Resource-based policy** section, add the following resource policy for the table in this account (`444455556666`). Multi-account global table replication is bi-directional, so each replica table must grant the DynamoDB replication service and the other participating account the permissions required to replicate. This mirrors the policy you added in the first account, with the account references reversed: + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "DynamoDBActionsNeededForSteadyStateReplication", + "Effect": "Allow", + "Action": [ + "dynamodb:ReadDataForReplication", + "dynamodb:WriteDataForReplication", + "dynamodb:ReplicateSettings" + ], + "Resource": "arn:aws:dynamodb:us-east-1:444455556666:table/MusicTable", + "Principal": {"Service": ["replication.dynamodb.amazonaws.com"]}, + "Condition": { + "StringEquals": { + "aws:SourceAccount": ["444455556666","111122223333"], + "aws:SourceArn": [ + "arn:aws:dynamodb:us-east-1:444455556666:table/MusicTable", + "arn:aws:dynamodb:us-east-2:111122223333:table/MusicTable" + ] + } + } + } + ] + } + + 4. Keep the other default settings and choose **Submit**.