To restricting access to S3Guard tables, here are the permissions needed for simply using the table:

dynamodb:BatchGetItem
dynamodb:BatchWriteItem
dynamodb:DeleteItem
dynamodb:DescribeTable
dynamodb:GetItem
dynamodb:PutItem
dynamodb:Query
dynamodb:UpdateItem

For the hadoop s3guard table management commands, extra permissions are required:

dynamodb:CreateTable
dynamodb:DescribeLimits
dynamodb:DeleteTable
dynamodb:Scan
dynamodb:TagResource
dynamodb:UntagResource
dynamodb:UpdateTable

It is best to remove these rights, especially the dynamodb:CreateTable and dynamodb:DeleteTable permissons from non-administrators.