AmazonDynamoDBFullAccess Is Too Much Access #5

Open

rsharrott opened this issue Dec 23, 2019 · 2 comments

Comments

@rsharrott

AmazonDynamoDBFullAccess gives full access to every DynamoDB table in a given AWS account. This is a security risk, as it will likely not be given the same scrutiny as other code.

It would be better to ship a tighter policy that explicitly lays out only what the code needs to access the table, and to provision the table in the CloudFormation template.

```yaml
- PolicyName: AllowDynamoUpdate
  PolicyDocument:
    Version: "2012-10-17"   # quoted so the YAML parser does not turn it into a date
    Statement:
      - Effect: Allow
        Action:
          - dynamodb:DeleteItem
          - dynamodb:GetItem
          - dynamodb:PutItem
          - dynamodb:Query
          - dynamodb:Scan
          - dynamodb:UpdateItem
          - dynamodb:GetRecords   # Streams API; IAM evaluates it against a stream ARN, so this table ARN does not cover it
        # Scoped to the single table created in this template, not to every table in the account
        Resource: !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${rDynamoDbtable}
```
@SachinBadgujar

That is a great point, @rsharrott. Can you please look into this, @duchatran?

@himanshu219 (Collaborator)

Actually, we didn't create the table in CloudFormation, since customers would like to upgrade the SAM application as we release new versions, and the table stores the bookkeeping records, which would risk it being recreated, although that would be rare since the update operation only updates the changed resources. To your point, yes, we should decrease the scope to that table only.
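The two concerns in this thread (the issue's request to replace AmazonDynamoDBFullAccess with a policy scoped to one table, and the maintainer's worry that a table defined in the template could be recreated on update) can both be checked mechanically before a template ships. The linter below is an added example written for this discussion, not code from this project or from AWS. It walks a CloudFormation/SAM template as a Python dict, flags the managed policy whether attached by name in a SAM `Policies` list or by ARN in `ManagedPolicyArns`, flags any `Allow` statement on `dynamodb:` actions whose resource is not a single table ARN, and flags a table resource that lacks `DeletionPolicy: Retain` and `UpdateReplacePolicy: Retain`, which is how CloudFormation is told to keep the table's data when the resource is deleted or replaced. The two template bodies, the function names, and the placeholder region and account values are constructed for the demo.

```python
"""Added example, not project code: lint a CloudFormation/SAM template for
over-broad DynamoDB grants and for an in-template table that a stack update
could replace. Template dicts below are constructed for the demo."""
import json
import re

FULL_ACCESS = "AmazonDynamoDBFullAccess"
REGION, ACCOUNT = "us-east-1", "123456789012"   # placeholder values, assumed
# A resolved ARN naming exactly one table: no wildcards, no stream suffix.
TABLE_ARN_RE = re.compile(r"^arn:aws:dynamodb:[\w-]+:\d{12}:table/[^*/]+$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _dicts(node):
    """Yield every dict reachable from node, depth first."""
    if isinstance(node, dict):
        yield node
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            yield from _dicts(child)


def resolve_arn(resource):
    """Flatten a Resource entry (plain string, Fn::Sub, or Fn::GetAtt ... Arn)
    into a concrete ARN string so it can be pattern-matched."""
    if isinstance(resource, dict) and "Fn::GetAtt" in resource:
        logical_id, attr = resource["Fn::GetAtt"]
        if attr == "Arn":  # assumed to be a table's Arn; we only get here for dynamodb statements
            return f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/{logical_id}"
    if isinstance(resource, dict) and "Fn::Sub" in resource:
        resource = resource["Fn::Sub"]
        if isinstance(resource, list):  # ["template", {"Var": value}] form
            resource = resource[0]
    if not isinstance(resource, str):
        return json.dumps(resource, sort_keys=True)
    resource = resource.replace("${AWS::Region}", REGION).replace("${AWS::AccountId}", ACCOUNT)
    # ${LogicalId} is a Ref; for a DynamoDB table that resolves to its name.
    return re.sub(r"\$\{([^}]+)\}", r"\1", resource)


def lint_template(template):
    """Return a list of human-readable findings; [] means the template passes."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::DynamoDB::Table":
            for attr in ("DeletionPolicy", "UpdateReplacePolicy"):
                if res.get(attr) != "Retain":
                    findings.append(f"{logical_id}: {attr} is not Retain, so a delete or a "
                                    f"replacing update would drop the table and its records")
        props = res.get("Properties", {})
        # Managed policy attached by name (SAM Policies) or by ARN (ManagedPolicyArns).
        for item in _as_list(props.get("Policies", [])) + _as_list(props.get("ManagedPolicyArns", [])):
            if isinstance(item, str) and item.rsplit("/", 1)[-1] == FULL_ACCESS:
                findings.append(f"{logical_id}: attaches {FULL_ACCESS}, which grants every table in the account")
        # Inline statements: any Allow on dynamodb: actions must name one table ARN.
        for doc in _dicts(props):
            for stmt in _as_list(doc.get("Statement", [])):
                if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
                    continue
                actions = [a for a in _as_list(stmt.get("Action", []))
                           if isinstance(a, str) and a.lower().startswith("dynamodb:")]
                if not actions:
                    continue
                for action in actions:
                    if "*" in action:
                        findings.append(f"{logical_id}: wildcard action {action}")
                for resource in _as_list(stmt.get("Resource", [])):
                    arn = resolve_arn(resource)
                    if not TABLE_ARN_RE.match(arn):
                        findings.append(f"{logical_id}: {', '.join(actions)} granted on {arn!r}, not a single table ARN")
    return findings


TABLE_PROPS = {"BillingMode": "PAY_PER_REQUEST",
               "AttributeDefinitions": [{"AttributeName": "id", "AttributeType": "S"}],
               "KeySchema": [{"AttributeName": "id", "KeyType": "HASH"}]}

# Constructed: the over-broad shape the issue objects to (function properties kept minimal).
BROAD_TEMPLATE = {"Resources": {
    "rDynamoDbtable": {"Type": "AWS::DynamoDB::Table", "Properties": TABLE_PROPS},
    "rFunction": {"Type": "AWS::Serverless::Function", "Properties": {"Policies": [
        FULL_ACCESS,
        {"Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}]}},
}}

# Constructed: the scoped shape proposed in the thread, with the table kept in the
# template but retained across delete and replace.
SCOPED_TEMPLATE = {"Resources": {
    "rDynamoDbtable": {"Type": "AWS::DynamoDB::Table", "DeletionPolicy": "Retain",
                       "UpdateReplacePolicy": "Retain", "Properties": TABLE_PROPS},
    "rFunction": {"Type": "AWS::Serverless::Function", "Properties": {"Policies": [{
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:PutItem",
                                  "dynamodb:Query", "dynamodb:Scan", "dynamodb:UpdateItem"],
                       "Resource": {"Fn::Sub": "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${rDynamoDbtable}"}}]}]}},
}}

if __name__ == "__main__":
    for name, tpl in (("broad", BROAD_TEMPLATE), ("scoped", SCOPED_TEMPLATE)):
        print(name, "->", lint_template(tpl) or "OK")
```

Run as a script it reports five findings for the broad template and `OK` for the scoped one. The same `lint_template` function can be pointed at a real template after loading it with a YAML parser that understands the CloudFormation short-form tags (`!Sub`, `!GetAtt`), since the checks only look at the resolved `Fn::Sub` / `Fn::GetAtt` dict forms.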

3 participants