Yes, you are supposed to be able to list your DynamoDB table by default. When you create a DynamoDB table without explicitly attaching a resource-based policy, access to the table is controlled by identity-based policies (IAM policies) attached to your user, role, or group.
By default, the AWS account that creates a DynamoDB table has access to that table through the IAM permissions of the creator. This is why you were able to list the table you created.
DynamoDB's Block Public Access (BPA) feature specifically prevents the attachment of resource-based policies that would grant public access to DynamoDB tables, indexes, or streams across AWS accounts. It doesn't prevent authorized users within your account from accessing tables they have permission to use.
If you want to restrict access to your table, you can:
- Attach a resource-based policy to the table that explicitly defines who can access it
- Use identity-based policies to control which actions users can perform on specific tables
- Implement attribute-based access control using tags to manage permissions at scale
Without any explicit restrictions, your ability to list the table is the expected behavior based on your IAM permissions.
Sources
Blocking public access with resource-based policies in DynamoDB - Amazon DynamoDB
Amazon DynamoDB: Allows access to a specific table - AWS Identity and Access Management
Attach a policy to an existing DynamoDB table - Amazon DynamoDB
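As an added illustration of the model this answer describes (example code written here, not from the answer's author or from AWS): a simplified evaluator that treats identity-based and resource-based policies the way IAM does within one account versus across accounts, plus a check for the wildcard principal that DynamoDB Block Public Access refuses to attach. The account ID, table ARN, principals and policy documents are constructed samples.

```python
from fnmatch import fnmatchcase
ACCOUNT = "111122223333"  # constructed sample account ID
TABLE_ARN = f"arn:aws:dynamodb:us-east-1:{ACCOUNT}:table/Orders"  # constructed table ARN

# Identity-based policy scoped to one table: the answer's "use identity-based policies" option.
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"], "Resource": TABLE_ARN},
    {"Effect": "Allow", "Action": "dynamodb:ListTables", "Resource": "*"},
]}
# Resource-based policy with a wildcard principal: the kind Block Public Access refuses to attach.
PUBLIC_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "dynamodb:*", "Resource": TABLE_ARN},
]}
def _as_list(v):
    return v if isinstance(v, list) else [v]

def _account(arn):
    parts = arn.split(":")
    return parts[4] if len(parts) > 5 else None  # "*" names no owning account

def is_public(resource_policy):
    """True if any Allow statement names the wildcard principal (what DynamoDB BPA blocks)."""
    for st in resource_policy.get("Statement", []):
        p = st.get("Principal")
        if st["Effect"] == "Allow" and (p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")):
            return True
    return False

def _matches(st, action, resource):
    return (any(fnmatchcase(action, a) for a in _as_list(st["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])))

def _principal_matches(st, principal_arn):
    p = st.get("Principal")
    aws = p.get("AWS", []) if isinstance(p, dict) else p
    return aws == "*" or principal_arn in _as_list(aws)

def is_allowed(principal_arn, action, resource, identity_policy, resource_policy=None):
    """Simplified IAM evaluation: explicit Deny wins; same account needs one Allow, cross-account needs both."""
    id_stmts = [s for s in identity_policy["Statement"] if _matches(s, action, resource)]
    rp_stmts = [s for s in (resource_policy or {}).get("Statement", [])
                if _matches(s, action, resource) and _principal_matches(s, principal_arn)]
    if any(s["Effect"] == "Deny" for s in id_stmts + rp_stmts):
        return False
    id_allow = any(s["Effect"] == "Allow" for s in id_stmts)
    rp_allow = any(s["Effect"] == "Allow" for s in rp_stmts)
    owner = _account(resource)
    if owner is None or owner == _account(principal_arn):
        return id_allow or rp_allow
    return id_allow and rp_allow
```

The evaluator ignores conditions, NotAction/NotResource and session policies; it exists only to show why a same-account caller with an identity-based Allow can list and read the table with no resource policy attached, while a cross-account caller cannot until a scoped resource policy names it.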
Based on my experience working with DynamoDB, when you create a table, by default, it doesn't attach a resource-based policy unless you explicitly configure one. However, even without a resource-based policy, IAM identity-based policies (like the ones attached to your user or role) still control access.
So, if you're able to list the table, it likely means that your current IAM role or user has the necessary permissions, such as dynamodb:ListTables or dynamodb:DescribeTable. These permissions are not controlled by the table's resource policy but by what’s granted to your identity in the AWS account.
It's also important to note that DynamoDB is not publicly accessible over the internet in the way that, say, an S3 bucket might be. All access must go through AWS-authenticated channels, so even if you test “public access,” it still requires valid credentials unless explicitly exposed through something like an API Gateway with misconfigured permissions.
In short, yes, you can list the table if your IAM user/role has the right permissions, even without a resource-based policy. That behavior is expected.