Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.iru.com/llms.txt

Use this file to discover all available pages before exploring further.

About Amazon DynamoDB

The Amazon DynamoDB connector inventories tables, capacity settings, indexes, and related resources for compliance mapping. Iru assumes an IAM role in your account (sts:AssumeRole + external ID) and does not bulk-export item payloads as evidence - focus stays on configuration and inventory APIs.

How it works

Use AmazonDynamoDBReadOnlyAccess, or the inline policy below if you want explicit actions (includes PartiQLSelect / Query / Scan read paths present in the managed policy set - align with your security review).
DetailValue
CategoryDatabases
AuthenticationCross-account IAM role
References: AmazonDynamoDBReadOnlyAccess, Security and IAM.

Prerequisites

  • IAM rights to create roles and inline policies.
  • Connector principal and external ID from Iru.

Connect AWS DynamoDB to Iru

Copy the trust policy from Iru

1

Open Sources

In Iru Compliance, on the left navigation bar, expand Compliance and select Sources.
Left navigation: Compliance expanded, Sources selected
2

Turn on AWS DynamoDB

Find AWS DynamoDB (use Category or Search by name or description). On that card, turn on the toggle. Leave the wizard tab open.
3

Copy the trust policy JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::753695775620:role/IruConnect"
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Create the IAM role in AWS

1

Start Create role

Open IAMRolesCreate role.
2

Configure trusted entity

Choose AWS accountAnother AWS account. Enter 753695775620 (or the ID Iru shows). Enable Require external ID and paste the external ID from Iru.
3

Attach DynamoDB read permissions

Attach AmazonDynamoDBReadOnlyAccess, or attach this inline policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:BatchGetItem",
        "dynamodb:Describe*",
        "dynamodb:Get*",
        "dynamodb:List*",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:PartiQLSelect"
      ],
      "Resource": "*"
    }
  ]
}
4

Name the role and copy the ARN

Name the role, create it, and copy the Role ARN.
5

Verify the trust relationship

Validate Trust relationships against the wizard JSON.

Submit the role ARN in Iru

1

Paste the IAM Role ARN

Paste the Role ARN into the connector where the wizard prompts for it.
2

Confirm the source is Active

Submit until AWS DynamoDB shows Active.

Troubleshooting

Check pop-up blocker settings for the Iru site and try again.
External ID mismatch.
Tables live in specific Regions - ensure the role’s account matches asset ownership.
Managed policy includes DAX reads; custom policies may need dax:Describe* / dax:List*.

Considerations

Global tables and related resources may appear per replica Region.

Global tables and related resources may appear per replica Region.

Scope IAM to what audits truly need: narrower…

Scope IAM to what audits truly need - narrower policies reduce accidental data-plane reads.

See also