I’m using federated identities (cognito) for resource permissions and IAM policy conditions for fine-grained access control to my databases https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html
I want to make sure that dynamodb:PutItem is not able to overwrite an item if it already exists. I understand how this can be done from caller code but need to enforce it. Caller code:
Preventing Overwrites of an Existing Item
The PutItem operation will overwrite an item with the same key (if it exists). If you want to avoid this, use a condition expression. This will allow the write to proceed only if the item in question does not already have the same key:
aws dynamodb put-item \
    --table-name ProductCatalog \
    --item file://item.json \
    --condition-expression "attribute_not_exists(Id)"
If the condition expression evaluates to false, DynamoDB returns the following error message: The conditional request failed
But I want to enforce this in my CloudFormation IAM Policy, adding a condition. This is what I have to give you a better idea of what I’m talking about (without this check):
- Effect: Allow # listings created by this identity
  Action:
    - dynamodb:PutItem
  Resource:
    'arn:aws:dynamodb:${self:provider.region}:*:table/${self:provider.variables.dynamodb_listings_table_name}'
  Condition:
    ForAllValues:StringLike:
      dynamodb:LeadingKeys:
        Fn::Join: ['', ['$', '{cognito-identity.amazonaws.com:sub}_*']]
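The two controls in the question do different jobs, and the example below (added here, not code from the question or from AWS) shows how they fit together: the IAM `dynamodb:LeadingKeys` condition limits which partition keys the Cognito identity may write, while the `attribute_not_exists` condition expression on the PutItem call is what actually refuses an overwrite. It assumes the table's partition key is named `Id` (as in the quoted docs), that keys are shaped `<cognito sub>_<listing id>` to satisfy the LeadingKeys pattern, and a boto3-style DynamoDB client; the `_FakeDynamoDB` class is a constructed offline stand-in so the code runs without AWS.

```python
"""Conditional PutItem that refuses to overwrite an existing listing."""

# Error code DynamoDB returns when a ConditionExpression evaluates to false.
CONDITIONAL_CHECK_FAILED = "ConditionalCheckFailedException"


def listing_key(identity_sub: str, listing_id: str) -> str:
    # Partition key "<cognito sub>_<id>": matches the policy's
    # dynamodb:LeadingKeys pattern "${cognito-identity.amazonaws.com:sub}_*".
    return f"{identity_sub}_{listing_id}"


def create_listing(client, table_name, identity_sub, listing_id, attributes):
    """Insert a new listing; return True if written, False if the key exists.

    LeadingKeys only scopes *which* keys this identity may write; it cannot
    stop a second PutItem on the same key. The ConditionExpression does that.
    """
    item = {"Id": {"S": listing_key(identity_sub, listing_id)}}
    item.update({k: {"S": str(v)} for k, v in attributes.items()})
    try:
        client.put_item(
            TableName=table_name,
            Item=item,
            ConditionExpression="attribute_not_exists(Id)",
        )
    except Exception as exc:  # botocore raises ClientError; read its code
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == CONDITIONAL_CHECK_FAILED:
            return False  # item already exists; nothing was overwritten
        raise
    return True


class _FakeDynamoDB:
    """Constructed stand-in for a boto3 DynamoDB client (offline demo only);
    models just the attribute_not_exists(Id) condition used above."""

    def __init__(self):
        self.items = {}

    def put_item(self, TableName, Item, ConditionExpression=None):
        key = Item["Id"]["S"]
        if ConditionExpression == "attribute_not_exists(Id)" and key in self.items:
            err = Exception("The conditional request failed")
            err.response = {"Error": {"Code": CONDITIONAL_CHECK_FAILED}}
            raise err
        self.items[key] = Item
```

With a real client, `boto3.client("dynamodb")` can be passed in place of `_FakeDynamoDB()`; the call shape is the same.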