How can the organization achieve this?
Define the group policy and add a condition which allows the access based on the IAM name
Create a DynamoDB table with the same name as the IAM user name and define the policy rule which grants access based on the DynamoDB ARN using a variable
Create a separate DynamoDB database for each user and configure a policy in the group based on the DB variable
It is not possible to have a group level policy which allows different IAM users to different DynamoDB Tables
Explanations:
IAM policies can be written with conditions, but using IAM name as a condition would not dynamically map to specific DynamoDB tables. The policy cannot reliably map to each user’s specific table based solely on the IAM user name.
This option correctly uses a policy rule where the table name can be dynamically generated based on the IAM user’s name. Using a variable in the ARN allows for the policy to grant access to the table named after the IAM user.
There is no concept of a “separate DynamoDB database” in AWS. DynamoDB is a single database service with tables. Therefore, creating a separate “DynamoDB database” is not feasible.
It is possible to set a group-level policy where the access is dynamically granted based on the IAM user’s name in the ARN, so this statement is incorrect.
I design that the answer is:
Create a DynamoDB table with the same name as the IAM user name and define the policy rule which grants access based on the DynamoDB ARN using a variable