Announcing Fine-Grained Access Control for Amazon DynamoDB

Posted on: Oct 31, 2013

We are excited to announce Fine-Grained Access Control (FGAC), a novel security feature for Amazon DynamoDB. Requests to a DynamoDB table can now be restricted to specific items and even attributes. Additionally, requests can now be authenticated and authorized directly by DynamoDB.

FGAC gives a DynamoDB table owner a high degree of control over data in the table. Specifically, the table owner can indicate who (caller) can access which items or attributes of the table and perform what actions (read / write capability). FGAC is used in concert with AWS Identity and Access Management (IAM), which manages the security credentials and the associated permissions.

Any application that tracks information in a DynamoDB table, where the end user (or application client acting on behalf of an end user) wants to read or modify the table directly, without a middle-tier service, can benefit from FGAC. For instance, a developer of a mobile game can use FGAC to track the top score of every user in a DynamoDB table. FGAC will ensure that the application client is only able to modify the top score for the user that is currently running the application.
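The top-score scenario above could be expressed as an IAM policy like the one below. This is an added example, not part of the original announcement: the table name `GameScores`, the attribute names `UserId` and `TopScore`, the `Sid`, and the `REGION` / `ACCOUNT_ID` placeholders are assumptions, and it assumes users sign in through web identity federation with Login with Amazon, so that `${www.amazon.com:user_id}` resolves to the caller's own ID and matches the table's hash key.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleOwnTopScoreOnly",
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem"
      ],
      "Resource": "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/GameScores",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": ["${www.amazon.com:user_id}"],
          "dynamodb:Attributes": ["UserId", "TopScore"]
        },
        "StringEqualsIfExists": {
          "dynamodb:Select": "SPECIFIC_ATTRIBUTES",
          "dynamodb:ReturnValues": ["NONE", "UPDATED_OLD", "UPDATED_NEW"]
        }
      }
    }
  ]
}
```

`dynamodb:Scan` is left out of the action list because a scan reads across every hash key rather than one user's items. The `dynamodb:Select` and `dynamodb:ReturnValues` conditions keep a caller from retrieving attributes outside the allowed list by asking for all attributes or for the full old or new item on an update.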

To enable FGAC, please use the Access Control Policy Generator in the DynamoDB Console. You can learn more by visiting the Fine-Grained Access Control Documentation page or Jeff Barr’s blog post.