My use case is I want to collect some data from my mobile application. A record should be written every time the app is used.
Mainly, I am unsure whether to use Public, Protected, or Private. I don't want any users to have read access, but they need write access in order to send the data to my table. Private seems to make sense, but then that limits the primary key to 'userId', and won't that make it so each end user can only have a single record in DynamoDB?
You could also start with "public" permissions on a DynamoDB NoSQL table created in AWS Mobile Hub, and then edit the authorization policies to remove the "read" operations (i.e., Get, Scan, Query) from the auth and unauth user NoSQL policies. This would give you a DynamoDB table, directly accessible from the Mobile App, but in a write-only mode.
To get to your authorization policies in AWS Mobile Hub, click on the "Resources" button in the left navigation panel, then scroll to "AWS Identity and Access Management Roles." The ...unauth... role is for unauthenticated users. The ...auth... role is for users who are signed-in to the app. Click on the role, click on the ...nosqldatabase... policy, and modify the "action" section(s) to only contain...
"Action": [
"dynamodb:BatchWriteItem",
"dynamodb:DeleteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem"
],
Firstly, consider why you are gathering the data. You may be better off with a mobile analytics platform. Since you are on AWS, take a look at Amazon Pinpoint or AWS Mobile Hub.
If you actually want to push the activities into the cloud, then I suggest implementing an AWS Lambda that your mobile app calls with a JSON blob. That blob will then be validated and injected into DynamoDb by the Lambda. This way, you gain the "read-only" protection (since only the Lambda is exposed to your client) and you are also able to collect whatever JSON blob you need, plus protect yourself from malicious actors.
