Status: IN
An unconditional Allow in an identity-based policy overrides conditional Allow statements in a DynamoDB resource-based policy — use explicit Deny instead of conditional Allow to enforce restrictions like attribute-level access.
Source: entries/2026/03/11/amazondynamodb-latest-developerguide-rbac-auth-iam-id-based-policies-DDBhtml.md