If you want to set up a separate IAM user for Dynamic DynamoDB, then you need to grant the user the following privileges:
cloudwatch:GetMetricStatistics
dynamodb:DescribeTable
dynamodb:ListTables
dynamodb:UpdateTable
sns:Publish
(used by the SNS notifications feature)
Here's an example IAM policy. Please make sure you update the ARNs according to your needs.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:DescribeTable", "dynamodb:ListTables", "dynamodb:UpdateTable", "cloudwatch:GetMetricStatistics" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": [ "arn:aws:sns:*::dynamic-dynamodb" ] } ] }