Restricting DynamoDB table access at the root level - isgaur/AWS-BigData-Solutions GitHub Wiki

You can restrict read/write access to a DynamoDB table by applying a Service Control Policy (SCP) [1] at the root level of your organization that denies access to that table, as in the example below:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "dynamodb:BatchGet*",
            "dynamodb:DescribeStream",
            "dynamodb:DescribeTable",
            "dynamodb:Get*",
            "dynamodb:Query",
            "dynamodb:Scan",
            "dynamodb:BatchWrite*",
            "dynamodb:CreateTable",
            "dynamodb:Delete*",
            "dynamodb:Update*",
            "dynamodb:PutItem"
          ],
          "Resource": "arn:aws:dynamodb:*:*:table/MyTable"
        }
      ]
    }

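With this policy in place, no member account in your organization can perform any of the listed DynamoDB actions on the table, even if it has an IAM policy with an explicit allow, because an explicit deny overrides any allow in IAM's policy evaluation logic [2]. Note that SCPs do not apply to the organization's management account.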
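A coverage check for the Deny statement above (an added example, not part of the original wiki page): it models IAM's `*`/`?` matching in simplified form and reports which requests the statement does not match, so the action list and resource ARN can be tightened before the SCP is attached. The account ID, region, index name and stream label are constructed placeholders.

```python
import re

# Deny statement from the SCP above (actions and resource copied from the page).
DENY_ACTIONS = [
    "dynamodb:BatchGet*", "dynamodb:DescribeStream", "dynamodb:DescribeTable",
    "dynamodb:Get*", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchWrite*",
    "dynamodb:CreateTable", "dynamodb:Delete*", "dynamodb:Update*",
    "dynamodb:PutItem",
]
DENY_RESOURCE = "arn:aws:dynamodb:*:*:table/MyTable"


def _glob(pattern, ignore_case):
    """Compile an IAM-style pattern: '*' is any run, '?' is one character."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile(body, re.IGNORECASE if ignore_case else 0)


def is_denied(action, resource):
    """True if the statement's Action and Resource both match the request."""
    action_hit = any(_glob(p, True).fullmatch(action) for p in DENY_ACTIONS)
    resource_hit = _glob(DENY_RESOURCE, False).fullmatch(resource) is not None
    return action_hit and resource_hit


def uncovered(requests):
    """Return the (action, resource) pairs the Deny statement does not match."""
    return [r for r in requests if not is_denied(*r)]


# Constructed sample requests; account, region, index and stream label are placeholders.
TABLE = "arn:aws:dynamodb:us-east-1:111122223333:table/MyTable"
SAMPLE_REQUESTS = [
    ("dynamodb:GetItem", TABLE),
    ("dynamodb:PutItem", TABLE),
    ("dynamodb:DeleteTable", TABLE),
    ("dynamodb:TransactWriteItems", TABLE),
    ("dynamodb:PartiQLSelect", TABLE),
    ("dynamodb:Query", TABLE + "/index/ExampleIndex"),
    ("dynamodb:DescribeStream", TABLE + "/stream/2024-01-01T00:00:00.000"),
]

if __name__ == "__main__":
    for action, resource in uncovered(SAMPLE_REQUESTS):
        print("NOT denied:", action, resource)
```

Requests reported here need either additional actions in the `Action` list or additional ARNs (for example the table's `/index/*` and `/stream/*` sub-resources) in `Resource` if the intent is to block all access to the table.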

Reference Documentation:

[1] https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html

[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html