as per documentation in order for the transactor to work with dynamo-db, we should allow dynamodb:*, this is generally discouraged, we would need to migrate to a list of policies instead
does anyone have any list they already use ?
@jaret can you help with this ?
Cross posting here an answer I gave Bogdan via the support portal.
We use the * wildcard so that the policies on transactors will work if we support new actions in the future without breaking users. It's certainly an anti-pattern that we are discussing how we could document more clearly for folks concerned with restricting and following security best practices. The gist is the transactor needs what is currently documented for Peer + PutItem and DeleteItem.
{"Statement":
  [{"Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Scan", "dynamodb:Query", "dynamodb:PutItem", "dynamodb:DeleteItem"],
    "Resource": "arn:aws:dynamodb:*:<AWS-ACCOUNT-ID>:table/<TABLE-NAME>"}]}