You can perform authentication using the IAM user or you can use a specific IAM role. Once they're authenticated, the authorization is controlled and the IAM policy is assigned to that specific user or role. What I recommend is that, when creating these policies for DynamoDB, you lock them down as much as possible, which means avoiding read and write access to all of the tables and DynamoDB. It's better to use a specific name for specific tables.