ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS-SysOps All Questions

View all questions & answers for the AWS-SysOps exam
Go to Exam

Exam AWS-SysOps topic 1 question 276 discussion

Exam question from Amazon's AWS-SysOps
Question #: 276
Topic #: 1
[All AWS-SysOps Questions]

An organization has created 10 IAM users. The organization wants each of the IAM users to have access to a separate DynamoDB table. All the users are added to the same group and the organization wants to setup a group level policy for this. How can the organization achieve this?

  • A. Define the group policy and add a condition which allows the access based on the IAM name
  • B. Create a DynamoDB table with the same name as the IAM user name and define the policy rule which grants access based on the DynamoDB ARN using a variable
  • C. Create a separate DynamoDB database for each user and configure a policy in the group based on the DB variable
  • D. It is not possible to have a group level policy which allows different IAM users to different DynamoDB Tables
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. AWS
DynamoDB has only tables and the organization cannot make separate databases. The organization should create a table with the same name as the IAM user name and use the ARN of DynamoDB as part of the group policy. The sample policy is shown below:
by karmaah at Dec. 20, 2019, 6:59 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
albert_kuo
10 months, 3 weeks ago
Selected Answer: B
This approach suggests that you create a DynamoDB table for each IAM user, using the user's name as part of the table name, and then define a policy allowing access to only their specific table. While this could technically work, it's not a recommended practice due to the potential complexities and limitations it introduces. In most cases, it's better to manage access control using IAM policies and proper roles rather than trying to map resources like DynamoDB tables to user names. IAM policies provide more flexible and manageable access control mechanisms, especially as your organization and resource usage grow.
upvoted 2 times
...
FHU
2 years, 4 months ago
The implementation of (B) may work, but is very strange. Who would do this?
upvoted 2 times
...
xxxdolorxxx
2 years, 7 months ago
I vote B
upvoted 2 times
...
sunilpanda
2 years, 8 months ago
B "Resource": "arn:aws:dynamodb:*:*:table/${aws:username}"
upvoted 4 times
...
holydrac
2 years, 9 months ago
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_dynamodb_specific-table.html
upvoted 3 times
...
awscertified
2 years, 9 months ago
B. Create a DynamoDB table with the same name as the IAM user name and define the policy rule which grants access based on the DynamoDB ARN using a variable
upvoted 3 times
...
karmaah
2 years, 9 months ago
Incorrect Policy Sample screenshot attached from the previous question answer.
upvoted 3 times
FHU
2 years, 4 months ago
Yep, the screenshoft is really incorrect.
upvoted 1 times
...
narayanan010
2 years, 9 months ago
Hi Karmaah, could you please confirm if D is the right answer for this question?
upvoted 1 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel