What does "dynamodb:*Reserved*" do?
This permission is under a deny block. I'm trying to figure out what exactly the reserved is doing here.
Solution 1:
It refers to Amazon DynamoDB reserved capacity. With it you pay a one-time, upfront fee and commit to paying for a minimum usage level at significant savings over a period of time.
So basically the policy denies IAM actions corresponding to DynamoDB that include 'Reserved' in their names. These actions are:
- dynamodb:DescribeReservedCapacity. Returns the reserved capacity purchases that are currently in effect.
- dynamodb:DescribeReservedCapacityOfferings. Returns details about the reserved capacity plans that are currently offered by AWS.
- dynamodb:PurchaseReservedCapacityOfferings. Performs an actual purchase of reserved capacity.
Reference: DynamoDB Reserved Capacity
Solution 2:
List of DynamoDB IAM actions
The following actions will be covered under dynamodb:*Reserved*
Action | Description | Access Level |
---|---|---|
DescribeReservedCapacity | Grants permission to describe one or more of the Reserved Capacity purchased | Read |
DescribeReservedCapacity | Grants permission to describe one or more of the Reserved Capacity purchased | Read |
PurchaseReservedCapacityOfferings | Grants permission to purchase reserved capacity for use with your account | Write |
"*" is a wildcard character in IAM policy actions (Reference).
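To check which actions a wildcard deny such as the one in the question covers, the sketch below expands the pattern against a list of action names and applies deny-over-allow. It is an added example, not code from either answer: the policy, the action list and all function names are constructed for illustration, and it ignores Resource, Condition and NotAction.

```python
import re

# Constructed sample: real DynamoDB actions, incl. the three named in Solution 1.
KNOWN_ACTIONS = [
    "dynamodb:GetItem",
    "dynamodb:PutItem",
    "dynamodb:DescribeReservedCapacity",
    "dynamodb:DescribeReservedCapacityOfferings",
    "dynamodb:PurchaseReservedCapacityOfferings",
]

# Constructed policy: only the "dynamodb:*Reserved*" pattern is from the question.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["dynamodb:*Reserved*"], "Resource": "*"},
    ],
}


def action_matches(pattern, action):
    """'*' matches any run of characters, '?' exactly one; case-insensitive."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def _listify(value):
    # "Statement" and "Action" may each be a single item or a list.
    return value if isinstance(value, list) else [value]


def matched_actions(policy, effect, candidates=KNOWN_ACTIONS):
    """Candidates matched by the Action patterns of statements with `effect`."""
    patterns = [
        p
        for stmt in _listify(policy["Statement"])
        if stmt["Effect"] == effect
        for p in _listify(stmt.get("Action", []))
    ]
    return [a for a in candidates if any(action_matches(p, a) for p in patterns)]


def effective_actions(policy, candidates=KNOWN_ACTIONS):
    """Explicit Deny overrides Allow; Resource/Condition/NotAction are ignored."""
    denied = set(matched_actions(policy, "Deny", candidates))
    return [a for a in matched_actions(policy, "Allow", candidates) if a not in denied]
```

Running `matched_actions(SAMPLE_POLICY, "Deny")` against a full export of action names is a quick way to review what a wildcard in a deny block actually blocks before the policy is attached.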