fix(dynamodb): throw error when grantee is an unsupported ServicePrincipal

[kumsmrit]

Issue # (if applicable)

Closes #37273.

Reason for this change

After v2.222.0, calling table.grantReadWriteData(new ServicePrincipal(...)) started generating DynamoDB resource-based policies containing service principals. This is a regression caused by the combination of #35554 (which fixed addToResourcePolicy to actually take effect) and #35817 (which enabled the grant framework to automatically discover DynamoDB resource policies). Previously, addToResourcePolicy was a no-op, so the grant silently did nothing.

For unsupported service principals (e.g. myservice.amazonaws.com), this produces an invalid resource policy that fails at CloudFormation deploy time with: "Invalid policy document: Policy contains invalid service principal".

However, DynamoDB does support specific service principals in resource policies:

• redshift.amazonaws.com — Redshift zero-ETL integration
• replication.dynamodb.amazonaws.com — Multi-account global tables
• glue.amazonaws.com — SageMaker Lakehouse zero-ETL via AWS Glue

Description of changes

1. Throw ValidationError for unsupported service principals — Grant methods (grant, grantReadData, grantWriteData, grantReadWriteData, grantFullAccess) on both Table and TableV2 now detect ServicePrincipal grantees and throw a ValidationError at synth time, directing users to table.addToResourcePolicy() instead. This fails fast rather than producing an invalid template that fails at deploy time.

2. Allowlist known-valid service principals — Added KNOWN_DYNAMODB_SERVICE_PRINCIPALS allowlist in private/principal-utils.ts containing the three documented service principals. The new isUnsupportedServicePrincipal() function walks the principal wrapper chain (handling PrincipalWithConditions, SessionTagsPrincipal, etc.) to extract the service name and check it against the allowlist. Allowlisted principals pass through grant* methods normally.

3. Integration test — Added integ.dynamodb.grant-service-principal verifying the three allowlisted principals produce correct resource policies in the synthesized CloudFormation template.

Describe any new or updated permissions being added

No new or updated IAM permissions. This change prevents invalid IAM resource policy statements from being generated for unsupported service principals, while allowing valid ones through.

Description of how you validated changes

• Unit tests: dynamodb.test.ts (186 passing), table-v2.test.ts (135 passing)
  • Unsupported principals (bedrock.amazonaws.com, lambda.amazonaws.com) throw ValidationError
  • Allowlisted principals (redshift, replication.dynamodb, glue) succeed
  • Wrapped principals (via .withConditions()) handled correctly for both cases
• Integration test: integ.dynamodb.grant-service-principal deployed successfully with snapshot containing resource policy statements for all three allowlisted principals

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ☑️	Skipped	Failed ❌️
Security Guardian Results	48 ran	47 passed		1 failed

Test	Result
Security Guardian Results
packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.grant-service-principal.js.snapshot/grant-service-principal-test-stack.template.json
resource-policy-root-principal-needs-conditions.guard	❌ failure

• View Security Guardian Results

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ☑️	Skipped	Failed ❌️
Security Guardian Results with resolved templates	48 ran	47 passed		1 failed

Test	Result
Security Guardian Results with resolved templates
packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.grant-service-principal.js.snapshot/grant-service-principal-test-stack.template.json
resource-policy-root-principal-needs-conditions.guard	❌ failure

• View Security Guardian Results with resolved templates

[mrgrain]

Kinda sounds like that SPs are never allowed here, but elsewhere you have stated at a small limited list of SPs is actually allowed. I don't think we should drop all SPs, but have a allow list.

[kumsmrit]

Yes, there are few SPs documented for DynamoDB resource policies, but they are integration-specific and require their own actions/conditions (e.g. replication.dynamodb.amazonaws.com). The generic grant* methods add standard data actions (dynamodb:GetItem, dynamodb:PutItem, etc.), which are not the right action set for those service-principal resource policies.
So even if we had an allowlist of permitted SPs, the actions being granted by grant* methods could produce incorrect resource policy which might not fail deployment, but it could still be functionally incorrect.

Because of that, I think the right path for SPs is the explicit addToResourcePolicy API, where the caller can provide the correct integration-specific principal, actions, and conditions.

[aws-cdk-automation]

(This review is outdated)

[Abogical]

Snapshot deployment passed: https://github.com/aws/aws-cdk/actions/runs/23655284133/job/68910779532?pr=37335

Removing label.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-03-28 07:35 UTC · Rule: default-squash
• ✅ Checks passed · in-place
• ✅ Merged — 2026-03-28 08:28 UTC · at 6fd29d49348fb170f81ad0ce1e473886d8f2e914

This pull request spent 52 minutes 18 seconds in the queue, including 52 minutes 10 seconds running CI.

Required conditions to merge

• #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • fix(dynamodb): throw error when grantee is an unsupported ServicePrincipal #37335
• #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
  • fix(dynamodb): throw error when grantee is an unsupported ServicePrincipal #37335
• any of [🛡 GitHub branch protection]:
  • check-success = validate-pr
  • check-neutral = validate-pr
  • check-skipped = validate-pr
• any of [🛡 GitHub branch protection]:
  • check-success = build
  • check-neutral = build
  • check-skipped = build

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.