AWS DynamoDB Integration

Serverless NoSQL key-value & document store

Automatically discover and classify PII fields in your DynamoDB tables. Because DynamoDB has no fixed schema for non-key attributes, our scanner samples items per table to surface attributes that hold personal data — emails, phone numbers, Aadhaar, UPI IDs, GPS coordinates, and more — and folds them into your DPDP data map.

Prerequisites

AWS Account

  • An AWS account with DynamoDB tables in at least one region
  • Ability to create an IAM user (or assume role) with programmatic access
  • The AWS region your tables live in (e.g. ap-south-1)

IAM User Setup

Create a dedicated IAM user with read-only DynamoDB access:

  1. AWS Console → IAM → Users → Create user (e.g. privacy-labs-scanner)
  2. Attach a custom inline policy with only the actions shown below — do not attach AmazonDynamoDBFullAccess
  3. User → Security credentials → Create access key → Application running outside AWS
  4. Copy the Access Key ID and Secret Access Key — you'll paste them into Privacy Labs

Minimum IAM Policy

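Paste this as an inline policy on the scanner user. Replace REGION and ACCOUNT_ID (or use * for all tables in the region). dynamodb:ListTables does not support resource-level permissions in IAM, so it sits in its own statement with Resource "*"; DescribeTable and Scan stay scoped to the table ARN:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "dynamodb:ListTables",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:DescribeTable",
        "dynamodb:Scan"
      ],
      "Resource": "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/*"
    }
  ]
}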

Required

  • dynamodb:ListTables
  • dynamodb:DescribeTable
  • dynamodb:Scan

Not Required

  • PutItem / UpdateItem / DeleteItem
  • CreateTable / DeleteTable
  • Streams / Backup / Export
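
To check the scanner user's policy before handing over its keys, this added example (not Privacy Labs code) audits a policy document against the three required actions listed above. The sample policies and the account id 111122223333 are constructed; the ListTables check reflects that IAM defines no resource-level permissions for that action.

```python
from fnmatch import fnmatchcase
import json

# The three read actions this page requires; IAM matches action names case-insensitively.
REQUIRED = {a.lower(): a for a in
            ("dynamodb:ListTables", "dynamodb:DescribeTable", "dynamodb:Scan")}


def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Return findings; an empty list means exactly the three reads are granted."""
    findings, granted = [], set()
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt:
            findings.append("Allow with NotAction grants every action not listed")
        resources = as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            key = action.lower()
            if "*" in key or "?" in key:
                findings.append(f"wildcard action: {action}")
                granted.update(k for k in REQUIRED if fnmatchcase(k, key))
            elif key not in REQUIRED:
                findings.append(f"action beyond read-only discovery: {action}")
            else:
                granted.add(key)
                # ListTables cannot be scoped to a table ARN.
                if key == "dynamodb:listtables" and "*" not in resources:
                    findings.append('dynamodb:ListTables needs Resource "*"')
    for key in sorted(set(REQUIRED) - granted):
        findings.append(f"missing required action: {REQUIRED[key]}")
    return findings


# Constructed sample policies, not taken from a real account.
GOOD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "dynamodb:ListTables", "Resource": "*"},
    {"Effect": "Allow", "Action": ["dynamodb:DescribeTable", "dynamodb:Scan"],
     "Resource": "arn:aws:dynamodb:ap-south-1:111122223333:table/*"}]})
BROAD = json.dumps({"Statement": [{"Effect": "Allow", "Resource": "*",
                                   "Action": ["dynamodb:*", "dynamodb:PutItem"]}]})

if __name__ == "__main__":
    print(audit_policy(GOOD), audit_policy(BROAD))
```
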

Step-by-Step Setup

1. Navigate to Integrations

In your admin dashboard, go to Data Discovery → Integrations and click Add Connection.

2. Select DynamoDB

Choose DynamoDB from the database type dropdown.

3. Enter AWS Region

Paste the region code your tables live in. Examples:

  • ap-south-1 — Mumbai
  • ap-southeast-1 — Singapore
  • us-east-1 — N. Virginia

4. Paste IAM Credentials

Enter the IAM user's Access Key ID and Secret Access Key from the previous section. Both are encrypted with AES-256 before storage.

5. Optional: Table Prefix Filter

Leave the prefix as * to scan every table in the region, or enter a prefix (e.g. prod-users-) to limit scope.

6. Test & Save

Click Test Connection — we'll do a tiny ListTables call to verify credentials, then Save.

7. Run Discovery Scan

Go to Data Discovery → Run Discovery and start the scan.

What We Scan vs. What We Don't

What We Scan

  • Table names and approximate item counts
  • Key schema (partition + sort key attributes)
  • Up to 100 items per table to discover non-key attribute names and types
  • Nested maps and lists — embedded PII is detected too

What We Never Touch

  • No full-table exports — sampling is bounded by item limit
  • No write, update, or delete calls — read-only by design
  • No Streams, backups, or PITR exports
  • Sample values are classified, not persisted

Cost note: DynamoDB charges read-capacity units for Scan operations. Our discovery samples up to 100 items per table (and a small overscan per attribute when fetching sample values), so per-table cost is bounded — but for very large tables on provisioned capacity, schedule discovery during off-peak hours. On-demand tables: scanning a 100-item sample typically costs fractions of a cent per table.

Security

Encrypted Credentials

Access keys are encrypted at rest with AES-256.

Signed AWS Requests

All calls go over HTTPS, signed with AWS SigV4.

Least-Privilege IAM

Only three read actions — no write, no admin.

Audit Logged

Every scan is logged and visible in CloudTrail too.

Ready to Scan Your DynamoDB Tables?

Connect in under 5 minutes and discover PII in serverless NoSQL tables automatically.
