
Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 185 discussion

A company uses AWS Organizations for a multi-account setup in the AWS Cloud. The company's finance team has a data processing application that uses AWS Lambda and Amazon DynamoDB. The company's marketing team wants to access the data that is stored in the DynamoDB table.

The DynamoDB table contains confidential data. The marketing team can have access to only specific attributes of data in the DynamoDB table. The finance team and the marketing team have separate AWS accounts.

What should a solutions architect do to provide the marketing team with the appropriate access to the DynamoDB table?

  • A. Create an SCP to grant the marketing team's AWS account access to the specific attributes of the DynamoDB table. Attach the SCP to the OU of the finance team.
  • B. Create an IAM role in the finance team's account by using IAM policy conditions for specific DynamoDB attributes (fine-grained access control). Establish trust with the marketing team's account. In the marketing team's account, create an IAM role that has permissions to assume the IAM role in the finance team's account.
  • C. Create a resource-based IAM policy that includes conditions for specific DynamoDB attributes (fine-grained access control). Attach the policy to the DynamoDB table. In the marketing team's account, create an IAM role that has permissions to access the DynamoDB table in the finance team's account.
  • D. Create an IAM role in the finance team's account to access the DynamoDB table. Use an IAM permissions boundary to limit the access to the specific attributes. In the marketing team's account, create an IAM role that has permissions to assume the IAM role in the finance team's account.
Suggested Answer: B 🗳️

Comments

andreitugui
Highly Voted 1 year, 3 months ago
Selected Answer: B
Answer is B
upvoted 7 times
liuliangzhou
Most Recent 1 week, 5 days ago
Selected Answer: B
I prefer B over C. Attach the policy (specific DynamoDB attributes) to the DynamoDB table. This will result in the finance team's account not being able to fully access DynamoDB.
upvoted 1 times
fartosh
3 months, 3 weeks ago
Selected Answer: C
I choose C over B. Both solutions work and are standard approaches for allowing cross-account access. But as compared to S3, option C allows the marketing account to use their usual IAM identities without compromising their permissions. When you assume the role in a different account (option B), you can no longer access resources in your own account. The resource-based policy for the DynamoDB table supports conditions as well: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/rbac-examples.html#rbac-examples-cross-account
upvoted 2 times
helloworldabc
2 weeks, 6 days ago
just B
upvoted 1 times
kgpoj
2 weeks, 3 days ago
Dude, stop generating garbage info for everyone. I've seen you reply a lot with `just X`. If you have a reason for some choice, then write it down. `just x` sounds so dumb and premature.
upvoted 1 times
sse69
4 months ago
Selected Answer: B
Starting March '24, DynamoDB supports resource-based policies: https://aws.amazon.com/about-aws/whats-new/2024/03/amazon-dynamodb-resource-based-policies/ So another way to achieve this would be to create an index for the marketing team, and have the policy restrict their role to that particular index. On the one hand the new index would incur more costs; on the other hand, having only certain attributes fetched would mean fewer read units consumed...
upvoted 2 times
yuliaqwerty
9 months ago
B https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_dynamodb_attributes.html
upvoted 3 times
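The policy pair linked in the comment above (fine-grained attribute conditions on the finance-account role, plus a trust relationship for the marketing account) can be traced end to end with a small simulation. This is an added example, not code from the thread or from AWS: account ids, role names, the table name and the attribute names are placeholders, and `request_context` encodes an assumption about how DynamoDB populates the `dynamodb:Attributes` and `dynamodb:Select` context keys. It goes slightly beyond the question by showing why `ForAllValues:StringEquals` on `dynamodb:Attributes` is paired with a `dynamodb:Select` check: the ForAllValues operator is vacuously true when the key is absent, so a Query or Scan with no projection would otherwise return every attribute.

```python
"""Constructed simulation of option B's policy chain: a cross-account AssumeRole
followed by a fine-grained DynamoDB read. All identifiers are placeholders."""

FINANCE_ACCOUNT = "111111111111"      # placeholder account ids
MARKETING_ACCOUNT = "222222222222"
TABLE_ARN = f"arn:aws:dynamodb:us-east-1:{FINANCE_ACCOUNT}:table/FinanceData"
FINANCE_ROLE_ARN = f"arn:aws:iam::{FINANCE_ACCOUNT}:role/MarketingReadOnly"
MARKETING_ROLE_ARN = f"arn:aws:iam::{MARKETING_ACCOUNT}:role/MarketingAnalyst"
ALLOWED_ATTRS = ["CustomerId", "Region", "Segment"]   # the non-confidential attributes

# 1. Trust policy on the finance-account role: only the marketing role may assume it.
FINANCE_ROLE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": MARKETING_ROLE_ARN}, "Action": "sts:AssumeRole"}]}

# 2. Permissions policy on that role: reads limited to ALLOWED_ATTRS.
#    ForAllValues:StringEquals passes when every requested attribute is allowed and
#    also when dynamodb:Attributes is absent, so the dynamodb:Select clause is what
#    blocks a Query/Scan that omits a projection and would return every attribute.
FINANCE_ROLE_PERMISSIONS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"],
    "Resource": TABLE_ARN,
    "Condition": {
        "ForAllValues:StringEquals": {"dynamodb:Attributes": ALLOWED_ATTRS},
        "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"}}}]}

# 3. Identity policy in the marketing account: permission to assume the finance role.
MARKETING_ROLE_PERMISSIONS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": FINANCE_ROLE_ARN}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def can_assume(caller_arn, caller_policy, target_role_arn, target_trust):
    """Cross-account AssumeRole needs both halves: the caller's identity policy must
    allow sts:AssumeRole on the target, and the target's trust policy must name the caller."""
    caller_ok = any(s["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(s["Action"])
                    and target_role_arn in _as_list(s["Resource"])
                    for s in caller_policy["Statement"])
    trust_ok = any(s["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(s["Action"])
                   and caller_arn in _as_list(s["Principal"]["AWS"])
                   for s in target_trust["Statement"])
    return caller_ok and trust_ok


def _condition_holds(op, key, expected, context):
    expected = _as_list(expected)
    if op == "ForAllValues:StringEquals":
        # Vacuously true when the key is missing from the request context.
        return all(v in expected for v in context.get(key, []))
    if op == "StringEqualsIfExists":
        return key not in context or context[key] in expected
    if op == "StringEquals":
        return key in context and context[key] in expected
    raise ValueError(f"operator not modelled: {op}")


def request_context(action, projection=None):
    """Assumed model of the IAM request context DynamoDB builds: a projection fills
    dynamodb:Attributes; Query/Scan carry dynamodb:Select, defaulting to ALL_ATTRIBUTES
    when no projection is supplied."""
    ctx = {}
    if projection:
        ctx["dynamodb:Attributes"] = list(projection)
    if action in ("dynamodb:Query", "dynamodb:Scan"):
        ctx["dynamodb:Select"] = "SPECIFIC_ATTRIBUTES" if projection else "ALL_ATTRIBUTES"
    return ctx


def is_allowed(policy, action, resource, context):
    """Simplified IAM evaluation: an explicit Allow whose conditions all hold (no Deny modelled)."""
    for s in policy["Statement"]:
        if (s["Effect"] != "Allow" or action not in _as_list(s["Action"])
                or resource not in _as_list(s["Resource"])):
            continue
        if all(_condition_holds(op, k, v, context)
               for op, kv in s.get("Condition", {}).items() for k, v in kv.items()):
            return True
    return False


def marketing_read(action, projection=None):
    """Full option-B path: assume the finance role, then call DynamoDB through it."""
    if not can_assume(MARKETING_ROLE_ARN, MARKETING_ROLE_PERMISSIONS,
                      FINANCE_ROLE_ARN, FINANCE_ROLE_TRUST):
        return False
    return is_allowed(FINANCE_ROLE_PERMISSIONS, action, TABLE_ARN,
                      request_context(action, projection))


if __name__ == "__main__":
    print(marketing_read("dynamodb:Query", ["CustomerId", "Segment"]))   # allowed
    print(marketing_read("dynamodb:Query", ["CustomerId", "Salary"]))    # denied: Salary not allowed
    print(marketing_read("dynamodb:Scan"))                               # denied: Select is ALL_ATTRIBUTES
```

Removing the `StringEqualsIfExists` clause and re-running the `Scan` case shows the gap the Select check closes; removing the marketing role from the trust policy (the defect discussed for option D later in the thread) makes every call fail at `can_assume` before any DynamoDB condition is evaluated.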
career360guru
9 months, 4 weeks ago
Selected Answer: B
Option B as DynamoDB does not support Resource based policies.
upvoted 2 times
erenbiku1
9 months, 1 week ago
Service-linked roles for DynamoDB: not supported. Service roles for DynamoDB: supported. Identity-based policies for DynamoDB: supported. Resource-based policies within DynamoDB: not supported.
upvoted 1 times
AMohanty
1 year ago
For cross-account permission we attach a resource policy with the Principal identified as the incoming request account ARN, plus IAM permissions to query the finance account. C seems the more reasonable answer.
upvoted 1 times
chikorita
1 year ago
I don't think C can address the requirement of "the marketing team can have access to only specific attributes of data in the DynamoDB table", hence B.
upvoted 1 times
ggrodskiy
1 year, 1 month ago
Correct C.
upvoted 1 times
Gmail78
1 year, 1 month ago
While resource-based policies can provide granular access control, they are typically used for controlling access within the same AWS account. Cross-account access control is typically achieved using IAM roles with trust relationships. It is B.
upvoted 1 times
AMohanty
1 year ago
No, Resource based policies can specify which Principals to give access to Cross Account.
upvoted 1 times
NikkyDicky
1 year, 2 months ago
Selected Answer: B
B. DynamoDB fine-grained access using IAM
upvoted 1 times
SkyZeroZx
1 year, 2 months ago
Selected Answer: B
B for sure. Key word: trust
upvoted 2 times
Maria2023
1 year, 2 months ago
Selected Answer: B
D would be the perfect choice, since the boundaries are the "new fancy thing", but it's lacking the trust to the marketing account, which is a requirement to assume a role from one account to another. So it should be B.
upvoted 3 times
0c118eb
8 months, 3 weeks ago
This would not be a good use case for permissions boundaries by itself. Even with permissions boundaries you would still need to implement a solution like B to provide the required permissions.
upvoted 1 times
Alabi
1 year, 3 months ago
Selected Answer: B
B for sure. Key word: trust
upvoted 1 times
kfrum4
1 year, 3 months ago
Selected Answer: B
Answer: B. DynamoDB doesn't support resource-based policies: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/using-identity-based-policies.html
upvoted 2 times
ggrodskiy
1 year, 1 month ago
That is not correct. DynamoDB does support resource-based policies for tables and indexes. You can attach a resource-based policy to a DynamoDB table or index to specify who can access that resource and under what conditions. You can also use resource-based policies to grant cross-account access or fine-grained access control for specific DynamoDB attributes. For more information, please refer to this documentation: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/using-identity-based-policies.html
upvoted 1 times
Rajivjain
1 year, 3 months ago
Selected Answer: C
Resource-based IAM policy
upvoted 1 times
Roontha
1 year, 3 months ago
Answer: B
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other