ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional SAP-C02 exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 185 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional SAP-C02
Question #: 185
Topic #: 1
[All AWS Certified Solutions Architect - Professional SAP-C02 Questions]

A company uses AWS Organizations for a multi-account setup in the AWS Cloud. The company's finance team has a data processing application that uses AWS Lambda and Amazon DynamoDB. The company's marketing team wants to access the data that is stored in the DynamoDB table.

The DynamoDB table contains confidential data. The marketing team can have access to only specific attributes of data in the DynamoDB table. The finance team and the marketing team have separate AWS accounts.

What should a solutions architect do to provide the marketing team with the appropriate access to the DynamoDB table?

  • A. Create an SCP to grant the marketing team's AWS account access to the specific attributes of the DynamoDB table. Attach the SCP to the OU of the finance team.
  • B. Create an IAM role in the finance team's account by using IAM policy conditions for specific DynamoDB attributes (fine-grained access control). Establish trust with the marketing team's account. In the marketing team's account, create an IAM role that has permissions to assume the IAM role in the finance team's account.
  • C. Create a resource-based IAM policy that includes conditions for specific DynamoDB attributes (fine-grained access control). Attach the policy to the DynamoDB table. In the marketing team's account, create an IAM role that has permissions to access the DynamoDB table in the finance team's account.
  • D. Create an IAM role in the finance team's account to access the DynamoDB table. Use an IAM permissions boundary to limit the access to the specific attributes. In the marketing team's account, create an IAM role that has permissions to assume the IAM role in the finance team's account.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by Roontha at May 28, 2023, 3:04 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
andreitugui
Highly Voted 2 years, 1 month ago
Selected Answer: B
Answer is B
upvoted 9 times
...
pk0619
Most Recent 6 months, 2 weeks ago
Selected Answer: C
B was right answer until DynamoDB started supporting resource based policies, which makes C right.
upvoted 1 times
...
liuliangzhou
10 months ago
Selected Answer: B
I prefer B over C. Attach the policy (specific DynamoDB attributes) to the DynamoDB table. This will result in the finance team's account not being able to fully access DynamoDB.
upvoted 1 times
...
fartosh
1 year, 1 month ago
Selected Answer: C
I choose C over B. Both solutions work and are standard approaches for allowing cross-account access. But as compared to S3, option C allows the marketing account to use their usual IAM identities without compromising their permissions. When you assume the role in a different account (option B), you can no longer access resources in your own account. The resource-based policy for the DynamoDB table supports conditions as well: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/rbac-examples.html#rbac-examples-cross-account
upvoted 2 times
helloworldabc
10 months, 1 week ago
just B
upvoted 1 times
kgpoj
10 months, 1 week ago
Dude stop generating garbage info for everyone. I've seen you replying a lot of `just X`. If you have a reason for some choice, then write it down. `just x` sounds so dumb and premature.
upvoted 12 times
...
...
...
sse69
1 year, 1 month ago
Selected Answer: B
Starting march 24', DynamoDB supports resource based policies : https://aws.amazon.com/about-aws/whats-new/2024/03/amazon-dynamodb-resource-based-policies/ So another way to achieve this would be to create an index for the marketing team, and have the policy restrict their role to that particular index. On the one hand the new index would incur more costs, on the other hand, having only certain attributes fetched would mean less read units consumed...
upvoted 3 times
...
yuliaqwerty
1 year, 6 months ago
B https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_dynamodb_attributes.html
upvoted 3 times
...
career360guru
1 year, 7 months ago
Selected Answer: B
Option B as DynamoDB does not support Resource based policies.
upvoted 2 times
LuongTo
7 months, 1 week ago
Amazon DynamoDB now supports resource-based policies from Mar 20, 2014 https://aws.amazon.com/about-aws/whats-new/2024/03/amazon-dynamodb-resource-based-policies/
upvoted 1 times
...
erenbiku1
1 year, 6 months ago
Service-linked roles for DynamoDB is not supported Service roles for DynamoDB is supported Identity-based policies for DynamoDB is supported Resource-based policies within DynamoDB is not supported
upvoted 1 times
...
...
AMohanty
1 year, 10 months ago
For Cross Account permission we attach Resource Policy with Principal identified as incoming Request Account ARN + IAM permissions to query the Finance Account. C seems more of a resonable answer.
upvoted 1 times
chikorita
1 year, 10 months ago
i dont think C can address the requirement of "he marketing team can have access to only specific attributes of data in the DynamoDB table" hence, B
upvoted 1 times
...
...
ggrodskiy
1 year, 11 months ago
Correct C.
upvoted 1 times
Gmail78
1 year, 10 months ago
While resource-based policies can provide granular access control, they are typically used for controlling access within the same AWS account. Cross-account access control is typically achieved using IAM roles with trust relationships. It is B.
upvoted 1 times
AMohanty
1 year, 10 months ago
No, Resource based policies can specify which Principals to give access to Cross Account.
upvoted 1 times
...
...
...
NikkyDicky
2 years ago
Selected Answer: B
B. DynamoDB fine-grained access using IAM
upvoted 1 times
...
SkyZeroZx
2 years ago
Selected Answer: B
B for sure. Key word: trust
upvoted 3 times
...
Maria2023
2 years ago
Selected Answer: B
D would be the perfect choice, since the boundaries are the "new fancy thing" but it's lacking the trust to the marketing account which is a requirement to assume role from one account to another. So it should be B
upvoted 3 times
0c118eb
1 year, 6 months ago
This would not be a good use case for permissions boundaries by itself. Even with permissions boundaries you would still need to implement a solution like B to provide the required permissions.
upvoted 1 times
...
...
Alabi
2 years ago
Selected Answer: B
B for sure. Key word: trust
upvoted 3 times
...
kfrum4
2 years ago
Selected Answer: B
Answer: B DynamoDB doesn't support resource based policy https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/using-identity-based-policies.html
upvoted 2 times
ggrodskiy
1 year, 11 months ago
That is not correct. DynamoDB does support resource-based policies for tables and indexes. You can attach a resource-based policy to a DynamoDB table or index to specify who can access that resource and under what conditions. You can also use resource-based policies to grant cross-account access or fine-grained access control for specific DynamoDB attributes. For more information, please refer to this documentation: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/using-identity-based-policies.html
upvoted 1 times
...
...
Rajivjain
2 years, 1 month ago
Selected Answer: C
Resource-based IAM policy
upvoted 1 times
...
Roontha
2 years, 1 month ago
Answer : B
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel