I need to run a migration procedure which changes the form of the data in a DynamoDB table. I want to prevent writes from other processes whilst the migration takes place. Can I achieve this without temporarily modifying any IAM policy which allows writes to the table?
You can, by adding an explicit deny resource policy to the table itself.
    {
        "Effect": "Deny",
        "Principal": {
            "AWS": [
                "123456789012"
            ]
        },
        "Action": "dynamodb:PutItem",
        "Resource": "*"
    }
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/access-control-resource-based.html
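
An added example, not part of the original answer: it generalizes the statement above to all item-level write actions, exempts one migration principal, and merges the lock into any resource policy already on the table instead of overwriting it. The ARNs, the `MigrationWriteLock` Sid and the function names are assumptions for illustration; `write_lock` additionally assumes boto3 and AWS credentials are available.

```python
import json
from contextlib import contextmanager

LOCK_SID = "MigrationWriteLock"  # hypothetical Sid used to find our statement
# Item-level write actions, including the PartiQL write statements.
WRITE_ACTIONS = ["dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem",
                 "dynamodb:BatchWriteItem", "dynamodb:PartiQLInsert",
                 "dynamodb:PartiQLUpdate", "dynamodb:PartiQLDelete"]


def build_write_lock_policy(table_arn, migration_role_arn, existing=None):
    """Return the table policy (JSON text or None) with the write lock added."""
    policy = json.loads(existing) if existing else {"Version": "2012-10-17", "Statement": []}
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    lock = {
        "Sid": LOCK_SID,
        "Effect": "Deny",
        "Principal": "*",
        "Action": WRITE_ACTIONS,
        "Resource": table_arn,
        # Everyone except the migration principal is denied; for assumed-role
        # sessions aws:PrincipalArn is the role ARN, not the session ARN.
        "Condition": {"ArnNotEquals": {"aws:PrincipalArn": migration_role_arn}},
    }
    # Drop any stale lock first so repeated runs stay idempotent.
    policy["Statement"] = [s for s in statements if s.get("Sid") != LOCK_SID] + [lock]
    return policy


@contextmanager
def write_lock(table_arn, migration_role_arn):
    """Hold the lock for the duration of the migration, then restore the policy."""
    import boto3  # imported lazily so the builder works without the SDK
    ddb = boto3.client("dynamodb")
    try:
        previous = ddb.get_resource_policy(ResourceArn=table_arn)["Policy"]
    except ddb.exceptions.PolicyNotFoundException:
        previous = None
    locked = build_write_lock_policy(table_arn, migration_role_arn, previous)
    ddb.put_resource_policy(ResourceArn=table_arn, Policy=json.dumps(locked))
    try:
        yield
    finally:
        if previous is None:
            ddb.delete_resource_policy(ResourceArn=table_arn)
        else:
            ddb.put_resource_policy(ResourceArn=table_arn, Policy=previous)
```

Run the migration inside `with write_lock(table_arn, role_arn):`; the caller needs permission to get, put and delete the table's resource policy.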