相关疑难解决方法(0)

我是AWS的IAM新手.并且,我希望将对各种用户的查询限制为仅主键与cognito id匹配的表条目.为实现这一目标,我制定了政策:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "AllowAccessToOnlyItemsMatchingUserID",
        "Effect": "Allow",
        "Action": [
            "dynamodb:GetItem",
            "dynamodb:BatchGetItem",
            "dynamodb:Query",
            "dynamodb:PutItem",
            "dynamodb:UpdateItem",
            "dynamodb:DeleteItem",
            "dynamodb:BatchWriteItem"
        ],
        "Resource": [
            "arn:aws:dynamodb:us-east-1:XXXXXXXXXXX:table/User"
        ],
        "Condition": {
            "ForAllValues:StringEquals": {
                "dynamodb:LeadingKeys": [
                    "${cognito-identity.amazonaws.com:sub}"
                ]
            }
        }
    }
]

}

但是,当我使用Postman查询表时,如下所示:

我收到以下错误:

"__type": "com.amazon.coral.service#AccessDeniedException",


"Message": "User: arn:aws:sts::XXXXXXXXXXXXX:assumed-role/Achintest/BackplaneAssumeRoleSession is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-1:XXXXXXXXXXXXX:table/User"

有人可以让我知道我在做什么错吗？

========更新========

我尝试使用策略sim,我无法理解为什么不允许如下图所示的没有LeadingKey的Query.

当我提供领先钥匙时,它表示否认.见下图: