What this looks like in the scanner (securecompass.io/public-exposure-scanner)
Severity | Resource | Finding
High | prod-user-sessions | IAM role with cross-account trust has dynamodb:* permissions on all tables (Resource: "*")
High | order-history-table | DynamoDB table uses default AWS-managed encryption instead of customer-managed KMS key
Medium | analytics-events-table | DynamoDB table does not have point-in-time recovery enabled
What does Amazon DynamoDB public exposure mean?
DynamoDB doesn't have resource-based policies, but overly permissive IAM policies can effectively make tables publicly accessible. IAM roles with broad DynamoDB permissions that can be assumed cross-account create indirect exposure.
Why it matters
DynamoDB tables often store application state, user data, and session information. Broad IAM access combined with cross-account role assumption can expose this data to unauthorized parties.
How to check manually
1. Review IAM policies for overly broad dynamodb:* permissions
2. Check for roles with DynamoDB access that have permissive trust policies
3. Verify table encryption uses customer-managed keys
4. Enable DynamoDB Streams for audit logging
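Steps 1 and 2 can be run offline against the policy JSON the CLI returns (aws iam get-policy-version, aws iam get-role). The block below is an added example, not code from this page or the scanner: it treats a Resource pattern as covering all tables when it matches a representative table ARN, and the High/Medium/Low mapping in assess_role is an assumption modelled on the scanner's severities.

```python
import re
from fnmatch import fnmatch
# Representative table ARN: a Resource pattern that matches it covers every table.
ANY_TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/any-table"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def broad_dynamodb_grants(policy_doc):
    # Allow statements that grant dynamodb:* (or *) on all tables.
    findings = []
    for i, st in enumerate(_as_list(policy_doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:  # negations act as wildcards
            findings.append({"statement": i, "reason": "NotAction/NotResource"})
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        resources = _as_list(st.get("Resource", []))
        if any(a in ("*", "dynamodb:*") for a in actions) and any(
                r == "*" or fnmatch(ANY_TABLE_ARN, r) for r in resources):
            findings.append({"statement": i, "actions": actions, "resources": resources})
    return findings

def cross_account_principals(trust_doc, own_account):
    # AWS principals outside own_account (or "*") that may assume the role.
    out = []
    for st in _as_list(trust_doc.get("Statement", [])):
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if st.get("Effect") != "Allow" or not any(fnmatch("sts:assumerole", a) for a in actions):
            continue
        principal = st.get("Principal", {})
        for p in ["*"] if principal == "*" else _as_list(principal.get("AWS", [])):
            m = re.search(r"\d{12}", p)  # bare account IDs and ARNs both carry the ID
            account = m.group(0) if m else "*"
            if account != own_account:
                out.append({"principal": p, "account": account,
                            "has_condition": bool(st.get("Condition"))})
    return out

def assess_role(trust_doc, policy_docs, own_account):
    # High: broad grant and cross-account trust; Medium: one of them; else Low.
    grants = [g for doc in policy_docs for g in broad_dynamodb_grants(doc)]
    foreign = cross_account_principals(trust_doc, own_account)
    return "High" if grants and foreign else "Medium" if grants or foreign else "Low"

# Constructed sample documents (not taken from any real account).
TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                        "Principal": {"AWS": "arn:aws:iam::999999999999:root"}}]}
POLICY = {"Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}
```

With the sample documents, assess_role(TRUST, [POLICY], "111111111111") returns "High", the same rating the scanner gives the prod-user-sessions finding; a trust policy without a Condition (no ExternalId) is reported as has_condition False.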
Quick check with AWS CLI
List DynamoDB tables and check encryption settings (a missing SSEDescription means the table is not using a customer-managed key; xargs -n 1 is used because the text output is tab-separated on one line)
aws dynamodb list-tables --query "TableNames[]" --output text | xargs -n 1 aws dynamodb describe-table --query "Table.{Name:TableName,SSEDescription:SSEDescription}" --table-name

Check point-in-time recovery status for a table (describe-table does not report PITR; this call does)
aws dynamodb describe-continuous-backups --table-name YOUR_TABLE_NAME --query "ContinuousBackupsDescription.PointInTimeRecoveryDescription.PointInTimeRecoveryStatus"

Find IAM policies with broad DynamoDB access (reads each policy's default version rather than assuming v1, and prints the ARN of every policy whose document contains dynamodb:*)
aws iam list-policies --scope Local --query "Policies[].[Arn,DefaultVersionId]" --output text | while read -r arn ver; do aws iam get-policy-version --policy-arn "$arn" --version-id "$ver" --query "PolicyVersion.Document" --output json | grep -q '"dynamodb:\*"' && echo "$arn"; done

Common misconfigurations
- IAM policy granting dynamodb:* on Resource: "*"
- No point-in-time recovery enabled
- Tables using default AWS-managed encryption instead of a customer-managed key (CMK)
- Missing CloudTrail data event logging for DynamoDB
Check all 22 resource types at once
Instead of checking each service manually, scan your entire AWS account and see every public exposure ranked by risk.