This check evaluates each DynamoDB table's resource-based policy for Allow statements that grant access to principals outside the table's own account, or to the public (the wildcard principal with no condition scoping who can use it).
Tables without a resource policy, or whose policy only grants access to principals in the same account, are identified as isolated configurations and pass.
Risk
Allowing other accounts to access a table affects:
- Confidentiality: unauthorized reads/data exfiltration
- Integrity: writes or deletes by external principals
- Availability: capacity exhaustion and throttling
- Cost: owner pays for external requests
If the policy grants the wildcard principal access without a scoping condition, any AWS principal can issue those requests, so the exposure is effectively unrestricted.
Run this check with Prowler CLI
prowler aws --checks dynamodb_table_cross_account_access
Recommendation
Apply least privilege:
- Avoid cross-account data access; if it is required, allow only named principals (specific roles or users, not account roots or "*")
- Constrain each grant with condition keys such as aws:PrincipalOrgID, aws:SourceVpc or aws:PrincipalArn, and add explicit Deny guardrails for everything outside that scope
- Enable Block Public Access for resource-based policies and monitor external-access findings with IAM Access Analyzer
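As an added illustration of the reasoning in the check description and in the recommendation above (this is not Prowler's own check source), the Python below classifies a table's resource-based policy as none, same-account, cross-account or public and lists the statements that cause the finding. The owner account, table ARN, organization ID and the sample policies are constructed for the example; the HARDENED sample shows the recommended shape of a grant that genuinely has to cross accounts, and the classifier treats a wildcard principal as public only when no narrowing condition on a scoping key is present.

```python
"""Added example (not Prowler's check source): classify a DynamoDB resource-based
policy as none / same-account / cross-account / public by the page's rules.
The owner account, ARNs, org ID and sample policies below are constructed."""
import json
import re

# Condition keys that pin a wildcard principal to an identity, account, org or
# network path (the keys the recommendation names, plus their close relatives).
SCOPING_KEYS = {
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn",
    "aws:sourcearn", "aws:sourceaccount", "aws:sourcevpc", "aws:sourcevpce",
}
SEVERITY = {"none": 0, "same-account": 1, "cross-account": 2, "public": 3}

def principal_account(principal):
    """'*' for anonymous, the 12-digit ID for account, IAM or STS ARNs, else None."""
    m = re.fullmatch(r"(?:arn:aws[a-z-]*:(?:iam|sts)::)?(\d{12})(?::.*)?", principal)
    return "*" if principal == "*" else (m.group(1) if m else None)

def aws_principals(statement):
    """Flatten the Principal element to a list of AWS principal strings."""
    p = statement.get("Principal", {})
    if p == "*":
        return ["*"]
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return aws if isinstance(aws, list) else [aws]

def scoping_keys(statement):
    """Scoping keys used with a narrowing operator (StringNotEquals etc. widen)."""
    keys = set()
    for operator, clause in statement.get("Condition", {}).items():
        op = operator.split(":")[-1].lower()  # strip ForAnyValue:/ForAllValues:
        if op.startswith(("stringequals", "stringlike", "arnequals", "arnlike")):
            keys.update(k.lower() for k in clause if k.lower() in SCOPING_KEYS)
    return keys

def classify_statement(statement, owner_account):
    """Worst exposure level one statement grants; Deny never grants."""
    if statement.get("Effect") != "Allow":
        return "none"
    worst, scoped = "none", scoping_keys(statement)
    for principal in aws_principals(statement):
        account = principal_account(principal)
        if account is None:
            continue  # service principals carry no account
        if account == "*":
            level = "cross-account" if scoped else "public"
        elif account == owner_account:
            level = "same-account"
        else:
            level = "cross-account"
        if SEVERITY[level] > SEVERITY[worst]:
            worst = level
    return worst

def classify_policy(policy, owner_account):
    """(exposure, findings) for a dict, JSON string or None policy; findings
    lists the Sids that reach cross-account or public."""
    if not policy:
        return "none", []
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    worst, findings = "none", []
    for i, st in enumerate(statements):
        level = classify_statement(st, owner_account)
        if SEVERITY[level] >= SEVERITY["cross-account"]:
            findings.append((st.get("Sid", f"statement[{i}]"), level))
        if SEVERITY[level] > SEVERITY[worst]:
            worst = level
    return worst, findings

def is_isolated(policy, owner_account):
    """True for the configurations the check treats as isolated."""
    return classify_policy(policy, owner_account)[0] in ("none", "same-account")

OWNER = "111111111111"  # assumed owner account of the sample table
TABLE = "arn:aws:dynamodb:us-east-1:111111111111:table/Orders"  # assumed ARN

# Constructed: anonymous reads with no condition -> public.
PUBLIC = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AnyoneCanRead", "Effect": "Allow", "Principal": "*",
     "Action": ["dynamodb:Scan", "dynamodb:GetItem"], "Resource": TABLE}]}

# Constructed, in the recommended shape: one named role in another account, pinned
# to the organization, plus a Deny guardrail. Still cross-account, so still reported.
HARDENED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PartnerReportReader", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222222222222:role/ReportReader"},
     "Action": ["dynamodb:GetItem", "dynamodb:Query"], "Resource": TABLE,
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    {"Sid": "DenyOutsideOrg", "Effect": "Deny", "Principal": "*",
     "Action": "dynamodb:*", "Resource": TABLE,
     "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]}

# Constructed: owner account only -> isolated.
SAME_ACCOUNT = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OwnerOnly", "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{OWNER}:root"},
     "Action": "dynamodb:*", "Resource": TABLE}]}
```

Calling classify_policy(PUBLIC, OWNER) returns the public finding for the AnyoneCanRead statement, classify_policy(HARDENED, OWNER) still reports PartnerReportReader as cross-account (the Deny guardrail is ignored because a Deny can never grant access), and SAME_ACCOUNT or a missing policy satisfies is_isolated. The negated operator in the guardrail is deliberately not counted as a scoping condition: a StringNotEquals on aws:PrincipalOrgID inside an Allow would open the table to everyone outside the organization rather than narrow it.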
Remediation
Deleting the resource policy removes every statement it contains, including any same-account grants; if some of those are still needed, replace the policy with a document limited to the owning account instead of deleting it.
CLI
aws dynamodb delete-resource-policy --resource-arn <resource-arn>
Other
- Open the AWS Console and go to DynamoDB > Tables
- Select <example_resource_name> and open the Permissions tab
- In Resource-based policy, click Delete policy and confirm
- Save changes to remove any cross-account access
Source Code
Resource Type
AwsDynamoDbTable
References
- https://support.icompaas.com/support/solutions/articles/62000233614-ensure-dynamodb-tables-should-not-be-accessible-from-other-aws-accounts
- https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/access-control-resource-based.html
- https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/rbac-bpa-rbp.html