Partial SAM template and partial Go Lambda handler showing how an IAM policy scoped to a single DynamoDB GSI, with a dynamodb:LeadingKeys condition, limits which partition-key values the function may query.
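// handler serves GET /customer/ssn/{ssn}: it queries the "SSN-index" GSI of
// d.table for the ssn path parameter and returns the first matching item as
// JSON.
//
// No authorisation happens in this code. The accompanying SAM template grants
// the function dynamodb:Query on the index only, with a dynamodb:LeadingKeys
// condition, so a query for an SSN outside the allowed prefix is presumably
// rejected by DynamoDB and surfaces here as the error from d.ddb.Query.
//
// Responses: 400 when the path parameter is empty, 404 when the query matches
// nothing, 200 with the item otherwise. Any SDK error (including the
// access-denied case above) is returned as err rather than written into the
// body, so the error text is not echoed to the client; API Gateway should
// turn it into a generic 5xx — confirm against the deployed integration.
func (d *dependencies) handler(request events.APIGatewayProxyRequest) (events.APIGatewayProxyResponse, error) {
	ssn := request.PathParameters[PathParameter]
	if ssn == "" {
		return events.APIGatewayProxyResponse{
			Body:       `{"message":"missing path parameter"}`,
			StatusCode: 400,
		}, nil
	}

	// NOTE(review): the SSN travels in the URL path, so it will appear in any
	// access log that records request paths. Consider a POST body or a
	// tokenised lookup key if such logs are retained.
	input := dynamodb.QueryInput{
		TableName: aws.String(d.table),
		// Hard-coded for the proof of concept; the IAM Resource in the
		// template must name this same index or the query is denied.
		IndexName:              aws.String("SSN-index"),
		KeyConditionExpression: aws.String("SSN = :v1"),
		ExpressionAttributeValues: map[string]*dynamodb.AttributeValue{
			":v1": {S: aws.String(ssn)},
		},
	}

	output, err := d.ddb.Query(&input)
	if err != nil {
		return events.APIGatewayProxyResponse{}, err
	}

	// The original indexed Items[0] unconditionally, which panics (index out
	// of range) when the query returns no items; an unknown SSN is a 404.
	if len(output.Items) == 0 {
		return events.APIGatewayProxyResponse{
			Body:       `{"message":"not found"}`,
			StatusCode: 404,
		}, nil
	}

	// Proof of concept: only the first item is returned, serialised in the
	// raw AttributeValue shape the SDK hands back (e.g. {"SSN":{"S":"..."}}),
	// not as a flat customer object.
	body, err := json.Marshal(output.Items[0])
	if err != nil {
		return events.APIGatewayProxyResponse{}, err
	}
	return events.APIGatewayProxyResponse{
		Body:       string(body),
		Headers:    map[string]string{"Content-Type": "application/json"},
		StatusCode: 200,
	}, nil
}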
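Resources:
  CustomerBySSN:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: customer-by-ssn/
      Handler: customer-by-ssn
      Events:
        CatchAll:
          # NOTE(review): HttpApi events default to payload format 2.0 while
          # the Go handler decodes events.APIGatewayProxyRequest (the v1
          # shape). pathParameters deserialises either way, but other fields
          # may not — confirm PayloadFormatVersion matches the handler.
          Type: HttpApi
          Properties:
            Path: /customer/ssn/{ssn}
            Method: GET
      # Least privilege: the function may only Query the SSN-index GSI — not
      # the base table, and no Scan/GetItem/BatchGetItem — and only for
      # partition-key values that match the allowed prefix below.
      Policies:
        - Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - dynamodb:Query
              # Hard-coded for expediency; should be a template parameter.
              # Must match the IndexName the handler sets on its QueryInput.
              Resource: !Sub "${AppTable.Arn}/index/SSN-index"
              Condition:
                # dynamodb:LeadingKeys carries the partition-key value(s) of
                # the request. A Query always supplies one, so the set this
                # ForAllValues test runs over is never empty here.
                # NOTE(review): do not add Scan to Action — a Scan carries no
                # LeadingKeys, and a ForAllValues condition over an empty set
                # presumably evaluates to true, which would bypass the guard.
                ForAllValues:StringLike:
                  dynamodb:LeadingKeys:
                    # Hard-coded for testing; use a parameter. "*" matches any
                    # remainder, so this allows every SSN beginning with 44.
                    - "44*"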