Exam AWS Certified Big Data - Specialty topic 2 question 18 discussion

Exam question from Amazon's AWS Certified Big Data - Specialty
Question #: 18
Topic #: 2

A gaming organization is developing a new game and would like to offer real-time competition to their users. The data architecture has the following characteristics:
✑ The game application is writing events directly to Amazon DynamoDB from the user's mobile device.
✑ Users from the website can access their statistics directly from DynamoDB.
✑ The game servers are accessing DynamoDB to update the user's information.
✑ The data science team extracts data from DynamoDB for various applications.
The engineering team has already agreed to the IAM roles and policies to use for the data science team and the application.
Which actions will provide the MOST security, while maintaining the necessary access to the website and game application? (Choose two.)

  • A. Use Amazon Cognito user pool to authenticate to both the website and the game application.
  • B. Use IAM identity federation to authenticate to both the website and the game application.
  • C. Create an IAM policy with PUT permission for both the website and the game application.
  • D. Create an IAM policy with fine-grained permission for both the website and the game application.
  • E. Create an IAM policy with PUT permission for the game application and an IAM policy with GET permission for the website.
Suggested Answer: BE

Comments

Bulti
Highly Voted 3 years, 7 months ago
Answer: A, D
A - Mobile app integrating with an application hosted on AWS. So Cognito is a default choice allowing user to use their social media account to login and assume temporary credentials to login to the org application backing the mobile app or the website server backing the website assuming there are 2 different backend application for the mobile and web app.
B - Not a good choice for mobile users. Works for internal users.
C - This is wrong as the website needs the ability to do a GET as well.
D - Refer to this link -> https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html and go down to the Limiting User access section where you will see how both the mobile app and the website users can be restricted using fine grained IAM policy using their AWS user ID or their Google or Facebook userID.
E - Not a good choice because we want users to access only their statistical information and to be able to update their own profiles.
upvoted 8 times
certish
3 years, 7 months ago
AD looks correct. D is a very clear choice based on the link that you provided.
upvoted 1 times
matthew95
3 years, 7 months ago
A,D - exactly, for example, the game app preceding limits access in this way so that users can only access game data that is associated with their user ID.
upvoted 1 times
vicks316
3 years, 7 months ago
How would D work when website requires read permissions whereas the gaming application requires write access. Can the same IAM policy have a read permission for website and write permission for gaming app? Having one policy for each permission is cleaner in my opinion, going with A and E.
upvoted 1 times
DerekKey
3 years, 7 months ago
Can the same IAM policy have a read permission for website and write permission for gaming app? -> YES can have
upvoted 1 times
mattyb123
Highly Voted 3 years, 8 months ago
Thoughts on A & D?
https://docs.amazonaws.cn/en_us/IAM/latest/UserGuide/id_credentials_temp.html
https://aws.amazon.com/iam/
https://aws.amazon.com/blogs/security/create-fine-grained-session-permissions-using-iam-managed-policies/
upvoted 5 times
hailiang
Most Recent 3 years, 7 months ago
It is BD, A is wrong since if you need the app or website to access to ddb, you need Cognito Identity Pool, but not only User Pool.
upvoted 1 times
DerekKey
3 years, 7 months ago
Hailiang is 100% correct - Identity pool use cases - Give your users access to AWS resources, such as an Amazon DynamoDB table. BUT when you create User Pool you will be forced to create at least one Identity Pool :) Since a gaming organization is developing a !!new game!! the option A&D would fit best:
- Use Amazon Cognito user pool to authenticate to both the website and the game application.
- Create an IAM policy with fine-grained permission for both the website and the game application.
upvoted 1 times
askaron
3 years, 7 months ago
A and D. I thought A and E at first sight, but fine grained is necessary, as you don't want to allow the website itself, but a user coming from that website. Also, it is possible to have multiple statements in a policy, as some thought that this is not possible: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_statement.html
upvoted 1 times
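
As an added example (not part of any comment in this thread, and not AWS's own code): a single IAM policy with two statements, each scoped with the `dynamodb:LeadingKeys` condition described in the documentation linked above, next to a plain GET/PUT policy, plus a small check that flags statements lacking that condition. The table ARN, Sids and function names are placeholders, and it assumes the table's partition key is the caller's Cognito identity ID.

```python
# Added example: constructed policies; table ARN, Sids and names are placeholders.
TABLE = "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/ExampleGameTable"
OWN_ITEMS = {"ForAllValues:StringEquals": {
    "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]}}

# One policy, two statements: read and write, each limited to items whose
# partition key equals the caller's Cognito identity ID (assumed key design).
FINE_GRAINED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOwnStats", "Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:Query"],
         "Resource": TABLE, "Condition": OWN_ITEMS},
        {"Sid": "WriteOwnEvents", "Effect": "Allow",
         "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem"],
         "Resource": TABLE, "Condition": OWN_ITEMS},
    ],
}

# Same kind of actions with no condition: a principal holding this policy
# can read or write items belonging to any user.
COARSE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "GetAnyItem", "Effect": "Allow",
         "Action": "dynamodb:GetItem", "Resource": TABLE},
        {"Sid": "PutAnyItem", "Effect": "Allow",
         "Action": "dynamodb:PutItem", "Resource": TABLE},
    ],
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def unscoped_statements(policy):
    """Sids of Allow statements that grant DynamoDB actions with no
    dynamodb:LeadingKeys condition (condition keys are case-insensitive)."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        if not any(a == "*" or a.startswith("dynamodb:") for a in actions):
            continue
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if "dynamodb:leadingkeys" not in keys:
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings
```
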
alopazo
3 years, 7 months ago
A + D https://aws.amazon.com/blogs/aws/fine-grained-access-control-for-amazon-dynamodb/
upvoted 1 times
piemar
3 years, 7 months ago
Why not B and E? E is more fine-grained, as it is only allowing read for website and write for mobile.
upvoted 1 times
san2020
3 years, 8 months ago
my selection AE
upvoted 2 times
AdamSmith
3 years, 8 months ago
A is obvious. D sounds right but the catch is using a single IAM policy for both the web server and the app, which is pretty bad. E satisfies the requirements. Still a hard choice but I'd go with E.
upvoted 1 times
ME2000
3 years, 8 months ago
Option B - Identity Providers and Federation: It is also useful if you are creating a mobile app or web application that requires access to AWS resources.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html
upvoted 1 times
BigEv
3 years, 8 months ago
A is correct for sure. Not sure whether D or E should be the 2nd answer
upvoted 1 times
chaudh
3 years, 8 months ago
A&E; D is incorrect because we need different policies for game application role & user role from mobile devices.
upvoted 4 times
hailiang
3 years, 8 months ago
In D it just says fine-grained control but nothing about same or different policies, so D is good.
upvoted 1 times
bigdatalearner
3 years, 8 months ago
What's the right answer? Any conclusion?
upvoted 1 times
d00ku
3 years, 8 months ago
I'm sure about A but not sure between D and E. My issue with D is that it states "create one IAM policy" - not sure if it can accommodate both user types (mobile, web) which need different permissions. E seems straightforward - PUT for mobile and GET for web...
upvoted 1 times
s3an
3 years, 8 months ago
Options D and E both say "an IAM policy", so it doesn't mean same permission for both mobile and web. Answer still seems to be AD.
upvoted 1 times
ranabhay
3 years, 8 months ago
Hi, need your input. Are these questions really on the actual exam? All of them? Have you scheduled/taken your exam? How did you perform?
upvoted 2 times
mattyb123
3 years, 8 months ago
Yes, @ranabhay, the majority of these questions were on my exam. But as you have noticed, some of the selected answers are incorrect, which is why I have been so active in discussing the reasons for certain answers. As you can tell with these questions, they aren't worded very well on purpose, to make you either over- or under-think the solution.
upvoted 5 times
jlpl
3 years, 8 months ago
A = Cognito -> mobile device. D = fine-grained IAM makes sense.
upvoted 3 times
cybe001
3 years, 8 months ago
Question doesn't say mobile app. I think BE is correct.
upvoted 2 times
s3an
3 years, 8 months ago
"The game application is writing events directly to Amazon DynamoDB from the user's mobile device" ... so it's a mobile app. Also, fine-grained IAM access doesn't mean a single policy for both. AD seems right.
upvoted 2 times