My use case is I want to collect some data from my mobile application. A record should be written every time the app is used.
Mainly, I am unsure whether to use Public, Protected, or Private. I don't want any users to have read access, but they need write access in order to send the data to my table. Private seems to make sense, but then that limits the primary key to 'userId', and won't that make it so each end user can only have a single record in DynamoDB?
You could also start with "public" permissions on a DynamoDB NoSQL table created in AWS Mobile Hub, and then edit the authorization policies to remove the "read" operations (i.e., Get, Scan, Query) from the auth and unauth user NoSQL policies. This would give you a DynamoDB table, directly accessible from the Mobile App, but in a write-only mode.
To get to your authorization policies in AWS Mobile Hub, click on the "Resources" button in the left navigation panel, then scroll to "AWS Identity and Access Management Roles." The ...unauth... role is for unauthenticated users. The ...auth... role is for users who are signed-in to the app. Click on the role, click on the ...nosqldatabase... policy, and modify the "action" section(s) to only contain...
"Action": [
    "dynamodb:BatchWriteItem",
    "dynamodb:DeleteItem",
    "dynamodb:PutItem",
    "dynamodb:UpdateItem"
],
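
An added example, not part of the original answer and not AWS Mobile Hub's own code: a Python check that reports which DynamoDB read operations a role policy still grants, including through wildcards such as `dynamodb:*`, and produces a copy with those grants removed as the answer describes. The sample policy, account id, table name and function names are constructed for illustration; statements that use `NotAction` are passed through without being evaluated.

```python
import fnmatch

# Read operations the answer removes (Get, Scan, Query), including the batch form.
READ_ACTIONS = ("dynamodb:GetItem", "dynamodb:BatchGetItem",
                "dynamodb:Scan", "dynamodb:Query")

# Constructed sample policy; the account id and table name are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:BatchGetItem", "dynamodb:BatchWriteItem",
                    "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:PutItem",
                    "dynamodb:Query", "dynamodb:Scan", "dynamodb:UpdateItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/example-usage"},
        {"Effect": "Allow",
         "Action": "dynamodb:Q*",
         "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/example-usage/index/*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _reads_matched(pattern):
    """Read actions an IAM action pattern covers (case-insensitive, * and ? wildcards)."""
    return [a for a in READ_ACTIONS
            if fnmatch.fnmatchcase(a.lower(), pattern.lower())]

def readable_actions(policy):
    """Sorted read actions granted by any Allow statement in the policy."""
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            for pattern in _as_list(stmt.get("Action", [])):
                granted.update(_reads_matched(pattern))
    return sorted(granted)

def strip_reads(policy):
    """Copy of the policy without read-granting patterns; emptied statements are dropped."""
    kept = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            actions = [p for p in _as_list(stmt["Action"]) if not _reads_matched(p)]
            if not actions:
                continue
            stmt = {**stmt, "Action": actions}
        kept.append(stmt)
    return {**policy, "Statement": kept}
```

Run `readable_actions` against both the auth and unauth role policies after editing them; an empty list means no read operation is granted by an `Allow` statement. The write operations can still return an item's previous contents through the `ReturnValues` request parameter, which the `dynamodb:ReturnValues` IAM condition key can restrict.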