This error occurs when your IAM role or user lacks the necessary permissions to perform operations on a DynamoDB table. The fix requires attaching the correct IAM policies with appropriate DynamoDB actions.
The AccessDeniedException indicates that AWS Identity and Access Management (IAM) has blocked your request because the credentials you're using don't have permission to perform the requested DynamoDB operation. DynamoDB uses IAM to control access to tables and operations, requiring explicit permissions for each action like GetItem, PutItem, Query, or Scan. When you attempt to access a DynamoDB table, AWS evaluates your IAM policies to determine whether you have the necessary permissions. If your IAM user, role, or the associated policies don't explicitly grant access to the specific DynamoDB action and resource, AWS denies the request and returns an AccessDeniedException. This error is part of AWS's security model that follows the principle of least privilege—by default, all access is denied unless explicitly allowed. This means you must configure IAM policies to grant the exact permissions your application needs.
First, identify which IAM credentials are making the request. For Lambda functions, check the execution role. For EC2 instances, check the instance profile role. For local development, check your AWS CLI configuration.
# Check current AWS identity
aws sts get-caller-identity
# This returns the User ARN, Account, and User ID
Note the ARN shown: this is the identity that needs DynamoDB permissions.
Examine the IAM policies attached to your user or role to see what DynamoDB permissions are currently granted.
# List policies attached to a role
aws iam list-attached-role-policies --role-name YourRoleName
# Get policy details
aws iam get-policy-version --policy-arn arn:aws:iam::123456789012:policy/YourPolicyName --version-id v1
Look for statements that include dynamodb:GetItem or dynamodb:* actions, and check that the Resource ARN matches your table. Use the policy's current default version ID if it is not v1. Note that list-attached-role-policies shows only managed policies, so also review any inline policies attached directly to the role.
Create or update an IAM policy to grant the necessary DynamoDB permissions. For basic read access:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:Scan"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/YourTableName"
    }
  ]
}
For write operations, add actions like dynamodb:PutItem, dynamodb:UpdateItem, and dynamodb:DeleteItem.
Attach this policy to your IAM role:
aws iam put-role-policy --role-name YourRoleName --policy-name DynamoDBAccess --policy-document file://dynamodb-policy.json
Replace the region, account ID, and table name with your actual values.
Ensure your IAM policy references the correct table ARN and region. A common mistake is referencing the wrong region.
# Get table information including ARN
aws dynamodb describe-table --table-name YourTableName --region us-east-1
The table ARN format is: arn:aws:dynamodb:region:account-id:table/table-name
If your application runs in us-west-2 but your policy specifies us-east-1, the permissions won't apply.
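To see why a region mismatch produces an implicit deny, here is an added example (not from the original article) that evaluates a request against the read-only policy above using a deliberately simplified model of IAM evaluation: explicit Deny wins, Allow must match both Action and Resource, everything else is implicitly denied. Condition keys, NotAction/NotResource, SCPs, permissions boundaries and resource policies are assumptions left out of the model.

```python
import fnmatch
import json

# The read-only policy from this article, embedded here as constructed sample input.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"],
    "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/YourTableName"
  }]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, fold_case):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one character.
    # Action names are case-insensitive; ARNs are compared as written.
    pairs = ((p.lower(), value.lower()) if fold_case else (p, value) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(v, p) for p, v in pairs)

def evaluate(policy, action, resource):
    """Simplified identity-policy evaluation (see lead-in for what is not modelled).
    Returns 'allow', 'explicit_deny', or 'implicit_deny' (the AccessDeniedException case)."""
    decision = "implicit_deny"
    for stmt in _as_list(policy["Statement"]):
        if not _matches(stmt.get("Action", []), action, fold_case=True):
            continue
        if not _matches(stmt.get("Resource", []), resource, fold_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"
        decision = "allow"
    return decision

def diagnose(policy, action, resource):
    """When a request is denied, report whether some Allow statement grants the action on
    the same table in a different region, the mistake the article calls out."""
    if evaluate(policy, action, resource) == "allow":
        return "allowed"
    want = resource.split(":")
    for stmt in _as_list(policy["Statement"]):
        if stmt["Effect"] != "Allow" or not _matches(stmt.get("Action", []), action, True):
            continue
        for arn in _as_list(stmt.get("Resource", [])):
            have = arn.split(":")  # arn:partition:service:region:account:resource
            if len(have) == 6 and have[3] != want[3] and have[:3] + have[4:] == want[:3] + want[4:]:
                return f"region mismatch: policy grants {action} in {have[3]}, request is in {want[3]}"
    return "no statement allows this action on this resource"
```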
If your application runs in a VPC and uses a VPC endpoint for DynamoDB, verify the endpoint policy allows the required actions.
# List VPC endpoints
aws ec2 describe-vpc-endpoints --filters Name=service-name,Values=com.amazonaws.us-east-1.dynamodb
The VPC endpoint policy must allow DynamoDB operations. If it is restrictive, update it to permit the actions you need. Keep in mind that an endpoint policy can only narrow access: it never grants anything the identity's own IAM policy does not already allow.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:Scan"
      ],
      "Resource": "*"
    }
  ]
}
After updating the IAM policies, test your access to the DynamoDB table.
# Test GetItem operation
aws dynamodb get-item \
  --table-name YourTableName \
  --key '{"id": {"S": "test-id"}}' \
  --region us-east-1
If you still get AccessDeniedException, wait a few seconds for IAM policy changes to propagate, then try again. IAM changes are eventually consistent and may take up to 5 seconds to take effect.
KMS Encryption Considerations: If your DynamoDB table uses customer-managed KMS keys for encryption at rest, your IAM role needs additional KMS permissions. You must grant kms:Decrypt for read operations and kms:GenerateDataKey and kms:Encrypt for write operations on the KMS key used by the table.
Attribute-Level Access Control: When using fine-grained access control with condition keys like dynamodb:LeadingKeys or dynamodb:Attributes, ensure your policy allows access to all attributes your query requests. If your GetItem request doesn't specify attributes (returns all attributes), but your policy only allows specific attributes, you'll get AccessDeniedException.
Cross-Account Access: For cross-account DynamoDB access, you need both an IAM policy on the calling account's role (allowing the action) and a resource-based policy on the DynamoDB table (trusting the calling account). Use the table's resource policy to grant permissions to external accounts.
Service Control Policies (SCPs): If you're in an AWS Organization, SCPs can override IAM policies. Even if your IAM policy grants DynamoDB access, an SCP at the organization or OU level can deny it. Check with your AWS administrator if you suspect SCP restrictions.
Temporary Credentials: When using assumed roles or temporary credentials (like from STS AssumeRole), verify the role's trust policy allows your identity to assume it, and that the session policy (if any) doesn't restrict DynamoDB access.
CloudTrail Debugging: Enable CloudTrail to see detailed access denied events. The CloudTrail log shows the exact action attempted, the resource ARN, the principal making the request, and the reason for denial, which is invaluable for troubleshooting complex permission issues.
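As an added example (not part of the original article), the function below pulls the fields described above out of a single CloudTrail record: the principal, the denied action, the resource ARN (and therefore the region) and IAM's stated reason. The event is a constructed sample shaped like a DynamoDB AccessDenied record, not a real log; the errorMessage wording it assumes is IAM's standard "is not authorized to perform ... on resource ..." form.

```python
import re

# Constructed sample record (not a real log), shaped like the DynamoDB AccessDenied
# events CloudTrail records; the errorMessage follows IAM's standard wording.
SAMPLE_EVENT = {
    "eventVersion": "1.08",
    "userIdentity": {"type": "AssumedRole", "accountId": "123456789012",
                     "arn": "arn:aws:sts::123456789012:assumed-role/YourRoleName/app-session"},
    "eventTime": "2024-01-01T12:00:00Z",
    "eventSource": "dynamodb.amazonaws.com",
    "eventName": "GetItem",
    "awsRegion": "us-west-2",
    "errorCode": "AccessDenied",
    "errorMessage": ("User: arn:aws:sts::123456789012:assumed-role/YourRoleName/app-session "
                     "is not authorized to perform: dynamodb:GetItem on resource: "
                     "arn:aws:dynamodb:us-west-2:123456789012:table/YourTableName "
                     "because no identity-based policy allows the dynamodb:GetItem action"),
    "requestParameters": {"tableName": "YourTableName"},
    "recipientAccountId": "123456789012",
}

DENIAL_RE = re.compile(
    r"not authorized to perform: (?P<action>\S+) on resource: (?P<resource>\S+)"
    r"(?: because (?P<reason>.*))?$")

def triage_denial(event):
    """Extract what you need to fix the policy from one CloudTrail record: who was
    denied, which action, on which ARN (and so which region), and IAM's stated reason.
    Returns None for records that are not DynamoDB access denials."""
    if event.get("eventSource") != "dynamodb.amazonaws.com":
        return None
    if event.get("errorCode") not in ("AccessDenied", "AccessDeniedException"):
        return None
    m = DENIAL_RE.search(event.get("errorMessage", ""))
    if m:
        action, resource = m.group("action"), m.group("resource")
        reason = m.group("reason") or "not stated"
    else:
        # Terse message: rebuild the table ARN from the record's own fields instead.
        action = f"dynamodb:{event['eventName']}"
        resource = "arn:aws:dynamodb:{}:{}:table/{}".format(
            event["awsRegion"], event["recipientAccountId"],
            event.get("requestParameters", {}).get("tableName", "UNKNOWN"))
        reason = "not stated"
    return {"principal": event["userIdentity"]["arn"], "action": action,
            "resource": resource, "region": resource.split(":")[3], "reason": reason}
```

Comparing the returned region against the Resource ARN in your policy is the quickest way to spot the us-east-1 versus us-west-2 mismatch discussed earlier.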