Agung Pratama

Reputation: 3784

Is it possible to set up DynamoDB permission scope to only tables with some prefix?

Let's say I am using a shared AWS account. I want to set up my tables with the prefix "x-team", for example:

Another team also has other tables with a different prefix naming scheme. To limit our application's scope, we want to set up different credentials to be used by each team.

In this doc http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/ddb-api-permissions-ref.html, they use the wildcard *, but there is no illustration that it is possible to use a wildcard for a table-name prefix scheme.

Upvotes: 8

Views: 2104

Answers (1)

Ben Reser

Reputation: 5765

Yes, it is possible.

This policy would allow a user to create, read, update and delete tables that are named with their username and an underscore:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllAPIActionsOnUserSpecificTable",
            "Effect": "Allow",
            "Action": [
                "dynamodb:*"
            ],
            "Resource": "arn:aws:dynamodb:us-west-2:494057818753:table/${aws:username}_*"
        },
        {
            "Sid": "AdditionalPrivileges",
            "Effect": "Allow",
            "Action": [
                "dynamodb:ListTables",
                "dynamodb:DescribeTable"
            ],
            "Resource": "*"
        }
    ]
}

This is very briefly mentioned at the bottom of this example in the AWS DynamoDB documentation.

Obviously, if you want to use prefixes that are different from the username, you can; you'll just have to make a separate policy for every prefix you want to support.

Upvotes: 4
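To see how the wildcard in the answer's policy actually scopes access, here is an added offline evaluator (not from the answer or from AWS) that expands the `${aws:username}` policy variable and applies IAM's `*`/`?` wildcard matching to sample table ARNs. The account id, the user name "alice" and the table names are constructed placeholders.

```python
import re

# Constructed example policy, modelled on the one in the answer; the account id is a placeholder.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllAPIActionsOnUserSpecificTable", "Effect": "Allow",
         "Action": ["dynamodb:*"],
         "Resource": "arn:aws:dynamodb:us-west-2:111122223333:table/${aws:username}_*"},
        {"Sid": "AdditionalPrivileges", "Effect": "Allow",
         "Action": ["dynamodb:ListTables", "dynamodb:DescribeTable"],
         "Resource": "*"},
    ],
}


def iam_match(pattern: str, value: str, case_sensitive: bool = True) -> bool:
    """IAM wildcard match: '*' is any run of characters, '?' exactly one; all else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None


def expand_variables(pattern: str, variables: dict) -> str:
    """Substitute ${aws:username}-style policy variables; unknown variables are left as-is."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: variables.get(m.group(1), m.group(0)), pattern)


def is_allowed(policy: dict, action: str, resource_arn: str, variables: dict) -> bool:
    """Default deny: an explicit Deny always wins, otherwise any matching Allow grants the call.
    Action names are matched case-insensitively, resource ARNs case-sensitively, as IAM does."""
    as_list = lambda v: v if isinstance(v, list) else [v]
    decision = False
    for stmt in policy["Statement"]:
        action_hit = any(iam_match(a, action, False) for a in as_list(stmt["Action"]))
        resource_hit = any(iam_match(expand_variables(r, variables), resource_arn)
                           for r in as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


# Constructed sample ARNs for user "alice" in the policy's account and region.
TABLE_ARN = "arn:aws:dynamodb:us-west-2:111122223333:table/"
VARS = {"aws:username": "alice"}

if __name__ == "__main__":
    for action, table in [("dynamodb:PutItem", "alice_orders"), ("dynamodb:PutItem", "bob_orders"),
                          ("dynamodb:DescribeTable", "bob_orders"), ("dynamodb:DeleteTable", "alice")]:
        verdict = "ALLOW" if is_allowed(POLICY, action, TABLE_ARN + table, VARS) else "DENY"
        print(f"{action:24} {table:14} -> {verdict}")
```

Note that a table named exactly "alice" is denied: the pattern `alice_*` requires the underscore, so the prefix boundary is part of the scope.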
