Using DynamoDB as an Append-Only Database

3 minute read
Content level: Intermediate

Leveraging IAM policies to achieve an append-only database

Amazon DynamoDB is a managed NoSQL database service provided by AWS. While it offers a wide range of capabilities, one interesting use-case is to configure it as an append-only database. This approach ensures that once data is written, it cannot be modified or deleted, thereby preserving the integrity and history of the data.

In this article, we'll walk you through how to set up DynamoDB as an append-only database using AWS IAM policies and demonstrate its behavior.

Setting Up the IAM Policy

To achieve the append-only behavior, we need to create a specific IAM policy that allows only insert and read operations on DynamoDB, while denying update and delete operations.

Here's how you can set up the policy:

POLICY_ARN=`aws iam create-policy \
--policy-name AppendOnlyDynamoDB \
--policy-document '{
    "Version": "2012-10-17",
    "Statement": [
            "Sid": "DynamoDBIndexAndStreamAccess",
            "Effect": "Allow",
            "Action": [
            "Resource": "*"
}' \
--output text \
--query Policy.Arn`

Creating a User and Attaching the Policy

Once the policy is created, we'll create a new IAM user and attach the policy to it:

USER_NAME=`aws iam create-user --user-name AppendUser --output text --query User.UserName`

aws iam attach-user-policy --user-name $USER_NAME --policy-arn $POLICY_ARN

Configuring AWS CLI

Next, we'll configure the AWS CLI to use the credentials of the newly created user:

aws iam create-access-key --user-name $USER_NAME

aws configure --profile append-only

Testing the Append-Only Behavior

With everything set up, let's test our append-only configuration:

Inserting Data:

aws dynamodb execute-statement \
--statement "INSERT INTO Music VALUE {'Artist':'Acme Band','SongTitle':'PartiQL Rocks'}" \
--profile append-only

This will insert a new record into the Music table.

Trying to Insert Duplicate Data:

aws dynamodb execute-statement \
--statement "INSERT INTO Music VALUE {'Artist':'Acme Band','SongTitle':'PartiQL Rocks'}" \
--profile append-only

As expected, this will throw a DuplicateItemException since the primary key already exists.

Attempting to Update Data:

aws dynamodb execute-statement \
--statement "UPDATE Music SET AwardsWon=1  \
            SET AwardDetail={'Grammys':[2020, 2018]}  \
            WHERE Artist='Acme Band'" \
--profile append-only

This will result in an AccessDeniedException because our policy doesn't allow update operations.

Trying to Delete Data:

aws dynamodb execute-statement \
--statement "DELETE  FROM Music WHERE Artist='Acme Band'" \
--profile append-only

Similarly, this will also result in an AccessDeniedException due to our policy restrictions.


By carefully crafting IAM policies, you can configure Amazon DynamoDB to act as an append-only database. This ensures that data, once written, remains immutable, providing a reliable historical record of all entries. Whether you're looking to maintain data integrity, comply with regulatory requirements, or simply keep an unalterable history of transactions, this approach offers a robust solution.