2

I'm trying to hide a sensitive DynamoDB attribute from being visible in the AWS Console for certain IAM users viewing a specific DynamoDB table.

I tried this approach (and many variations of it):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:Scan",
        "dynamodb:Query"
      ],
      "Resource": "arn:aws:dynamodb:<region>:<account-id>:table/my-table",
      "Condition": {
        "ForAnyValue:StringEquals": {  // Also tried ForAllValues
          "dynamodb:Attributes": [
            "sensitive_attribute"
          ]
        }
      }
    }
  ]
}

But I'm still able to see the sensitive attribute in the console when signed in as the restricted user.

Is it possible to hide a specific attribute in the AWS Console for DynamoDB tables? If so, what's the correct IAM policy approach?

Improve this question

1 Answer 1

Reset to default
2

Is it possible to hide a specific attribute in the AWS Console for DynamoDB tables?

No, it's not possible. The IAM policy you have in your question would restrict users from making specific queries against that attribute, but it would not prevent that attribute from being returned in the query response.

If you want users to see data in your DynamoDB table, but restrict what attributes they have access to, you can't give them access to the AWS console. You would have to build a custom UI for that.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.