I am trying to create a policy which denies access to a DynamoDB table.
I've added ReadOnlyAccess (full) and I want the user to not be able to read/use/put data in one table.
The policy looks like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dynamodb:BatchGet*",
                "dynamodb:DescribeStream",
                "dynamodb:DescribeTable",
                "dynamodb:Get*",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:BatchWrite*",
                "dynamodb:CreateTable",
                "dynamodb:Delete*",
                "dynamodb:Update*",
                "dynamodb:PutItem"
            ],
            "Effect": "Deny",
            "Resource": "arn:aws:dynamodb:xx-xx-xx:xxxxxxx:table/some-name"
        }
    ]
}
The user now cannot check data in the some-name table, which is fine, but when I list the tables I see a load of random "failed to load" tables. I can click on them and access the data, but I don't want to see "failed to load" (except possibly for the some-name table).
What am I doing wrong?
I cannot find a primary source, but judging from the answers on this question, IAM policy to allow access to DynamoDB console for specific tables, the "dynamodb:DescribeTable" permission might always be required for all tables for the console to work properly.
I guess it makes sense though, since I don't think the tables returned from "ListTables" can be restricted, and if the console executes a "DescribeTable" on the restricted table, it will get an error.
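To see which console calls the Deny statement above actually blocks, here is an added Python model of IAM explicit-deny matching (not code from the question or the answer). It embeds the asker's policy with its placeholder ARN, a second constructed table ARN, and a revised variant that drops "dynamodb:DescribeTable" from the deny list (an assumption about a possible fix, not something the page states), then reports which tables a console that must DescribeTable every listed table could load under each policy.

```python
"""Model of IAM explicit-deny matching for a DynamoDB table deny policy.

Assumptions (added example, not from the page): only the Deny statement is
evaluated; the attached ReadOnlyAccess policy is treated as allowing every
read action on every table, so an action is blocked iff a Deny matches it.
"""
import re

# Policy from the question; the ARN keeps the asker's placeholder fields.
TABLE_ARN = "arn:aws:dynamodb:xx-xx-xx:xxxxxxx:table/some-name"
OTHER_ARN = "arn:aws:dynamodb:xx-xx-xx:xxxxxxx:table/other-table"  # constructed
DENY_ACTIONS = [
    "dynamodb:BatchGet*", "dynamodb:DescribeStream", "dynamodb:DescribeTable",
    "dynamodb:Get*", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchWrite*",
    "dynamodb:CreateTable", "dynamodb:Delete*", "dynamodb:Update*", "dynamodb:PutItem",
]
ORIGINAL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": DENY_ACTIONS, "Resource": TABLE_ARN}]}

# Revised variant (assumption): same deny, but DescribeTable is left out so the
# console can still describe every table while data-plane access stays denied.
REVISED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Resource": TABLE_ARN,
     "Action": [a for a in DENY_ACTIONS if a != "dynamodb:DescribeTable"]}]}


def _iam_match(pattern, value, case_insensitive):
    # IAM wildcards: '*' matches any run of characters, '?' a single character.
    # Action names match case-insensitively; resource ARNs are case-sensitive.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if case_insensitive else 0) is not None


def is_explicitly_denied(policy, action, resource):
    """True if any Deny statement matches both the action and the resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(_iam_match(a, action, True) for a in actions) and \
           any(_iam_match(r, resource, False) for r in resources):
            return True
    return False


def console_listing(policy, table_arns):
    """Map each ARN to 'ok' or 'failed to load' for a console that must
    DescribeTable every table returned by ListTables (the answer's reading)."""
    return {arn: "failed to load" if is_explicitly_denied(policy, "dynamodb:DescribeTable", arn)
            else "ok" for arn in table_arns}


if __name__ == "__main__":
    for name, pol in (("original", ORIGINAL_POLICY), ("revised", REVISED_POLICY)):
        print(name, console_listing(pol, [TABLE_ARN, OTHER_ARN]),
              "PutItem on some-name denied:", is_explicitly_denied(pol, "dynamodb:PutItem", TABLE_ARN))
```

Under the original policy only some-name fails to describe, so a table that the deny does not name should still load; the revised policy keeps PutItem and the other data-plane actions denied on some-name while letting the console describe it.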