Can I apply a policy to an AWS DynamoDB table but restrict it based on the Cognito ID of the user accessing it?
E.g. A Customer table has a primary hash key equal to the
You should be able to do something like this using the same techniques as those for using an ID Provider. You should use the Cognito identifier as the key in the policy:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "dynamodb:DeleteItem",
      "dynamodb:GetItem",
      "dynamodb:PutItem",
      "dynamodb:Query"
    ],
    "Resource": ["arn:aws:dynamodb:REGION:123456789012:table/UserData"],
    "Condition": {
      "ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
      }
    }
  }]
}
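To see what the condition in the answer above actually enforces, here is an added example (not from the answer or from AWS) that models how IAM evaluates a `ForAllValues:StringEquals` condition on `dynamodb:LeadingKeys` for a few requests. It assumes the policy exactly as posted (the account ID, REGION and table name are the answer's placeholders), that `${cognito-identity.amazonaws.com:sub}` resolves to the caller's Cognito identity pool identity ID (the `region:uuid` form, not a user pool `sub`), and that the item's partition key stores that same identity ID. The identity IDs in the script are constructed sample values, and only the Allow statement and this one condition operator are modelled.

```python
import copy

# Copy of the policy from the answer; placeholders kept as they appear there.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:DeleteItem", "dynamodb:GetItem",
                   "dynamodb:PutItem", "dynamodb:Query"],
        "Resource": ["arn:aws:dynamodb:REGION:123456789012:table/UserData"],
        "Condition": {
            "ForAllValues:StringEquals": {
                "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
            }
        }
    }]
}

TABLE_ARN = "arn:aws:dynamodb:REGION:123456789012:table/UserData"
COGNITO_SUB_VAR = "${cognito-identity.amazonaws.com:sub}"


def with_action(policy, action):
    """Return a copy of the policy with an extra action in its first statement
    (used below to show why Scan must stay out of the Action list)."""
    clone = copy.deepcopy(policy)
    clone["Statement"][0]["Action"].append(action)
    return clone


def is_allowed(policy, caller_identity, action, resource, leading_keys):
    """Simplified IAM evaluation of the answer's Allow statement.

    caller_identity: value IAM substitutes for ${cognito-identity.amazonaws.com:sub}
    leading_keys:    partition-key values the request touches; IAM exposes this
                     set as the dynamodb:LeadingKeys context key (empty for Scan).
    Explicit Deny is not modelled because the policy on the page has none.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if action not in stmt["Action"] or resource not in stmt["Resource"]:
            continue
        cond = stmt.get("Condition", {})
        permitted = {
            v.replace(COGNITO_SUB_VAR, caller_identity)
            for v in cond.get("ForAllValues:StringEquals", {})
                         .get("dynamodb:LeadingKeys", [])
        }
        # ForAllValues: every key in the request must be in the permitted set.
        # A request with no keys in its context (a Scan) satisfies this
        # vacuously, which is why Scan is absent from the policy's Action list.
        if all(k in permitted for k in leading_keys):
            return True
    return False


if __name__ == "__main__":
    # Constructed identity pool IDs, not real identities.
    me = "us-east-1:11111111-2222-3333-4444-555555555555"
    other = "us-east-1:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    print(is_allowed(POLICY, me, "dynamodb:GetItem", TABLE_ARN, [me]))     # own row: allowed
    print(is_allowed(POLICY, me, "dynamodb:Query", TABLE_ARN, [other]))    # someone else's: denied
    print(is_allowed(POLICY, me, "dynamodb:Scan", TABLE_ARN, []))          # Scan not granted
    # If Scan were added to the Action list, the empty key set would match
    # and the caller could read the whole table:
    print(is_allowed(with_action(POLICY, "dynamodb:Scan"), me, "dynamodb:Scan", TABLE_ARN, []))
```

The last call is the check worth keeping in mind when extending this policy: `ForAllValues` matches when the request carries no `dynamodb:LeadingKeys` at all, so granting `dynamodb:Scan` (or `BatchGetItem` on other tables without their own key conditions) under the same statement silently removes the per-user restriction. The condition also only constrains the partition key; if items of one user must not be readable through a GSI keyed on something else, that index needs its own resource ARN and condition.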