DynamoDB table provisioning needs to consider Identity and Access Management to authorize the required access in order to allow database operators to perform their work. This is one of the first benefits of leveraging DynamoDB and that is a consolidated access management controls using identity and access management which is common for the rest of the AWS services and deployments. You can use administrator access for testing and experiments. 

However, for production workloads, it is important that you consider the best practice of applying the principle of least privilege and attribute the required access controls accordingly. A number of AWS-managed policies are available for DynamoDB including; full access, read only access, and Lambda invocation policies. The important detail to keep in mind is that in terms of operations, you want to provision access controls for individual tables or specific actions on set tables and sometimes even access to specific items and attributes exclusively.

The idea is to protect your data at all times and to provide the least amount of access required to perform a specific task. The example shown uses the identity and access management condition element to implement a fine-grain access control policy, allowing access to the music table items to a specific user ID. The condition element in this policy uses condition keys that are specific to DynamoDB policies and permissions. The DynamoDB leading keys condition allows users to access only items that match their user ID. The user ID in this case is identified by a substitution variable of the form ${www.amazon.com:user_id}. Please note that in this case, we're talking about one of your application users and not an AWS account user. Also, when using the leading keys in a condition statement, you must use therefore all values modifier as shown on the screen. The DynamoDB attributes conditions limits access to the specified attributes.

It represents a list of attribute names in a request or the attributes that can be returned from a request. Finally, adding the StringEqualsIfExists condition ensures that the application always provides a list of specific attributes to use and cannot request all the attributes in a table. The principle at work here is that if any of the condition elements evaluates to false, the entire policy evaluates to false as well and access is denied. Please make sure to examine the AWS documentation for specifying conditions in DynamoDB policies as the possibilities available are extensive. You can use the QR code shown on the screen to get to the documentation quickly.