diff --git a/cloud/aws/deploy/policy.go b/cloud/aws/deploy/policy.go
index efa196fc6..36ad1df0c 100644
--- a/cloud/aws/deploy/policy.go
+++ b/cloud/aws/deploy/policy.go
@@ -58,6 +58,7 @@ var awsActionsMap map[resourcespb.Action][]string = map[resourcespb.Action][]str
 	resourcespb.Action_KeyValueStoreRead: {
 		"dynamodb:GetItem",
 		"dynamodb:BatchGetItem",
+		"dynamodb:Scan", // required to scan keys
 	},
 	resourcespb.Action_KeyValueStoreWrite: {
 		"dynamodb:UpdateItem",