How do I resolve access denied issues when I export from DynamoDB to Amazon S3?

4 minute read

When I export Amazon DynamoDB table data into an Amazon Simple Storage Solution (Amazon S3), I get an "Access denied" error.

Short description

If you get an AccessDenied error when you export, then your AWS Identity and Access Management (IAM) entity might not have the correct permissions. To export DynamoDB table data from a point within your point-in-time recovery (PITR) window, use DynamoDB export to S3. You can use this feature for AWS accounts that use either of the following data protection methods:

Advanced Encryption Standard (AES)
AWS Key Management Service (AWS KMS) customer managed keys

Resolution

Note: Run all AWS Command Line Interface (AWS CLI) commands from the account where the DynamoDB table is located. If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Prerequisites:

Complete the prerequisites to request a table export in DynamoDB.
Review your bucket policies for explicit deny actions. In the following example use cases, the bucket policies can't have any explicit deny actions.

AES

To export DynamoDB table data to an Amazon S3 bucket in the same account, run the following command:

aws dynamodb export-table-to-point-in-time \
  --table-arn <Table ARN> \
  --s3-bucket <S3 bucket name> \
  --export-format <Export format> \
  --s3-sse-algorithm AES256

To export DynamoDB table data to an Amazon S3 bucket in a different account, run the following command:

aws dynamodb export-table-to-point-in-time \
  --table-arn <Table ARN> \
  --s3-bucket <Cross account S3 bucket name> \
  --s3-bucket-owner <Cross account ID> \
  --export-format <Export format> \
  --s3-sse-algorithm AES256

AWS KMS customer managed key

For accounts that use an AWS KMS customer managed key, update the AWS KMS customer managed key policy. The key policy must allow the IAM entity to access the AWS KMS key.
Example policy:

{
   "Version": "2012-10-17",
   "Id": "key-consolepolicy-3",
   "Statement": [
      {
         "Sid": "Enable IAM User Permissions",
         "Effect": "Allow",
         "Principal": {
               "AWS": "arn:aws:iam::<Account ID>:root"
         },
         "Action": "kms:*",
         "Resource": "*"
      }
   ]
}

Also, the IAM entity must have permissions to access the AWS KMS key that's used to perform the export.

Example AWS KMS key permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "<Provide KMS key ARN>"
    }
  ]
}

To use an AWS KMS customer managed key to export to an S3 bucket within the same account, run the following command:

aws dynamodb export-table-to-point-in-time \
  --table-arn <Table ARN> \
  --s3-bucket <S3 bucket name> \
  --export-format <Export format> \
  --s3-sse-algorithm KMS \
  --s3-sse-kms-key-id <KMS key ARN>

To use an AWS KMS customer managed key to export to an S3 bucket in different account, run the following command:

aws dynamodb export-table-to-point-in-time \
  --table-arn <Table ARN> \
  --s3-bucket <Cross account S3 bucket name> \
  --s3-bucket-owner <Cross account ID> \
  --export-format <Export format> \
  --s3-sse-algorithm KMS \
  --s3-sse-kms-key-id <KMS key ARN>

To access exported table data for users in different accounts, update the AWS KMS key policy in the DynamoDB source account. To access exported objects, the AWS KMS key policy must grant the user permission to use the kms:Decrypt command.

Example AWS KMS key policy:

{
  "Sid": "Enable cross account IAM User Permissions",
  "Effect": "Allow",
  "Principal": {
    "AWS": "<Provide ARN of destination account user>"
  },
  "Action": "kms:",
  "Resource": "*"
}

Additional troubleshooting

After you verify all permissions, if you still get the AccessDenied error message, then check if your organization has service control policies (SCPs). If your organization has SCPs, then detach or update the policy.

Related information

Requesting a table export in DynamoDB

How do I provide cross-account access to objects that are in Amazon S3 buckets?

Cross-account replication with Amazon DynamoDB

Why do cross-account users receive Access Denied errors when they try to access my S3 objects that I encrypted with an AWS KMS customer managed key?

AWS JSON policy elements: Principal

Topics

Database

Relevant content

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
AWS-User-7725407
asked 2 years ago
An error occurred (AccessDenied) when calling the PutBucketPolicy operation: Access Denied
rePost-User-5008335
asked a year ago
How do I delete an export task from Cloudwatch to S3?
Tony
asked 3 months ago
VM Export: An error occurred (Invalid Parameter) when calling the ExportImage operation: Access denied to the bucket
Vector-t13
asked 2 years ago
Access denied when trying to import RDS exported snapshots
Alien2150
asked 4 years ago
How can I resolve issues exporting Amazon Aurora snapshots to Amazon S3?
AWS OFFICIALUpdated a year ago
How do I resolve "Access Denied" permission errors when I run a query in Amazon Athena?
AWS OFFICIALUpdated 5 months ago
Why do I receive an Access Denied error when I try to access Amazon S3 using an AWS SDK?
AWS OFFICIALUpdated 2 years ago
How do I troubleshoot the error AccessDeniedException when I access an Amazon DynamoDB table?
AWS OFFICIALUpdated 15 days ago
Troubleshoot 403 Access Denied error in Amazon S3
EXPERT
Gayathri Krishnamoorthy
published a year ago