Storing sensitive information in dynamodb

I have a requirement to store sensitive information in a dynamodb table. The information is entered in client application which sends data to api gateway which then forwards the data to the table. Cognito users for the client app each have a number of entries with different sensitive data in each.

I want to minimise access to this information for people who are not cognito users, for example I do not want to be able to go to the dynamodb console and access the actual value of the data when I look at the table as a developer. Ideally I would like to have the client app perform some actions so that when the data is sent to aws, it is already not human readable but when the client app gets the data back again it can be made readable again.

Is it possible to hide some columns or a whole table from IAM users but have lambda functions still able to access it? Is it possible to encrypt the data using a kms key such that only the client app or cognito users can access that key to encrypt and decrypt the data clientside?

The current solution is to generate a data key for each item and store it alongside the data so that the data is unreadable and users are not responsible for storing and handling the key. However this only leaves one step of separation between the sensitive data with an IAM user able to decrypt the data using the key and view the data. Is there a better solution than this that doesn't result in cognito users being responsible for remembering the encryption key for their data but also prevents IAM users from taking simple steps to view it?

I have seen the response to this post https://repost.aws/questions/QUtBzzrw0jQmGwmPpkeAQLYw/data-redaction-or-mask-in-dynamodb which is about the same issue.