
I try to create a policy which denies access to a dynamodb table.

I've added ReadOnlyAccess (full) and I want the user to not be able to read/use/put data in one table.

The policy looks like this

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dynamodb:BatchGet*",
                "dynamodb:DescribeStream",
                "dynamodb:DescribeTable",
                "dynamodb:Get*",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:BatchWrite*",
                "dynamodb:CreateTable",
                "dynamodb:Delete*",
                "dynamodb:Update*",
                "dynamodb:PutItem"
            ],
            "Effect": "Deny",
            "Resource": "arn:aws:dynamodb:xx-xx-xx:xxxxxxx:table/some-name"
        }
    ]
}

The user now cannot check data in the some-name table, which is fine, but when I list the tables I see a load of random "failed to load" tables. I can click on them and access the data, but I don't want to see "failed to load" (except then possibly for the some-name table).

What am I doing wrong?

Cadoiz
mealesbia
  • Can you provide an example of these "failed to load" messages? A screenshot, or the exact message and where it appears? You might also be able to use AWS CloudTrail to see which API calls were made by the console that are being denied. – John Rotenstein May 19 '20 at 12:03

1 Answer


I cannot find a primary source, but judging from answers on the question "IAM policy to allow access to DynamoDB console for specific tables", the "dynamodb:DescribeTable" permission might always be required for all tables for the console to work properly.

I guess it makes sense though, since I don't think the returned tables from "ListTables" can be restricted, and if the console executes a "DescribeTable" on the restricted table, it will get an error.

Christian
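As an added illustration (not part of the question or the answer above), the following Python evaluator applies IAM's explicit-deny-overrides-allow rule with wildcard action matching to the question's deny statement and to a variant with "dynamodb:DescribeTable" removed. The read-only allow statement is a constructed stand-in for the DynamoDB part of ReadOnlyAccess, and the second table ARN is a constructed sample.

```python
import fnmatch

# Constructed stand-in for the DynamoDB read actions ReadOnlyAccess grants on every resource.
READ_ONLY_ALLOW = {
    "Effect": "Allow",
    "Action": ["dynamodb:BatchGet*", "dynamodb:Describe*", "dynamodb:Get*",
               "dynamodb:List*", "dynamodb:Query", "dynamodb:Scan"],
    "Resource": "*",
}

RESTRICTED = "arn:aws:dynamodb:xx-xx-xx:xxxxxxx:table/some-name"  # ARN from the question
OTHER = "arn:aws:dynamodb:xx-xx-xx:xxxxxxx:table/other-table"     # constructed sample

# The deny statement exactly as posted in the question (DescribeTable included).
DENY_FROM_QUESTION = {
    "Effect": "Deny",
    "Action": ["dynamodb:BatchGet*", "dynamodb:DescribeStream", "dynamodb:DescribeTable",
               "dynamodb:Get*", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchWrite*",
               "dynamodb:CreateTable", "dynamodb:Delete*", "dynamodb:Update*", "dynamodb:PutItem"],
    "Resource": RESTRICTED,
}

# Same deny with DescribeTable left out, so the console's per-table describe call still succeeds.
DENY_FIXED = dict(DENY_FROM_QUESTION,
                  Action=[a for a in DENY_FROM_QUESTION["Action"] if a != "dynamodb:DescribeTable"])


def _matches(pattern, value):
    # IAM treats "*" and "?" as wildcards in Action and Resource; action names are case-insensitive.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _applies(stmt, action, resource):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
    return any(_matches(a, action) for a in actions) and any(_matches(r, resource) for r in resources)


def evaluate(statements, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny': an explicit Deny always wins,
    otherwise any matching Allow grants, otherwise the request is implicitly denied."""
    decision = "ImplicitDeny"
    for stmt in statements:
        if _applies(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def describe_decisions(statements, tables):
    """What the console gets back when it calls DescribeTable on each listed table."""
    return {t: evaluate(statements, "dynamodb:DescribeTable", t) for t in tables}
```

With the question's statement, DescribeTable on some-name is denied while data access on the other table stays allowed; with the fixed statement, DescribeTable is allowed everywhere but GetItem, Query, Scan and all writes on some-name remain denied.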