Unable to use DynamoDB update API with signed/encrypted records

0

Hi, we are unable to use DynamoDB's update API because our records are encrypted and signed. To maintain a valid encryption signature, our service has to first GET the record from DynamoDB, update it, then PUT it back. We are using client side encryption.

From AWS docs:

Because your DynamoDB Mapper is configured to use the PUT save behavior, the item replaces any item with the same primary keys, instead of updating it. This ensures that the signatures match and you can decrypt the item when you get it from the table.

This opens up our application to race conditions, i.e. the record could be updated by another process sometime between the GET and PUT. We have looked into other solutions for this, such as using a conditional expression or version attribute that would throw a ConditionalCheckFailedException if the record has been modified by another process and retrying. There are disadvantages to this -- for example, if we have a lot of processes accessing the same record in a small amount of time, there could be a lot of retries and an overall latency increase.

Is there some way to use DynamoDB's update API on a record with encrypted and signed attributes?

asked a year ago, 347 views

1 answer
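The GET-modify-PUT loop with a version attribute that the question describes, as an added example that is not part of the original post. It uses a constructed in-memory table in place of DynamoDB (no boto3), where `put_item` replaces the whole item, as the encryption client's PUT save behavior requires, and enforces one condition on the stored `version`; the competing writer inside `demo_race` is simulated to show the lost update being caught and retried.

```python
class ConditionalCheckFailedException(Exception):
    """Stand-in for botocore's ConditionalCheckFailedException (constructed here)."""


class FakeTable:
    """Constructed in-memory stand-in for a DynamoDB table.

    put_item replaces the whole item (PUT save behavior) and only succeeds when the
    stored 'version' equals expected_version, mirroring a ConditionExpression."""

    def __init__(self):
        self.items = {}

    def get_item(self, key):
        return dict(self.items[key]) if key in self.items else None

    def put_item(self, key, item, expected_version):
        current = self.items.get(key)
        current_version = current["version"] if current else None
        if current_version != expected_version:
            raise ConditionalCheckFailedException(f"version {current_version} != {expected_version}")
        self.items[key] = dict(item)


def update_with_optimistic_lock(table, key, modify, max_attempts=5):
    """GET the whole item, apply modify(), PUT it back conditioned on the version read.

    Returns (item, attempts). Raises after max_attempts conflicting writes, so a hot
    key fails loudly instead of retrying forever (the latency concern in the question)."""
    for attempt in range(1, max_attempts + 1):
        current = table.get_item(key) or {"version": None}
        expected = current.get("version")
        new_item = modify(dict(current))
        new_item["version"] = (expected or 0) + 1
        try:
            table.put_item(key, new_item, expected_version=expected)
            return new_item, attempt
        except ConditionalCheckFailedException:
            continue  # another writer won the race; re-read and retry
    raise RuntimeError(f"gave up after {max_attempts} conflicting writes")


def demo_race():
    """Constructed scenario: a competing writer sneaks in between our GET and PUT once."""
    table = FakeTable()
    table.put_item("order#1", {"pk": "order#1", "balance": 100, "version": 1}, expected_version=None)
    calls = {"n": 0}

    def add_ten(item):
        calls["n"] += 1
        if calls["n"] == 1:  # simulate the other process: 100 -> 70, version 1 -> 2
            other = table.get_item("order#1")
            other["balance"] -= 30
            other["version"] += 1
            table.put_item("order#1", other, expected_version=1)
        item["balance"] += 10
        return item

    return update_with_optimistic_lock(table, "order#1", add_ten)
```

Without the version condition the first PUT would have stored balance 110 and silently discarded the other writer's change; with it the loop re-reads 70 and lands on 80 at version 3.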
0

According to the docs, the answer is 'No'.

If you use the default save behavior, which updates only the attributes that are modeled in the table item, attributes that are not modeled are not included in the signature, and are not changed by table writes. As a result, on later reads of all attributes, the signature will not validate, because it doesn't include un-modeled attributes.
AWS EXPERT kentrad
answered a year ago
