exam questions

Exam AWS Certified Solutions Architect - Professional All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional exam

Exam AWS Certified Solutions Architect - Professional topic 1 question 815 discussion

A company has a serverless multi-tenant content management system on AWS. The architecture contains a web-based front end that interacts with an Amazon
API Gateway API that uses a custom AWS Lambda authorizer. The authorizer authenticates a user to its tenant ID and encodes the information in a JSON Web
Token (JWT) token. After authentication, each API call through API Gateway targets a Lambda function that interacts with a single Amazon DynamoDB table to fulfill requests.
To comply with security standards, the company needs a stronger isolation between tenants. The company will have hundreds of customers within the first year.
Which solution will meet these requirements with the LEAST operational overhead?

  • A. Create a DynamoDB table for each tenant by using the tenant ID in the table name. Create a service that uses the JWT token to retrieve the appropriate Lambda execution role that is tenant-specific. Attach IAM policies to the execution role to allow access only to the DynamoDB table for the tenant.
  • B. Add tenant ID information to the partition key of the DynamoDB table. Create a service that uses the JWT token to retrieve the appropriate Lambda execution role that is tenant-specific. Attach IAM policies to the execution role to allow access to items in the table only when the key matches the tenant ID.
  • C. Create a separate AWS account for each tenant of the application. Use dedicated infrastructure for each tenant. Ensure that no cross-account network connectivity exists.
  • D. Add tenant ID as a sort key in every DynamoDB table. Add logic to each Lambda function to use the tenant ID that comes from the JWT token as the sort key in every operation on the DynamoDB table.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
vinodkp
Highly Voted 2 years, 11 months ago
I support B
upvoted 13 times
sashsz
2 years, 7 months ago
Tips: https://aws.amazon.com/blogs/apn/isolating-saas-tenants-with-dynamically-generated-iam-policies/
upvoted 3 times
...
...
Smartphone
Highly Voted 2 years, 11 months ago
Answer seems to be B. Rather than creating table for each tenant, its better to use partition key in the already available table. This can be achieved with the LEAST operational.
upvoted 6 times
...
aewis
Most Recent 11 months, 1 week ago
Selected Answer: B
https://aws.amazon.com/blogs/security/how-to-secure-your-saas-tenant-data-in-dynamodb-with-abac-and-client-side-encryption/
upvoted 1 times
...
yyees
1 year, 7 months ago
answer seems B Following the context above, the tenant id would be created when the user is created "The company will have hundreds of customers within the first year." <- If the answer is A, it would make Table hundreds a year. (operational)
upvoted 1 times
...
Heer
1 year, 10 months ago
Looks like its Option A: One solution that meets these requirements with the least operational overhead would be to use DynamoDB table partitioning (also known as sharding) to create separate partitions for each tenant. Each partition would have a unique primary key that includes the tenant ID, and all requests for a particular tenant would be directed to the corresponding partition. This would provide stronger isolation between tenants, as each tenant's data would be physically separated in the DynamoDB table. Additionally, by using a custom authorizer in the API Gateway, the Lambda function could easily extract the tenant ID from the JWT token and use it to determine which partition to access in the DynamoDB table. This solution would not require any significant changes to the existing architecture, and would scale easily as the number of tenants increases.
upvoted 1 times
...
Yashar1691
2 years, 2 months ago
Selected Answer: B
B is correct: https://aws.amazon.com/blogs/apn/multi-tenant-storage-with-amazon-dynamodb/
upvoted 2 times
...
kadev
2 years, 3 months ago
This Question is very confuse. Maybe is error from admin. "LEAST operational overhead" => if A, seperate by tablename, in the future when need to add more tenant you need create more table, with B you dont need do anymore "a stronger isolation between tenants" i think, for this stituation mean of question: find a soluiton that stronger isolation than current solution, not mean find the best soluiton for isolation.
upvoted 1 times
...
gnic
2 years, 3 months ago
Selected Answer: A
Partition key is not for isolation. I support A
upvoted 1 times
...
cen007
2 years, 4 months ago
Selected Answer: A
A. reason "To comply with security standards, the company needs a stronger isolation between tenants." https://aws.amazon.com/blogs/apn/multi-tenant-storage-with-amazon-dynamodb/ 1. Separate database – each tenant has a fully isolated database with its own representation of the data.... best ISOLATION but the question is about multi-tent. 2. Shared database, separate schema (Table Name Partitioning) – tenants all reside in the same database, but each tenant can have its own representation of the data. STRONGEST ISOLATION FOR MULTI-TENANT. but requires more operational than partition. 3. Shared everything (Index Partitioning)– tenants all reside in the same database and all leverage a universal representation of the data....EASIEST TO MANAGE BUT NOT LESS ISOLATION, prone to nosy neighbors.
upvoted 2 times
...
ArreRaja
2 years, 6 months ago
B. The choice is augmenting partition key with tenant id vs Silo keys in multiple tables (increased overhead) https://aws.amazon.com/blogs/apn/partitioning-pooled-multi-tenant-saas-data-with-amazon-dynamodb/
upvoted 4 times
makpk
2 years, 5 months ago
The link also explains to take the approach further by introducing a randomised suffix to the partition key, and introduce fine grain controlled access in coordination with STS
upvoted 3 times
...
...
ssSsEclipse
2 years, 6 months ago
for those selecting B/D, you cant update the partition key and sort key in an existing table
upvoted 4 times
...
jnxtx
2 years, 7 months ago
Selected Answer: B
Qns deals with the implementation of custom permission policies. The details of each policy should be stored in a central table with the client id as the partition key for quick retrival andthe subsequent creation of the custom policy. Much less operational overhead and also side benefit, better for backups
upvoted 3 times
...
tkanmani76
2 years, 11 months ago
Creating seperate accounts, different tables for tenants has more operational overhead. Partionkey based approach is the right way - Option B.
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...