How do I resolve access denied issues when I export from DynamoDB to Amazon S3?


When I export Amazon DynamoDB table data into an Amazon Simple Storage Service (Amazon S3) bucket, I get an "Access denied" error.

Short description

If you get an AccessDenied error when you export, then your AWS Identity and Access Management (IAM) entity might not have the correct permissions. To export DynamoDB table data from a point within your point-in-time recovery (PITR) window, use DynamoDB export to S3. You can use this feature for AWS accounts that use either of the following data protection methods:

  • Advanced Encryption Standard (AES)
  • AWS Key Management Service (AWS KMS) customer managed keys

Resolution

Note: Run all AWS Command Line Interface (AWS CLI) commands from the account where the DynamoDB table is located. If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Prerequisites:

AES

To export DynamoDB table data to an Amazon S3 bucket in the same account, run the following command:

aws dynamodb export-table-to-point-in-time \
  --table-arn <Table ARN> \
  --s3-bucket <S3 bucket name> \
  --export-format <Export format> \
  --s3-sse-algorithm AES256

To export DynamoDB table data to an Amazon S3 bucket in a different account, run the following command:

aws dynamodb export-table-to-point-in-time \
  --table-arn <Table ARN> \
  --s3-bucket <Cross account S3 bucket name> \
  --s3-bucket-owner <Cross account ID> \
  --export-format <Export format> \
  --s3-sse-algorithm AES256

AWS KMS customer managed key

For accounts that use an AWS KMS customer managed key, update the AWS KMS customer managed key policy. The key policy must allow the IAM entity to access the AWS KMS key.
Example policy:

{
   "Version": "2012-10-17",
   "Id": "key-consolepolicy-3",
   "Statement": [
      {
         "Sid": "Enable IAM User Permissions",
         "Effect": "Allow",
         "Principal": {
               "AWS": "arn:aws:iam::<Account ID>:root"
         },
         "Action": "kms:*",
         "Resource": "*"
      }
   ]
}

Also, the IAM entity must have permissions to access the AWS KMS key that's used to perform the export.

Example AWS KMS key permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "<Provide KMS key ARN>"
    }
  ]
}

To use an AWS KMS customer managed key to export to an S3 bucket within the same account, run the following command:

aws dynamodb export-table-to-point-in-time \
  --table-arn <Table ARN> \
  --s3-bucket <S3 bucket name> \
  --export-format <Export format> \
  --s3-sse-algorithm KMS \
  --s3-sse-kms-key-id <KMS key ARN>

To use an AWS KMS customer managed key to export to an S3 bucket in a different account, run the following command:

aws dynamodb export-table-to-point-in-time \
  --table-arn <Table ARN> \
  --s3-bucket <Cross account S3 bucket name> \
  --s3-bucket-owner <Cross account ID> \
  --export-format <Export format> \
  --s3-sse-algorithm KMS \
  --s3-sse-kms-key-id <KMS key ARN>

To let users in a different account access the exported table data, update the AWS KMS key policy in the DynamoDB source account. To read the exported objects, the AWS KMS key policy must grant the destination user permission to use the kms:Decrypt action.

Example AWS KMS key policy statement:

{
  "Sid": "Enable cross account IAM User Permissions",
  "Effect": "Allow",
  "Principal": {
    "AWS": "<Provide ARN of destination account user>"
  },
  "Action": "kms:Decrypt",
  "Resource": "*"
}
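As an added example (not AWS code), the following Python check reproduces the two-layer decision the sections above describe: the key policy must allow the principal, and the IAM identity policy must also grant the actions the export needs. It models only Effect, Principal and Action (Condition, NotAction and NotPrincipal are assumed absent), and the policies and ARNs are constructed placeholders.

```python
import fnmatch
import json

# Actions the export needs on the key (the page's IAM example lists these two).
REQUIRED_ACTIONS = ("kms:Decrypt", "kms:GenerateDataKey")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(actions, action):
    # IAM action strings allow "*" and "?" wildcards, e.g. "kms:*".
    return any(fnmatch.fnmatchcase(action, p) for p in _as_list(actions))

def _principal_matches(principal, principal_arn):
    # Exact ARN, "*", or the account root ARN / bare account ID. A root principal
    # only delegates to that account's IAM policies, hence the identity-policy check below.
    if principal == "*":
        return True
    account_id = principal_arn.split(":")[4]
    accepted = ("*", principal_arn, account_id, f"arn:aws:iam::{account_id}:root")
    return any(p in accepted for p in _as_list(principal.get("AWS", [])))

def _allowed(policy_json, action, principal_arn=None):
    # Allow present and no explicit Deny. Assumption: Condition, NotAction and
    # NotPrincipal are not modelled. principal_arn=None means an identity policy.
    allowed = denied = False
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if principal_arn and not _principal_matches(stmt.get("Principal", {}), principal_arn):
            continue
        if not _action_matches(stmt.get("Action", []), action):
            continue
        allowed |= stmt["Effect"] == "Allow"
        denied |= stmt["Effect"] == "Deny"
    return allowed and not denied

def missing_actions(key_policy_json, iam_policy_json, principal_arn):
    """Required actions that would be denied: the key policy (for this principal)
    and the IAM identity policy must both allow each one."""
    return [a for a in REQUIRED_ACTIONS
            if not (_allowed(key_policy_json, a, principal_arn) and _allowed(iam_policy_json, a))]

# Constructed sample policies mirroring the page's examples; account IDs are placeholders.
KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Action": "kms:*", "Resource": "*"}]})
IAM_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
     "Resource": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"}]})
SAME_ACCOUNT_ROLE = "arn:aws:iam::111111111111:role/ExportRole"
OTHER_ACCOUNT_USER = "arn:aws:iam::222222222222:user/analyst"
```

`missing_actions(KEY_POLICY, IAM_POLICY, SAME_ACCOUNT_ROLE)` returns an empty list, while the same call for `OTHER_ACCOUNT_USER` reports both actions because the key policy names no cross-account principal.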

Additional troubleshooting

After you verify all permissions, if you still get the AccessDenied error message, then check if your organization has service control policies (SCPs). If your organization has SCPs, then detach or update the policy.

Related information

Requesting a table export in DynamoDB

How do I provide cross-account access to objects that are in Amazon S3 buckets?

Cross-account replication with Amazon DynamoDB

Why do cross-account users receive Access Denied errors when they try to access my S3 objects that I encrypted with an AWS KMS customer managed key?

AWS JSON policy elements: Principal
