Restricting Access to S3Guard Tables

You must set permissions to restrict access to S3Guard tables.

When restricting access to S3Guard tables, these are the permissions needed for simply using the table:

dynamodb:BatchGetItem
dynamodb:BatchWriteItem
dynamodb:DeleteItem
dynamodb:DescribeTable
dynamodb:GetItem
dynamodb:PutItem
dynamodb:Query
dynamodb:UpdateItem

For the hadoop s3guard table management commands, extra permissions are required:

dynamodb:CreateTable
dynamodb:DescribeLimits
dynamodb:DeleteTable
dynamodb:Scan
dynamodb:TagResource
dynamodb:UntagResource
dynamodb:UpdateTable

It is best to remove these rights, especially the dynamodb:CreateTable and dynamodb:DeleteTable permissions, from non-administrators.
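
The check below is an added example, not part of the original page or of Hadoop: it builds a policy for ordinary users from the "simply using the table" list and reports which table management actions a policy document allows, including through wildcards such as dynamodb:*. The table ARN, account id, region and function names are constructed placeholders; Resource, Condition and Deny statements are not evaluated.

```python
import re

# Action lists taken from the page above.
USE_ACTIONS = [
    "dynamodb:BatchGetItem", "dynamodb:BatchWriteItem", "dynamodb:DeleteItem",
    "dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:PutItem",
    "dynamodb:Query", "dynamodb:UpdateItem",
]
ADMIN_ACTIONS = [
    "dynamodb:CreateTable", "dynamodb:DescribeLimits", "dynamodb:DeleteTable",
    "dynamodb:Scan", "dynamodb:TagResource", "dynamodb:UntagResource",
    "dynamodb:UpdateTable",
]

# Constructed sample: ARN, account id and region are placeholders.
TABLE_ARN = "arn:aws:dynamodb:us-east-1:111122223333:table/example-s3guard-table"
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": USE_ACTIONS, "Resource": TABLE_ARN}],
}

def _listify(value):
    # IAM allows a single string/object where a list is expected.
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _matches(pattern, action):
    # IAM action patterns are case-insensitive; '*' and '?' are the wildcards.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def admin_actions_allowed(policy):
    """Return the table management actions granted by Allow statements.

    Simplification: Resource, Condition and Deny statements are ignored,
    so the result is what the policy could grant at most.
    """
    granted = set()
    for stmt in _listify(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _listify(stmt.get("Action")):
            granted.update(a for a in ADMIN_ACTIONS if _matches(pattern, a))
        if "NotAction" in stmt:  # allows everything except the listed patterns
            excluded = _listify(stmt["NotAction"])
            granted.update(a for a in ADMIN_ACTIONS
                           if not any(_matches(p, a) for p in excluded))
    return sorted(granted)

if __name__ == "__main__":
    print(admin_actions_allowed(USER_POLICY))
```

An empty result for a non-administrator's policy means none of the table management actions are allowed by it.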