AWS IAM policy template • DynamoDB

DynamoDB CRUD (Single Table)

Create, read, update, delete items in one table — no DeleteTable, no cross-table access.

Policy

Replace the placeholders inside the ARNs (REGION, ACCOUNT_ID, YOUR-TABLE-NAME) with your real values before use.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CrudOnOneTable",
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:Query",
        "dynamodb:BatchGetItem",
        "dynamodb:BatchWriteItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/YOUR-TABLE-NAME",
        "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/YOUR-TABLE-NAME/index/*"
      ]
    }
  ]
}

Why it's scoped this way

  • Both the table ARN and its /index/* ARN are listed explicitly — dynamodb:Query against a GSI fails with AccessDenied if only the base table ARN is granted, which is a common cause of "works on the base table, breaks on the index" bugs.
  • No dynamodb:DeleteTable, dynamodb:UpdateTable, or dynamodb:CreateTable — this role can operate on items but cannot destroy or reshape the table itself.
  • No dynamodb:Scan — Scan reads the entire table and is rarely what an application role needs; omit it unless a specific access pattern requires a full scan.

Hardening it further

  • If the caller only ever needs one item type, add a dynamodb:LeadingKeys condition to restrict which partition-key values it can touch (useful for multi-tenant tables).
  • Split read (Get/Query) and write (Put/Update/Delete) into separate roles if the caller only ever does one or the other.
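As an added example (not part of the Shieldly template), the Python below builds the hardened variant with a dynamodb:LeadingKeys condition and then runs a small self-check for the pitfalls listed above: a Query grant without the matching /index/* ARN, table-level actions, Scan, and wildcards. The table ARN and tenant values are constructed placeholders.

```python
import json

# Constructed placeholder; substitute your real table ARN.
TABLE_ARN = "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/YOUR-TABLE-NAME"
TABLE_LEVEL = {"dynamodb:DeleteTable", "dynamodb:UpdateTable", "dynamodb:CreateTable"}


def hardened_crud_policy(table_arn: str, leading_keys: list[str]) -> dict:
    """Single-table CRUD policy restricted to the given partition-key values.

    leading_keys may be literal tenant ids or policy variables such as
    "${aws:userid}"; ForAllValues:StringEquals is the documented pattern for
    dynamodb:LeadingKeys. The index ARN is derived from the table ARN.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CrudOnOneTableScopedByKey",
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
                "dynamodb:DeleteItem", "dynamodb:Query",
                "dynamodb:BatchGetItem", "dynamodb:BatchWriteItem",
            ],
            "Resource": [table_arn, f"{table_arn}/index/*"],
            "Condition": {
                "ForAllValues:StringEquals": {"dynamodb:LeadingKeys": leading_keys}
            },
        }],
    }


def policy_findings(policy: dict) -> list[str]:
    """Return the scoping problems this template is designed to avoid; [] if clean."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        sid = st.get("Sid", "<no Sid>")
        actions = set([st["Action"]] if isinstance(st["Action"], str) else st["Action"])
        resources = [st["Resource"]] if isinstance(st["Resource"], str) else st["Resource"]
        if actions & {"*", "dynamodb:*"}:
            findings.append(f"{sid}: wildcard action")
        if "*" in resources:
            findings.append(f"{sid}: wildcard resource")
        if actions & TABLE_LEVEL:
            findings.append(f"{sid}: table-level actions {sorted(actions & TABLE_LEVEL)}")
        if "dynamodb:Scan" in actions:
            findings.append(f"{sid}: Scan granted (full-table read)")
        # Query on a GSI needs the /index/* ARN next to the base table ARN.
        for tbl in (r for r in resources if ":table/" in r and "/index/" not in r):
            if "dynamodb:Query" in actions and f"{tbl}/index/*" not in resources:
                findings.append(f"{sid}: Query allowed but no /index/* ARN for {tbl}")
    return findings


if __name__ == "__main__":
    pol = hardened_crud_policy(TABLE_ARN, ["tenant-a"])
    print(json.dumps(pol, indent=2), policy_findings(pol))
```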

Paste your finished policy into the free AI-Powered IAM analyzer to catch anything you loosened while filling it in.

Check your finished policy — free

Shieldly's AI-Powered analyzer flags privilege-escalation paths, wildcards, and risky PassRole in seconds. No signup, no AWS credentials. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.