Within a User Pool you can create Groups, each with its own IAM role and therefore its own policy, and assign users to those groups. First you have to create a new Policy and a new Role that the Policy is attached to; the Role is later assigned to the user group.
Click Services and in the search field enter IAM (Identity and Access Management).
On the IAM screen click Policies and then the Create policy button.
Here you can define the policy via the Visual editor or directly by writing JSON. Stay in the Visual editor, click Service and select DynamoDB.
Under Actions select Read and then Query and Scan. This will allow your users to read DynamoDB entries.
Under Resources, selecting ‘All resources’ lets the policy reach every DynamoDB table in the account. This is acceptable for a first test, but for least privilege you should restrict it to a specific table (its ARN) or, with the dynamodb:LeadingKeys condition key, even to items with particular partition keys; you can do this later by editing the policy.
Then click Review policy.
On the next screen specify a Name and Description and click Create policy.
You are now informed that the policy has been created.
In the IAM console click Roles in the left menu and then the Create role button.
On the next screen select Web identity, choose ‘Amazon Cognito’ as the Identity provider, enter your Identity Pool ID and click Next: Permissions. The wizard generates a trust policy that allows sts:AssumeRoleWithWebIdentity only for identities federated through this identity pool (the cognito-identity.amazonaws.com:aud condition), so the role cannot be assumed from another pool.
You can get the Identity Pool ID from Cognito. Open a new window, go to https://eu-central-1.console.aws.amazon.com/cognito/federated and click your identity pool. Then on the Dashboard of your pool click Edit identity pool and you will see it.
Back in role creation: on the next screen enter the name of the policy you created above into the search field and tick the checkbox next to it. Then press the Next: Tags button and then the Next: Review button.
Then enter the Role name and Role description. Click Create role.
Congratulations, your role has been created and you should see it in the list of roles.
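The same policy and role can be defined as JSON instead of through the Visual editor. The following is an added example, not code from the original post: it builds the DynamoDB read policy (scoped to one table rather than ‘All resources’), builds the trust policy that the Web identity wizard generates for Amazon Cognito, and runs a small least-privilege check over a policy document. The account ID, region, table name and identity pool ID are hypothetical placeholders.

```python
import json

# Hypothetical identifiers for this example (not from the original page).
ACCOUNT_ID = "123456789012"
REGION = "eu-central-1"
TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT_ID}:table/Orders"
IDENTITY_POOL_ID = f"{REGION}:00000000-0000-0000-0000-000000000000"

# DynamoDB API verbs that only read data.
READ_VERBS = ("Get", "BatchGet", "Query", "Scan", "Describe", "List")


def dynamodb_read_policy(table_arn: str) -> dict:
    """JSON equivalent of the Visual editor choice Service=DynamoDB, Read.
    Pass a table ARN to scope the policy to that table and its indexes;
    pass "*" to reproduce the 'All resources' choice from the walkthrough."""
    resources = ["*"] if table_arn == "*" else [table_arn, f"{table_arn}/index/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadDynamoDB",
                "Effect": "Allow",
                "Action": [
                    "dynamodb:GetItem",
                    "dynamodb:BatchGetItem",
                    "dynamodb:Query",
                    "dynamodb:Scan",
                ],
                "Resource": resources,
            }
        ],
    }


def cognito_trust_policy(identity_pool_id: str) -> dict:
    """Trust policy for a 'Web identity' role with Amazon Cognito as provider.
    The aud condition ties the role to one identity pool (as the wizard does);
    the amr condition, which Cognito's own generated authenticated roles also
    carry, keeps unauthenticated (guest) identities from assuming it."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": "cognito-identity.amazonaws.com"},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        "cognito-identity.amazonaws.com:aud": identity_pool_id
                    },
                    "ForAnyValue:StringLike": {
                        "cognito-identity.amazonaws.com:amr": "authenticated"
                    },
                },
            }
        ],
    }


def policy_findings(policy: dict) -> list:
    """Least-privilege review of a policy document: report Allow statements
    that use a wildcard resource or grant anything beyond read-only DynamoDB."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        resources = stmt.get("Resource", [])
        actions = stmt.get("Action", [])
        if isinstance(resources, str):
            resources = [resources]
        if isinstance(actions, str):
            actions = [actions]
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' grants access to every table in the account")
        for action in actions:
            service, _, verb = action.partition(":")
            if service != "dynamodb" or not verb.startswith(READ_VERBS):
                findings.append(f"{sid}: action {action} is not a read-only DynamoDB action")
    return findings


if __name__ == "__main__":
    # Save these documents and feed them to
    #   aws iam create-policy --policy-document file://policy.json
    #   aws iam create-role --assume-role-policy-document file://trust.json
    print(json.dumps(dynamodb_read_policy(TABLE_ARN), indent=2))
    print(json.dumps(cognito_trust_policy(IDENTITY_POOL_ID), indent=2))
    print(policy_findings(dynamodb_read_policy("*")))
```

Running the script prints the two documents and one finding for the ‘All resources’ variant, which is exactly the choice the walkthrough makes; swap in the real table ARN before attaching the policy to anything users can reach.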
Create User Groups
In the AWS console click Services and enter Cognito in the search field.
On the Cognito page select Manage User Pools and then select your User Pool. More about creating a user pool is here: http://220.127.116.11/2019/09/18/how-to-create-cognito-user-and-identity-pools/
Click Users and groups on the left and then the Groups tab. Then press the Create group button.
Specify the Name and Description of the new group. Then open the IAM role dropdown and select the role you created previously. You can also set a Precedence value: if a user belongs to several groups, the group with the lowest Precedence decides which role is written into the cognito:preferred_role claim of the ID token.
Click Create group.
Now you can see your new group in the list of groups. This group has the rights specified in the Policy of the attached role. If you need to extend or limit access rights, simply edit the policy. Note that the group's role is only used for AWS credentials if the Identity Pool's user pool authentication provider is set to ‘Choose role from token’; with the default setting every authenticated user receives the pool's default authenticated role, whatever groups they belong to.
In Cognito User Pools select Users and groups, then the Users tab and click Create user.
On the next screen specify the parameters as shown in the picture and click Create user. Note that the password must comply with the password policy defined for the User Pool (not the group) when the pool was created.
Now you can see this user in the list of users. Click the username and select the Add to group button.
Then simply select the group you would like to assign the user to and click Add to group. Close the dialogue.
Now you can check that the user has been properly added to the group. Go to Users and groups, select the Groups tab and click the group name. The user should be displayed in the list.
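Whether group membership actually changes what the user can do in AWS depends on group precedence and on the identity pool's role-selection setting. The following is an added example, not code from the original post, that models this: it fills the cognito:groups, cognito:roles and cognito:preferred_role claims the way the user pool does (lowest Precedence wins, a tie between groups with different roles leaves cognito:preferred_role unset) and then shows which role the identity pool would issue credentials for under ‘Use default role’ versus ‘Choose role from token’. The group names, Precedence values and role ARNs are constructed sample data, and every group is assumed to have a Precedence set.

```python
from typing import Dict, Iterable, Optional

# Constructed sample user-pool groups (hypothetical names, precedences, ARNs).
# Lower precedence value = higher priority. Every group here has a Precedence.
GROUPS: Dict[str, dict] = {
    "readers":  {"precedence": 10, "role": "arn:aws:iam::123456789012:role/CognitoDynamoReadRole"},
    "admins":   {"precedence": 1,  "role": "arn:aws:iam::123456789012:role/CognitoAdminRole"},
    "auditors": {"precedence": 1,  "role": "arn:aws:iam::123456789012:role/CognitoAuditRole"},
}

DEFAULT_AUTH_ROLE = "arn:aws:iam::123456789012:role/Cognito_DefaultAuth_Role"  # hypothetical


def preferred_role(user_groups: Iterable[str], groups: Dict[str, dict] = GROUPS) -> Optional[str]:
    """Mirror how the user pool computes cognito:preferred_role: take the groups
    with the lowest precedence value; if they all map to one role, that is the
    claim, otherwise the claim is not set."""
    candidates = [
        (groups[g]["precedence"], groups[g]["role"])
        for g in user_groups
        if g in groups and groups[g].get("role")
    ]
    if not candidates:
        return None
    best = min(p for p, _ in candidates)
    roles = {r for p, r in candidates if p == best}
    return roles.pop() if len(roles) == 1 else None


def id_token_claims(username: str, user_groups: Iterable[str], groups: Dict[str, dict] = GROUPS) -> dict:
    """Build the group-related claims of the ID token for a user."""
    user_groups = list(user_groups)
    claims = {
        "cognito:username": username,
        "cognito:groups": user_groups,
        "cognito:roles": [groups[g]["role"] for g in user_groups if g in groups and groups[g].get("role")],
    }
    role = preferred_role(user_groups, groups)
    if role:
        claims["cognito:preferred_role"] = role
    return claims


def role_issued_by_identity_pool(claims: dict, mode: str, default_role: str = DEFAULT_AUTH_ROLE,
                                 unresolved: str = "default") -> Optional[str]:
    """Which IAM role the identity pool hands out credentials for.
    mode: 'default' = 'Use default role' (the console default);
          'token'   = 'Choose role from token'.
    unresolved: what 'Role resolution' does when no preferred role is in the
    token: 'default' falls back to the default role, 'deny' issues nothing."""
    if mode == "default":
        return default_role            # group membership makes no difference here
    if mode == "token":
        if "cognito:preferred_role" in claims:
            return claims["cognito:preferred_role"]
        return default_role if unresolved == "default" else None
    raise ValueError(f"unknown role-selection mode: {mode}")


if __name__ == "__main__":
    alice = id_token_claims("alice", ["readers"])
    print("default mode :", role_issued_by_identity_pool(alice, "default"))
    print("token mode   :", role_issued_by_identity_pool(alice, "token"))
    bob = id_token_claims("bob", ["admins", "auditors"])  # precedence tie, different roles
    print("ambiguous+deny:", role_issued_by_identity_pool(bob, "token", unresolved="deny"))
```

The point to check after adding a user to a group is the second line of the output: only in ‘Choose role from token’ mode does the DynamoDB read role from the group reach the user, and a precedence tie between groups with different roles silently drops the preferred role, so give each group that carries a role a distinct Precedence.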