Tags: graphql, amazon-dynamodb, aws-amplify, aws-appsync

How to add Access Rules to DynamoDB/AppSync?


I am using Amplify, AppSync, GraphQL, and DynamoDB in a chat-project.
My aim is to build a chat-app similar to facebook-messenger.
Is there a way to create access rules to certain DynamoDB documents (similar to Firestore Rules in Firebase)?
In other words, is it possible to only show certain documents to certain users in a safe and secure way?


Solution

  • This topic arises from time-to-time, and it's important to realize that security can (and likely should) happen in different layers of your application.

    When working in AWS, it's important you understand Identity and Access Management (IAM). IAM is what AWS uses to define access policies to resources throughout the AWS ecosystem.

    IAM is extremely powerful, and can even be used to define which DynamoDB partition each of your users has access to! This may seem like the solution to your problem. However, it's unlikely your application's users are accessing DynamoDB directly. Instead, they are invoking an API, which executes a Lambda using a different IAM role than your user. So, what do you do?

    Remember when I said security should happen at different layers of your application? Well, this is one of those times! Your application code should make decisions based on who is accessing the application and take appropriate action to allow/deny that access.

    For example, your application might decide that users can only message people they are friends with. This is not something IAM is going to help you with. Instead, you need to implement the logic to enforce this business rule directly in your application code.

    The moral of the story here is that there is no built-in mechanism to enforce all types of business rules your application may have.

    If you are using Amplify, you should start by looking into Cognito for Auth. Cognito will help you set up permissions for users of your application using IAM roles (e.g. unauthenticated, authenticated, administrators, etc). These roles will let you define different IAM policies that grant your users a variety of permissions (e.g. access to API Gateway endpoints, specific S3 buckets and DynamoDB tables, etc).
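To make the "application layer" point concrete, here is an added example (not from the answer above or from Amplify) of the two checks a Lambda resolver behind AppSync would run before touching DynamoDB: the caller's identity is taken from the Cognito token AppSync already verified, and the "only message friends" and "only read conversations you belong to" rules are enforced in code. The table data is a constructed in-memory stand-in, and the `event.identity.sub` / `event.arguments` shape is assumed from the direct Lambda resolver payload.

```javascript
// Constructed in-memory stand-in for the DynamoDB tables an AppSync Lambda
// resolver would query, so the authorization logic below runs offline.
const db = {
  // conversationId -> Cognito subs of its members
  conversationMembers: new Map([
    ["conv-1", new Set(["alice-sub", "bob-sub"])],
    ["conv-2", new Set(["carol-sub"])],
  ]),
  // userSub -> subs that user has accepted as friends
  friendships: new Map([["alice-sub", new Set(["bob-sub"])]]),
  messages: [
    { conversationId: "conv-1", from: "alice-sub", body: "hi bob" },
    { conversationId: "conv-2", from: "carol-sub", body: "private" },
  ],
};
// Identity comes from the Cognito token AppSync already verified, never from a
// client-supplied argument (assumes the direct Lambda resolver event shape).
function callerSub(event) {
  const sub = event && event.identity && event.identity.sub;
  if (!sub) throw new Error("Unauthorized: no authenticated identity");
  return sub;
}
function assertMember(store, conversationId, sub) {
  const members = store.conversationMembers.get(conversationId);
  if (!members || !members.has(sub)) {
    throw new Error(`Unauthorized: ${sub} is not a member of ${conversationId}`);
  }
}
// Query.listMessages: only members of a conversation may read it.
function listMessages(event, store = db) {
  const me = callerSub(event);
  const { conversationId } = event.arguments;
  assertMember(store, conversationId, me);
  return store.messages.filter((m) => m.conversationId === conversationId);
}
// Mutation.sendMessage: the "only message friends" rule from the answer, plus
// the membership rule, both enforced server-side before writing to the table.
function sendMessage(event, store = db) {
  const me = callerSub(event);
  const { conversationId, to, body } = event.arguments;
  const friends = store.friendships.get(me);
  if (!friends || !friends.has(to)) throw new Error("Unauthorized: not a friend");
  assertMember(store, conversationId, me);
  assertMember(store, conversationId, to);
  const msg = { conversationId, from: me, to, body };
  store.messages.push(msg);
  return msg;
}
```

A deployed Lambda would dispatch on `event.info.fieldName` to these functions and replace the `db` object with DynamoDB calls; the IAM role on that Lambda limits which tables it can reach, while these checks decide which items a given user may see.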