Lambda and DynamoDB is not authorized to perform dynamodbScan
Master System Design with Codemia
Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.
Introduction
The error is not authorized to perform: dynamodb:Scan means the Lambda function's execution role does not have permission to call the Scan action on the target table or index. The fix is almost always in IAM, not in the Lambda code. You need to identify the role actually used by the function and attach a policy that allows the correct DynamoDB resource ARN.
Why This Happens
AWS Lambda runs with an execution role. Every DynamoDB API call made by the function is evaluated against that role's IAM policies. If the role does not explicitly allow dynamodb:Scan, the call fails.
A common mistake is assuming broad DynamoDB access exists because the function can do some other operations such as GetItem or PutItem. IAM actions are specific. Permission for GetItem does not imply permission for Scan.
What Permission Is Required
For a table scan, the role needs at least this action on the table ARN:
- '
dynamodb:Scan'
If the code scans a secondary index, the role also needs access to the index ARN pattern.
Example IAM policy:
That is enough for scanning the Users table and any of its indexes in the specified account and region.
A Minimal Lambda Example
If that function throws the authorization error, the first thing to verify is the function's execution role in the Lambda console or through the CLI.
How to Verify the Role and Policy
Use the AWS CLI to inspect the function configuration:
Then inspect the policies attached to that role and look specifically for dynamodb:Scan plus the correct resource ARN.
Problems usually fall into one of these categories:
- the role has no DynamoDB policy at all
- the policy allows
GetItemorQuerybut notScan - the resource ARN points to the wrong table name
- the ARN uses the wrong region or account id
- the code scans an index but the policy covers only the table ARN
Why Scan Is Special Enough to Notice
Many teams avoid Scan in production because it reads every item in the table or index segment being scanned. That is expensive and can cause performance problems compared with Query, which reads a targeted key range.
So the error sometimes appears after a code change where a developer replaces a query with a full-table scan for convenience. IAM then blocks it because the role was scoped more narrowly.
If you really need Scan, grant it intentionally. If not, consider whether Query is the better design.
Least-Privilege Version
If this Lambda should only read one specific table, keep the policy narrow.
Avoid "Resource": "*" unless you have a clear operational reason.
Common Pitfalls
The biggest mistake is updating the wrong IAM role. Lambda only uses the execution role configured on that function, not a random IAM user or a similarly named role.
Another mistake is granting access to the table ARN but forgetting that index scans may require the index ARN pattern too.
A third issue is fixing the permission error while ignoring whether Scan is the right operation. If the code should be selective, switching to Query is often better than broadening the role.
Summary
- The error means the Lambda execution role lacks
dynamodb:Scanon the required resource - Check the function's actual execution role before changing IAM policies
- Grant
dynamodb:Scanon the specific table ARN, and index ARNs if needed - Verify the account, region, and table name in the policy resource
- Consider using
Queryinstead ofScanif the access pattern can be modeled more efficiently
