How do I troubleshoot the error AccessDeniedException when I'm trying to access an Amazon DynamoDB table?

Last updated: 2022-08-29

I'm trying to access an Amazon DynamoDB table, and I get the error AccessDeniedException.

Short description

You might get this error due to the following reasons:

  • The AWS Identity and Access Management (IAM) role that you used to access the DynamoDB table doesn't have the required permissions.
  • Access to the DynamoDB table is restricted at organization level.
  • The policy associated with the Amazon Virtual Private Cloud (Amazon VPC) endpoint for DynamoDB restricts the operation.
  • You activated multi-factor authentication (MFA) and tried to access the table without signing in using MFA.
  • You use a customer managed key or an AWS managed key to protect your DynamoDB tables.

Resolution

The IAM role doesn't have the required permissions

DynamoDB doesn't support resource-based policies. When you create a DynamoDB table, be sure to grant the required permissions to the IAM role that you use to access the table. You can attach the policies to IAM users, groups, or roles to grant the required permissions. For more information, see Using identity-based policies (IAM policies) with Amazon DynamoDB.

You can use an AWS Command Line Interface (AWS CLI) script to troubleshoot IAM permission API call failures.

Note: This AWS CLI script requires the jq command line JSON processor. For the tutorial and download instructions, see JSON output format. For distributions that use the yum package, run the following command:

$ sudo yum install jq

Run the following AWS CLI command:

# List the AccessDenied/Unauthorized API calls made by one identity in the time window
( echo "Time,Identity ARN,Event ID,Service,Action,Error,Message";
  aws cloudtrail lookup-events --start-time "2022-08-04T13:23:00Z" --end-time "2022-08-04T13:27:00Z" --query "Events[*].CloudTrailEvent" --output text \
    | jq -r ". | select(.userIdentity.arn == \"your-ARN\" and .eventType == \"AwsApiCall\" and .errorCode != null
    and (.errorCode | ascii_downcase | (contains(\"accessdenied\") or contains(\"unauthorized\"))))
    | [.eventTime, .userIdentity.arn, .eventID, .eventSource, .eventName, .errorCode, .errorMessage] | @csv"
) | column -t -s'",'

Note: Be sure to replace your-ARN with the IAM ARN for your resources.

The output of this command looks similar to the following:

Time                 Identity ARN                           Event ID                             Service                Action     Error Message 
2022-08-04T13:24:14Z arn:aws:iam::111122223333:user/article 42f420fe-ef06-43be-98a6-d5a0a90d7b4c dynamodb.amazonaws.com ListTables AccessDenied User: arn:aws:iam::111122223333:user/article is not authorized to perform: dynamodb:ListTables on resource: arn:aws:dynamodb:us-east-1:111122223333:table/* with an explicit deny in an identity-based policy
2022-08-04T13:51:22Z arn:aws:iam::111122223333:user/article b174e4e1-94a7-403e-a15f-1234aec796a6 dynamodb.amazonaws.com ListTables AccessDenied User: arn:aws:iam::111122223333:user/article is not authorized to perform: dynamodb:ListTables on resource: arn:aws:dynamodb:us-east-1:111122223333:table/* because no identity-based policy allows the dynamodb:ListTables action

The first message in this example means that you can't perform the ListTables action because a policy attached to the user (arn:aws:iam::111122223333:user/article) explicitly denies this operation. The second message means that no identity-based policy allows the dynamodb:ListTables action.

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent version of the AWS CLI.

Use the following best practices to be sure that your IAM role has the required permissions to access the DynamoDB table:

  • Be sure that the IAM role isn't included in any DENY statement of the trust policy.
  • Be sure that the IAM role is included in the ALLOW statement of the trust policy.
  • Be sure that all IAM conditions specified in the ALLOW statement are supported by the sts:AssumeRole API action.
  • If you're trying to access the DynamoDB table through AWS CLI, be sure that you used the correct access key ID and secret access key.

For more information, see How can I get data to assist in troubleshooting IAM permission access denied or unauthorized errors?

Access to the DynamoDB table is restricted at organization level

If you get the following error when you try to access the DynamoDB table, the access was denied due to a service control policy.

User: arn:aws:iam::11111222333:user/Admin is not authorized to perform: dynamodb:ListTables on resource: arn:aws:dynamodb:us-east-1:11111222333:table with an explicit deny in a service control policy

To troubleshoot this issue, check the policy that's defined at the organization level.

Note: If you deny DynamoDB operations at the organization level, then none of the IAM roles in that organization or AWS account can access DynamoDB, even if they have the required permissions.

The Amazon VPC endpoint policy restricts the operation

You can use an Amazon VPC endpoint to improve the privacy and security of data transfer between the DynamoDB table and your application. When you create the endpoint, you might choose to restrict access to the table for certain users by attaching an IAM resource policy with an explicit or implicit deny to the VPC endpoint. If you restricted access for the IAM user that's trying to access the table, then you get an error similar to the following:

An error occurred (AccessDeniedException) when calling the ListTables operation: User: arn:aws:iam::111222333444:user/Admin is not authorized to perform: dynamodb:ListTables on resource: arn:aws:dynamodb:us-east-1:11111222333:table/* with an explicit deny in a VPC endpoint policy

This error indicates that there is an explicit DENY statement in the VPC endpoint policy that denies the ListTables operation for the user Admin.

To view the VPC endpoint policy, run the AWS CLI command describe-vpc-endpoints.

-or-

Do the following:

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Endpoints.
  3. Select the VPC endpoint.
  4. Choose the Policy tab to view the endpoint policy.
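Each error message quoted in the sections above ends with a phrase that names the policy layer behind the denial (identity-based policy, service control policy, or VPC endpoint policy). The following Python sketch is an added example, not part of the original article: it parses such a message and reports which layer to inspect. The function name and labels are illustrative, and the sample messages are the ones quoted in this article.

```python
import re

# Phrases from the error messages quoted in this article, mapped to the
# policy layer to inspect next.
DENIAL_SOURCES = [
    ("with an explicit deny in a service control policy",
     "service control policy"),
    ("with an explicit deny in a VPC endpoint policy",
     "VPC endpoint policy"),
    ("with an explicit deny in an identity-based policy",
     "identity-based policy (explicit deny)"),
    ("because no identity-based policy allows",
     "identity-based policy (no allow)"),
]

MESSAGE_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:[\w*]+) on resource: (?P<resource>\S+)"
)


def triage(message):
    """Return principal, action, resource and denying policy layer, or None."""
    # Console and CLI output may wrap the message, so collapse whitespace.
    text = " ".join(message.split())
    match = MESSAGE_RE.search(text)
    if match is None:
        return None
    result = match.groupdict()
    result["source"] = next(
        (label for phrase, label in DENIAL_SOURCES if phrase in text),
        "not stated in message",
    )
    return result


# Sample messages copied from this article (account IDs are its placeholders).
_U = "User: arn:aws:iam::%s:user/%s is not authorized to perform: "
SAMPLES = [
    _U % ("111122223333", "article") + "dynamodb:ListTables on resource: "
    "arn:aws:dynamodb:us-east-1:111122223333:table/* because no "
    "identity-based policy allows the dynamodb:ListTables action",
    _U % ("11111222333", "Admin") + "\ndynamodb:ListTables on resource: "
    "arn:aws:dynamodb:us-east-1:11111222333:table with an explicit deny "
    "in a service control policy",
    "An error occurred (AccessDeniedException) when calling the ListTables "
    "operation: " + _U % ("111222333444", "Admin") + "dynamodb:ListTables "
    "on resource: arn:aws:dynamodb:us-east-1:11111222333:table/* with an "
    "explicit deny in a VPC endpoint policy",
]
```

The same function can be applied to the Message column produced by the CloudTrail command earlier in this article.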

You tried to access the table without signing in using MFA

Suppose that you configured MFA in your account with the following identity-based policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}

In this case, all actions except those that are required to authenticate using MFA are denied. If the IAM user isn't signed in with MFA, then all actions that are not listed in the above policy are denied, including DynamoDB actions.
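The following added example (not part of the original article) models how the Deny statement above is evaluated, to show why a request signed with long-term access keys is denied as well: the aws:MultiFactorAuthPresent key is absent from such requests, and BoolIfExists treats an absent key as a match. The function names and request contexts are constructed for illustration, and the model covers only this one statement.

```python
from fnmatch import fnmatchcase

# The Deny statement from the policy above; Resource is the wildcard,
# so only the action and the condition decide the outcome.
MFA_STATEMENT = {
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
        "iam:ListMFADevices", "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice", "sts:GetSessionToken",
    ],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}


def bool_if_exists(context, key, expected):
    """BoolIfExists: true when the key is absent, else compare the value."""
    if key not in context:
        return True
    return str(context[key]).lower() == expected.lower()


def denied_without_mfa(action, context, statement=MFA_STATEMENT):
    """True if the Deny statement applies to this action and request context."""
    # NotAction: the statement covers every action except the listed ones.
    # IAM action names are matched case-insensitively.
    exempt = any(fnmatchcase(action.lower(), pattern.lower())
                 for pattern in statement["NotAction"])
    if exempt:
        return False
    conditions = statement["Condition"]["BoolIfExists"]
    return all(bool_if_exists(context, k, v) for k, v in conditions.items())


# Constructed request contexts.
LONG_TERM_KEYS = {}  # access key ID and secret key: MFA key not in context
SESSION_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
SESSION_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}

if __name__ == "__main__":
    for ctx in (LONG_TERM_KEYS, SESSION_NO_MFA, SESSION_WITH_MFA):
        print(ctx, denied_without_mfa("dynamodb:ListTables", ctx))
```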

Your DynamoDB table uses the customer managed key or AWS managed key

When you create a DynamoDB table with a customer managed key or an AWS Key Management Service (AWS KMS) key, the policies on that KMS key must give DynamoDB permission to use the key on your behalf.

Be sure that the IAM user that's accessing the table has the following minimum permissions on the AWS KMS key:

  • DynamoDB uses the AWS KMS key to generate and encrypt a unique data key for the table, called the table key. To generate and encrypt this key, you must have the kms:GenerateDataKey permission.
  • The table key is used to secure the data encryption keys that are used to encrypt the table data. If the customer managed key is modified for a table, then DynamoDB produces a new table key. Then, DynamoDB uses the new table key to re-encrypt the data encryption keys. To do this operation, you must have the kms:ReEncrypt permission.
  • DynamoDB uses the kms:DescribeKey operation to determine if the customer managed key you selected exists within the account and Region. If the key is randomly removed, the DescribeKey call returns an error.
  • DynamoDB uses grants to set permissions on a customer managed key. These grant permissions are used when DynamoDB performs background system maintenance and continuous data protection tasks. Grant permissions are also used to generate table keys. Therefore, be sure that you have the kms:CreateGrant permission.

For more information, see How Amazon DynamoDB uses AWS KMS.

